c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Size

117KB
MD5

9fac3e4225b3aaacbf2a59a2bcffba00
SHA1

252caef9b62150eee9a7d83db7d68f7355e62216
SHA256

c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307
SHA512

1489fbbf331476dc673791835f921f44f3cb5a2f37fb3762787927e3620a019645df9c9e23f0457b3aee8761966b8eb1d434fe2f718e0c7edabcfb5f44eb2d72
SSDEEP

1536:zcUhcQHa9YT9d4tl6xKYfx0CnMOYWzxbZKIM7URtQK2WxnnvV3gwyIDwo:zDLHZd4+KYf6CMOn7YK2SvVwID

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	fcwIccAo.exe

Executes dropped EXE 2 IoCs

pid	Process
4432	LUwMEQoA.exe
2788	fcwIccAo.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUwMEQoA.exe = "C:\\Users\\Admin\\PIkUYskY\\LUwMEQoA.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcwIccAo.exe = "C:\\ProgramData\\KGwYEkMA\\fcwIccAo.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcwIccAo.exe = "C:\\ProgramData\\KGwYEkMA\\fcwIccAo.exe"	fcwIccAo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUwMEQoA.exe = "C:\\Users\\Admin\\PIkUYskY\\LUwMEQoA.exe"	LUwMEQoA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LUwMEQoA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3060	reg.exe
3568	reg.exe
5060	reg.exe
4996	reg.exe
2672	reg.exe
1988	reg.exe
4500	reg.exe
4248	reg.exe
3696	reg.exe
1604	reg.exe
2948	reg.exe
1492	reg.exe
2532	reg.exe
3160	reg.exe
2536	reg.exe
3156	reg.exe
4824	reg.exe
2492	reg.exe
3004	reg.exe
2044	reg.exe
5024	reg.exe
3100	reg.exe
2112	reg.exe
4060	reg.exe
2764	reg.exe
2916	reg.exe
1416	reg.exe
464	reg.exe
1420	reg.exe
2692	reg.exe
216	reg.exe
3100	reg.exe
3124	reg.exe
2456	reg.exe
3680	reg.exe
3040	reg.exe
4436	reg.exe
1420	reg.exe
1212	reg.exe
3000	reg.exe
1124	reg.exe
4052	reg.exe
4220	reg.exe
3956	reg.exe
5104	reg.exe
1324	reg.exe
2172	reg.exe
3128	reg.exe
4856	reg.exe
964	reg.exe
4816	reg.exe
1412	reg.exe
4876	reg.exe
5076	reg.exe
3188	reg.exe
2168	reg.exe
4600	reg.exe
4348	reg.exe
916	reg.exe
672	reg.exe
1832	reg.exe
1928	reg.exe
4824	reg.exe
1360	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4648	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4648	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4648	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4648	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
636	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
636	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
636	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
636	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
432	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
432	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
432	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
432	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3204	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3204	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3204	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3204	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4540	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4540	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4540	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4540	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3244	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3244	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3244	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3244	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4944	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4944	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4944	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4944	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4328	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4328	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4328	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4328	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1160	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1160	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1160	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1160	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1604	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1604	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1604	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1604	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1640	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1640	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1640	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1640	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3352	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3352	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3352	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3352	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	fcwIccAo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe
2788	fcwIccAo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4432	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	83
PID 5016 wrote to memory of 4432	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	83
PID 5016 wrote to memory of 4432	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	83
PID 5016 wrote to memory of 2788	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	84
PID 5016 wrote to memory of 2788	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	84
PID 5016 wrote to memory of 2788	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	84
PID 5016 wrote to memory of 3092	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 5016 wrote to memory of 3092	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 5016 wrote to memory of 3092	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 3092 wrote to memory of 4624	3092	cmd.exe	87
PID 3092 wrote to memory of 4624	3092	cmd.exe	87
PID 3092 wrote to memory of 4624	3092	cmd.exe	87
PID 5016 wrote to memory of 2492	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	88
PID 5016 wrote to memory of 2492	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	88
PID 5016 wrote to memory of 2492	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	88
PID 5016 wrote to memory of 3100	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 5016 wrote to memory of 3100	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 5016 wrote to memory of 3100	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 5016 wrote to memory of 2672	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 5016 wrote to memory of 2672	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 5016 wrote to memory of 2672	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 5016 wrote to memory of 2920	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 5016 wrote to memory of 2920	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 5016 wrote to memory of 2920	5016	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 2920 wrote to memory of 4748	2920	cmd.exe	96
PID 2920 wrote to memory of 4748	2920	cmd.exe	96
PID 2920 wrote to memory of 4748	2920	cmd.exe	96
PID 4624 wrote to memory of 1656	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	97
PID 4624 wrote to memory of 1656	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	97
PID 4624 wrote to memory of 1656	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	97
PID 1656 wrote to memory of 3652	1656	cmd.exe	99
PID 1656 wrote to memory of 3652	1656	cmd.exe	99
PID 1656 wrote to memory of 3652	1656	cmd.exe	99
PID 4624 wrote to memory of 2300	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	100
PID 4624 wrote to memory of 2300	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	100
PID 4624 wrote to memory of 2300	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	100
PID 4624 wrote to memory of 4596	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	101
PID 4624 wrote to memory of 4596	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	101
PID 4624 wrote to memory of 4596	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	101
PID 4624 wrote to memory of 4988	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 4624 wrote to memory of 4988	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 4624 wrote to memory of 4988	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 4624 wrote to memory of 4668	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 4624 wrote to memory of 4668	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 4624 wrote to memory of 4668	4624	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 4668 wrote to memory of 3024	4668	cmd.exe	108
PID 4668 wrote to memory of 3024	4668	cmd.exe	108
PID 4668 wrote to memory of 3024	4668	cmd.exe	108
PID 3652 wrote to memory of 660	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	109
PID 3652 wrote to memory of 660	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	109
PID 3652 wrote to memory of 660	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	109
PID 660 wrote to memory of 4648	660	cmd.exe	111
PID 660 wrote to memory of 4648	660	cmd.exe	111
PID 660 wrote to memory of 4648	660	cmd.exe	111
PID 3652 wrote to memory of 2696	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	112
PID 3652 wrote to memory of 2696	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	112
PID 3652 wrote to memory of 2696	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	112
PID 3652 wrote to memory of 4220	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	113
PID 3652 wrote to memory of 4220	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	113
PID 3652 wrote to memory of 4220	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	113
PID 3652 wrote to memory of 4992	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 3652 wrote to memory of 4992	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 3652 wrote to memory of 4992	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 3652 wrote to memory of 3960	3652	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\PIkUYskY\LUwMEQoA.exe
  "C:\Users\Admin\PIkUYskY\LUwMEQoA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4432
- C:\ProgramData\KGwYEkMA\fcwIccAo.exe
  "C:\ProgramData\KGwYEkMA\fcwIccAo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        8⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        10⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        12⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        16⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        20⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        22⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        24⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        26⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        30⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        32⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        33⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        34⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        36⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        37⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        39⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        40⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        41⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        42⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        43⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        44⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        46⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        47⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        48⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        49⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        51⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        52⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        53⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        54⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        56⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        57⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        58⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        59⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        60⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        61⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        62⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        63⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        64⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        65⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        66⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        67⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        69⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        70⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        71⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        72⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        73⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        74⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        75⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        76⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        77⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        78⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        79⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        80⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        81⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        82⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        83⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        84⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        85⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        86⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        87⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        88⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        89⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        90⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        91⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        92⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        93⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        94⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        95⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        96⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        97⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        98⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        99⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        100⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        101⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        102⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        103⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        104⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        105⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        106⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        108⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        109⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        110⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        112⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        113⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        114⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        115⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        116⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        117⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        118⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        119⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        120⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        121⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        122⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        123⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        124⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        125⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        126⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        127⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        128⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        129⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        130⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        131⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        132⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        133⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        134⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        135⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        136⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        137⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        138⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        139⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        140⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        141⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        142⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        143⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        144⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        145⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        146⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        147⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        148⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        149⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        150⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        151⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        152⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        153⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        154⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        155⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        157⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        158⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        160⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        161⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        162⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        163⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        164⤵
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        165⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        166⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        168⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        169⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        170⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        171⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        173⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        174⤵
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        175⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        176⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        177⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        178⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        179⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        180⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        181⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        182⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        183⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        184⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        185⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        186⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        188⤵
        
        PID:1160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        189⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        190⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        191⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        192⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        193⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        194⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        195⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqIkYwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        194⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koQsAYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        192⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwQIIQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        190⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pewwYwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        188⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSAUQAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        186⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kykcYIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        184⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cswksUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKkQcAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FugocYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        178⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgIkQwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        176⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwcEEIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        174⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocsQIQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        172⤵
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocQocsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        170⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KosYIcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        168⤵
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMgYYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        166⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psgMEsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        164⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwgssAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIAQwAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        160⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEAYssUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        158⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCcMwwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        156⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqAsAcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        154⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmYAgEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        152⤵
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deIUkAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        150⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQEcEwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        148⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcEYwIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        146⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCEUUYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        144⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEoEYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        142⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaYkAcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        140⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkwUoEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        138⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAUswAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        136⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGEswoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        134⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMwIgwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        132⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEsIgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        130⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMIQUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        128⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYcQEEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        126⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piQEwcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        124⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQQMMYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        122⤵
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSMcgwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        120⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCsEckgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zckAMoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        116⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccgYIAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        114⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcAAooog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        112⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUIcIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        110⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auYEEgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        108⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqQMAkIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        106⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMwQIwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        104⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWUIcEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        102⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQEswIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        100⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkQswcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        98⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIcQkwIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        96⤵
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOEcsIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        94⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCMAcgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        92⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcIUIEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        90⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeAcckIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        88⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGMgIIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        86⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okIsQgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYYQEMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        82⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwswYkws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        80⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMUYAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        78⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIkscso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        76⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEEUsQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        74⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsoggQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        72⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqgIgEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        70⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouIkosQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        68⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcwEsUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        66⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGcwYsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        64⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAgcMYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        62⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOgQIAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        60⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkgYYMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkkYocIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        56⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgscQAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWcAgsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        52⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwAUIEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        50⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEQkAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        48⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsgsckAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        46⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUMwUAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        44⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsYgUAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        42⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGcwwcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        40⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYkwscIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        38⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iscsggMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        36⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEsYIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        34⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgskoYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        32⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKUwoMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        30⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqIMwUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        28⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsgoYIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        26⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwksEAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        24⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkcMAows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        22⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGowAIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        20⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yicscsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        18⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYYggMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        16⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkUcowoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        14⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImoocIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        12⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQYYMQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        10⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgEcYsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkQggwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSgwoskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3100
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUYMIAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4748

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ba1b9b5e771d6f0acef54c77842913d5 AXB8u4d2VU2ngd5X/ofl0Q.0.1.0.0.0
1⤵
PID:1668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1508

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2112

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KGwYEkMA\fcwIccAo.exe

Filesize
109KB

MD5
4ef564119788b67f0a10047d23827f39

SHA1
f74ce3cd8ead45b9b766d859eaeaa2819154386f

SHA256
4bf7772fc615ed538f9649d65a8e1f7fd4035c925aea70e99cde9be968af113f

SHA512
51e6cd9cbf4f0b51156e92713a779e83f1ce5dc56f6b2cf9cb9de774bf3a1ae27ef8cc651a0ce3fe13fb69d3e0db90e65f0e86fc72aba02227bc120e16b76130

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
153KB

MD5
a53cf4513d831728d51fb2f7614ebc10

SHA1
a8c68f8ee5febc429730fb2b4ec5f3836ebc70ed

SHA256
1c3c7f6ad4e95a8818238168d49aa2541261b0a802e173ce807ee7c472a7dbf5

SHA512
82ca7c8495aa64059f4e9df76cce8af2d9f741d036a25592f0654135d8f2df10c38ceadf06594f6d895899af6a982d35c66347ad8d709e762be3006ce5bf3af0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
236KB

MD5
0c9f4a723e6776f2332ac95f7e14ab27

SHA1
27ebf509db8dd8e64461b69dc9269fda75cfa744

SHA256
d8144e09500434777ebcd9d528dc428e9e543f95dc2b003251d328572b33510e

SHA512
b0baaa6891d01bf4fef38d13525de1beee4e3858e1a5c6f99e008628bf844ac949cea507575fd87cc9c2a2e2a2eaf902920c453e7fcb1b0015d07b93b9a88461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
118KB

MD5
8fe525a87310494c9dd316846f62b136

SHA1
7f51b6753f65e4c89156776a168652db9be32a06

SHA256
6954fa530b539c2e36d0af4e02152fd2708802b4cdca156ba0a07406100a08c5

SHA512
7c6b38c4bb119dd4abe98d41e928043d6d47ad595bf6899ac765a8f66e729fdc88658a17e0dee64bd2fb99b64c40293eabf492aca59b910892db76d055c787ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
111KB

MD5
8228992f3c8eb085c568b8e425fa6db3

SHA1
35ac616d9b9ee547c801e7fbb156c1a6d41c971d

SHA256
cdf8aaeb46defc0ff01ea2fdd32c60e6982d95757a9baae40e1fe2c7a656e32d

SHA512
4aa4ae74cb4adbdf603d0af9a1a9ea9d90c7e7bcc83115774bbc7eeca6fda6c7c1b7cf6c52b6bcd4e4379eba5251ce84d4a5d7b29c49ce70c50ce37e32c43e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
565ff708e2fad3e14ffa1a1639295d25

SHA1
144634bc9685d8c84db340f6c8c986cdd1eb7b4d

SHA256
a8c1914d552e092da3197c186c6d9b794fbda864242c6c140df9ce7a2f4349c1

SHA512
8ebd8e4c8cce8ffc0433349fdeeeb715983a35a3cee103ae89b5fc842aa97947a2ccbb6888a5678fd95c8cd9d05d99083fcb17142a0160b10c66bf8fe239f284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
112KB

MD5
335ad3e079cce25372242abd90f2c263

SHA1
1c51a9e17f865238efa7522b593bffa261e64420

SHA256
18d97abf5f0ceeda66c7f775435fb66b7e97d64fa308a8730f8c0cfe5be9decd

SHA512
6658b827df511a382fae47a79a490729f943075f8c75400c21a8bd1051ac9d5442bc3aed0d4ef6a400bb2628d4b80b3e9a9fc0be6d8c35246649845d042cff1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

Filesize
111KB

MD5
824b7a6278d10195a6bf13452f45b55e

SHA1
f958614b0ecc9f0c168c50c46dc6183e27e20097

SHA256
4325a3b3104cbc865ffe0f0ff34758edb0ca4a33030159067db6eb9279fff528

SHA512
fa79cdebed0ddae94a325fe00163886ef41b78a7eb423c373329a65b9a6e4bb1f43552d1868b8192242088c593fad1a0a4018e58566d95f52b05c5c2a7b9bafa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
112KB

MD5
8b2c68cb2e504e1f0497e3fda069e018

SHA1
50284b33933c21570ac41b717309d91db5f81658

SHA256
b3826b4bbe1788c8186c3dc5d10bdae8b9d5f9af432b00ed80cf707378887e1a

SHA512
aea340d43eefdfef16d1b7f951b11737fe3266f9501b2c4d0c2a13a8ee0a42909cff264488f1b5223a15551f368699207a97af28dc62505549c9549cedd287ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock

Filesize
7KB

MD5
7b96834e1052bc1779d35e027b0f719a

SHA1
6d56be801edcf9bc449473784d7b2291939039a8

SHA256
c04f54809574033ba6dbadf3e94017ceaf9adf5de7d3e5c74650bca0c34ae947

SHA512
32f58556e886156ace18c5fb7e5675cbbd041e2c03e50c3666827c5b95eb0babd6bb16bb4606c260fbeb7bd44fb4bb1ca511648584da147d7970a3f284bdd4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQwg.exe

Filesize
1016KB

MD5
92e14eb982e73ab611b9d20c2518df0f

SHA1
acb87210ef13f57cad71e33d48edddc5aa971ee5

SHA256
d51498e498f689674a81a093f886f5b6d19fa3e97d3a0fa9175810b0ac16cc3b

SHA512
d1b331cac73fbd6eec4c8de72e10bb4554f64ccd3bb2c2a71ecac1cd6b695b2e146116a087489fb45640cad6422807d6b613d710c5ccb78eb5cf4310d687b7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkIA.exe

Filesize
124KB

MD5
3880950e2b047d36b2f9f3c8019d353b

SHA1
3153e4fb3a1e9f05714c7d721e8d50eafd9403ae

SHA256
56f495684c2762e6610de60e011b5b4217da6ba07ad48db5c8575272808480cf

SHA512
8423f11d150648266b62e11bec87cb30919db627ec55f3a2ab3a5ea63ce719cd640513a13ce5b19b3299fc3e1820a5bd23302256f46148755c4ee105de6804b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAEi.exe

Filesize
114KB

MD5
329978da0436d2a7c67851373bffb5b8

SHA1
01f899a1a3605f4fee2b3b1b2eaaf3ff8cdd8839

SHA256
adc6e71483259560b8776b55c6665303bbadff6b613b25b4d3d90672438bb855

SHA512
22207f454154f17b7e0a26a2def862507f538e09159c82c3144d7f89aabe554924fcf2d4b12f83e274658ba3fe00dddef8196c5eda76979866ede5f948ab517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUUq.exe

Filesize
111KB

MD5
329f1b046cf9d07fd6b17a2d7fd35511

SHA1
49477e72e47c2b419c5e88497e8f7b2384f784be

SHA256
fb3d1c279343878b454ba3053a46b28ec7750a23f04148a95c2651862663178a

SHA512
5766fd778b8981c14a1619833835dd1645b9cf582eedfe39f9bbddaa2ec6e5c89ff124d318cedece82e4af30628437b298849a7e17b18d47c2dc3c9905a78b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEK.exe

Filesize
119KB

MD5
1dcedad4ee84fa6d8f5eeda2479336b2

SHA1
71e40b9cab3eb595b73260a67884a651fe85ae85

SHA256
5564e9bad40c8ce4b60b824e463454b72d19b7ae508056d92972d5d88f812377

SHA512
5eb1459acefd69abb4f96316959a80083406fa1811e316e51de2f709a916df4189ca08ba11c4f0597181b9408dd0493e47ccdd0e77824efdda9a977b168e94da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgoo.exe

Filesize
148KB

MD5
52e99c97da96253cf5b6d609da86f2f9

SHA1
5d21a819a395887a9b291bf6c4b3a9d6fbd024f2

SHA256
aa5d9484f4d0a3cb81554b7c0f6d3ca3a934107fec46b66cb9f0843c17ffa271

SHA512
38e126e2977da289ab4b89983c6ce4f72c5c87e01a397abf8b6c3fb803c2219b30a7c1e89dd933be482235b737014f8446b31cffc2dffa2bb136ff5bc19932bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIwC.exe

Filesize
140KB

MD5
7d1d57e52370e5ffb153d2ab8297d9c2

SHA1
c138238f4cfdba30da46bca8ed4c3e576d28f2d4

SHA256
966d880f5726ba0848758d250f5a8eb450246416553bdcf25a89f1c7c43531a2

SHA512
9578b90d0bb505c8daf84c812b5e573050b642660d675b995f53b47cf2271d8e9259f761d45f27d429bbe95e64ac8a44fa7b6174a6109d0a5087b815d462701a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dggc.exe

Filesize
115KB

MD5
06ddce00855da656f6d3f5ab22fbd13c

SHA1
7637c7c3b0618f81e55084f9d99bf20834e0eab3

SHA256
4491565b5fa347cbb5aea3393cff2f2716e3a8984867cce5b94de10a8b0e1fe2

SHA512
c6ce18e1a408c24188b350560ace26e691f4f8f9eb8d5f83b67332d5f6d42308ffa3e924c6970927897153fb869b909b741b55ee29fcd4759b04463660f62a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwcm.exe

Filesize
111KB

MD5
313a0dacaf4cfb254fc6e0f7174172d8

SHA1
fe1b70fba7cb9b27fc0c6b2a1a2a62c48888f4a6

SHA256
cc53e6545ae9a5316925ad9ac73ad0f2211ef678bb8664530da7da415d9b4e21

SHA512
1c358e7951b4f74d505d23b97d5cbedf3c7f0f692a03cc19b74fdbd7538af046db19b508c95e4aa79ba6b778c942cbe9cbb69285d1f83ac7e9e20b07378a1e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwo.exe

Filesize
115KB

MD5
aa17ee3a02d77dc780cceb4238bf391d

SHA1
03d29869b8bf7df6144dfc37d5fe7e113d6c1a3d

SHA256
25c41d94213a798a2a53d6eba15115f2389e75376d33055a779c755d51a4b5bf

SHA512
18b36b885bcc631e70483a0fe13e48bbd9c11bc439429e442e85330484e3c43bbf27930cff6ed006af0f3f5550daa8293172a1275829ab2d07925d0fb977170c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsAY.exe

Filesize
116KB

MD5
7cf6c27150552b3dee4c3d240a5ed007

SHA1
95fd0e5ae5beb28851e151bcb2e06dfffbb57d70

SHA256
24006e0d9cfb70b99383d897171be8f165d86cb54eca3585742944dac1fe5316

SHA512
eb075fe937addbc5f5b9775d9e3f8d513e3c4e944106e890f045af633e92dac9f870807f1557cc5dd33c413c6c860d1f6592d7dbc0606695f6754d69e3d68286

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwAw.exe

Filesize
112KB

MD5
39dd9d3203d9d993cc6a609ce3f3f4d0

SHA1
8a20579554bee0a8cd0bf92a9ec8c4aa794d842f

SHA256
565829d1becddab6437a533484ba2bf11b5502f9a8bd530c73041c4b664e2144

SHA512
ccb87662ee7bf98a43ec9694528ee6202842d17e08c905502363dddd3cc58c11b204d4665ea33c303e24b4c6f6cbb01709109f845829e561c1349eec46fa124d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYEs.exe

Filesize
113KB

MD5
fcacc64538d7246f1f4330ddd34c2a39

SHA1
24e53b53d76359ca2381c5b794bd6d0285707959

SHA256
494790af21c07022062e7b1d10983311aba779f292c9d10131f79f9a092920e9

SHA512
fc9c3085735bdb7d60888cea457399da7f6f81943845343b96cd2c50ddd3bf4a76d8b2c93677897eb47f753db1332fba0666631c6f848d130deecce81a3d7439

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYQI.exe

Filesize
137KB

MD5
4aa89c1615e80539759cd88105548d7e

SHA1
dcf669f9c558df17a5ff9424baa1982582d938cc

SHA256
059c55cabaeedfdb6529f84b26d8f71317179ecac2a658bca4212d0d1bb27416

SHA512
7528a95b8bcac760645bdef6552ab353bbf1025fda2e0b1a936a092942425c87077a35914bbb11ceb6f4da24adedf87abdbc91407d8df834452f61274a01caf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggsi.exe

Filesize
116KB

MD5
5fe61f5db4b089dbebf5448a8b3b3ef5

SHA1
0574f0dcbad4d40e24ae29eef0cfc1ec45321fe6

SHA256
79288d65058bbdcfc47d07aacb53b07065473bea751d887fdb013b019cba5458

SHA512
8528aaeb5ed95d21077d4b7b5c8f643ac12e6a113b0e98a328146d67c682c6b42e5a623306c649b94bc91893d7b494607699c293342be7c742eeee63087684b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEu.exe

Filesize
1.4MB

MD5
b30dc673c510958366a2d6b6cb3493e4

SHA1
9b13a334b2fabf7184472511a94891fb27d761b4

SHA256
160199e00364ff2ad04e2aea156b170cb91de864cc02b460925a300150f4d5e0

SHA512
21a595d96e6d51be0ffe9dcd93d1f8c6c1adfa0ffdefa081d0249e9421370eef7169c544fb20edd12b702fe8ce3ede0ad2edd1cb1d6eb9272c55ce333c8dd185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwsw.exe

Filesize
1.1MB

MD5
df44bf804841e92a9d2fb257dd0d80ad

SHA1
5d1ff66543db47c73e20b23372499a74f2a86647

SHA256
535a678a52c691df58ebb97f6f9ad89ad1e421b81de2a57b94151ad475d8fb3f

SHA512
5727b8a58c90514f51da972bbf4c9e755782718b8f685c72cc7c079a4b6b759f60637e1bd65e39000b86f2987d82cc00a1ce642bfa90c54e61299cd7216e78ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQUq.exe

Filesize
113KB

MD5
3b96e093a0b497cf77e91b3631cdecf4

SHA1
3a55e0045164e1542a010a09cd5f652dc06dab64

SHA256
07651fc5f3c2a13d6217636662074c251d1b939431bb63d047d8049c829b3abd

SHA512
4c19be16a754a6b04accb58d71d57aa04f03afa274b2109de06b9e84c628f1bd851630febea21a1991ea888fbd8f7cb1de24c7a2f88799afad0a5f6aee6c3e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEky.exe

Filesize
712KB

MD5
ee2b8936025bab1f431a1e5079e46196

SHA1
a52fb9f9a3a397f8d2d598f665fe70cc322da726

SHA256
e2f2250ffe808a295db1b033528b10d10b2010fe442a517279b03ea616a064a7

SHA512
ba960f7b9bd98af1bb5f4f06b605197db02f580e653ca65f92d6878d9c9cb633919e25598468196feb71aa105ea7fac0eebcd3e27228c284fded3482df8c1067

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUse.exe

Filesize
119KB

MD5
ea5cdb39f460b0eec1ada0ced98633d2

SHA1
5761b6480dda1cf0a718f6a0cc7d76f6dcecbadd

SHA256
c28a1b2aa61ff45de643b465b7f7fd283c2e2345df5ab4805f7a12012d59dd29

SHA512
a4a9500e62a9d4208a66764a8b2cd340d288c9f790039e21102a8ef2a6987db890d0df5d88b35b0e705a07ab31134c7ad5a2f791ad9a25a90902e3cdc6ca1dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAM.exe

Filesize
111KB

MD5
957fb5599cbf8edd77870e9a5a0b0f30

SHA1
3305667d1fa64cd8294bd65d46e2f1e7119b5085

SHA256
743aa9b343448095246efe46f6064a3e0e2fbd15a2acbcfa42d9a4ee49de2603

SHA512
b8e448ba324bb46c8a860d59480bb7565b7a8c5c505312c969aa4714f1627659beae1ec85b87f575785d11b1623a25bba551be33d663ec47172e037198cc8cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwsc.exe

Filesize
117KB

MD5
d003774722cc9109c6987c10776d882b

SHA1
151a6aba7d67f541d6e5a6644485e499ed85a648

SHA256
ca4806021394d120dae5b1cf1f67c9c040ea8d31ade044fd63a4781950432c22

SHA512
628bb39795e3efe6a31a5d23514bdd872a05d9a76ef0ec49ca71469789b314f3d6751e7bebdab162d187d34e77d7060c55e98e951bc42d43bea37cb0ad22d7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEkA.exe

Filesize
745KB

MD5
a13ebd9a10fb7ed4dc7e034a61585fae

SHA1
8ee247d88b6921ccf1752b993d3d65fca0e17926

SHA256
2840fa835627535de9cfd0529853d8ce15e5209eddd28a1ce2330dcbbb40f424

SHA512
69d861a2ae2c3ab9ffd4444ac3c9a89f7c67a53aed5495cb582341f5d83d2b39d61ab606e7d5cd3a9ee7455dbc2cf399220ce707c4f4a76e04466969c8e47d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIAW.exe

Filesize
111KB

MD5
60fe76e417609021695c8648a9099f08

SHA1
771cf8cbb322457bb76fa2a91c1179f1fc8a154c

SHA256
f3cd5e0b0f0cae84523ac1abe079177f19721c63a98bc3300e5fd1b9317cbf96

SHA512
4ee7e8ec7f3a10d9db793d27631ca4207a82232cd584d28994396d111eb759a5e4eabf518b004dd13c2a9fadc5e5b9252b23603f603d792ece218f4276c3e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUke.exe

Filesize
721KB

MD5
ab525ba0038f025775d99bbd437a6c99

SHA1
e5efbdcc92666d189c60cb82972486f0ebbbd5f4

SHA256
6fbedf244d5f713e28852f5fc5ee1f65625d3c74f17a06cc6fb70e0a9f0f87f6

SHA512
86e74c232f5c11833f7e8b062051d207e4f11b4e933af7a6797a6c94a23513cf73e84ced7d745b472a241065cfb76eadf1338e157eb13c12ce0c15aa3f5c0c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NksK.exe

Filesize
118KB

MD5
28d30bdadf27875dcdd31ce9c6800332

SHA1
98e56d6686d7f8e0259409c265f39515e3001242

SHA256
df22abde35bdc55b4096f34486291356a5e07e9010b16dfb8042b5ad1546a2fc

SHA512
afed4846ffff272a303083cc757f02d6dcd8b8a7ef6cb54efd19e693f467f84fa4806cd2ca305146028e240259bec7632938fbbc35302c92b72fcbad2d8fb14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwUG.exe

Filesize
1.2MB

MD5
689f68ac0ff60a4af94f891bacc67da2

SHA1
100f12ea8291175defb92ad4fa9162c1eae3c42a

SHA256
18ef10c62989b762542e819eb6cd53a34533c19e2cbb1f54995e448faf837590

SHA512
503ca5e0e645b149efc6b944e8e436199e443677ac1aea1f222998cc8819e9b97c1c3a127f61b55952734eab51a503863bca0722a34e2b1476232d6d1c52ca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMIw.exe

Filesize
111KB

MD5
2f3abe17978ef25c27b798c339e4d952

SHA1
b1acc79ad114003a934560999b95c60f14fa609d

SHA256
b45a5da2355c3480582889155f7da3833ddd1f8c9f558786d4b7fd53d69bedb6

SHA512
4dcda638e8f80f7d3e0c28a8ea0dc8709e3b88b07e5ca50153fe2b1508860838d00b0e794681bdf7f6944de8d324467d4bb491055fd34c1f8af7bb19f1c2b7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUEG.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsoG.exe

Filesize
118KB

MD5
9d051738acb767014eec06e3a0a02a5a

SHA1
4ea4990e37498582f0b447be2aaa6e741ba70fdf

SHA256
18a02e513150da13de6ed0ba503195837ddb87ab2ffde1652a86e9f92bed2e70

SHA512
9e79e46340da00d733c7719aa8c71db0bae28435c75e30717b47a2bb115da25936e6f60f865c20e3961210438272894a09abaa5002533024fb132885835743a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMAm.exe

Filesize
136KB

MD5
eb7874bf3853041b18ec30c1bd374696

SHA1
2c9507e8b362113db760f709f193321c067605bd

SHA256
7b1336c55cdc90fdf31976a8cd772fc687ce8681ac127400d3eb9e4001359748

SHA512
5d8ef1572910bed68b486672e7bbf96f9bd3603df069ed5f1b7438dfecc34afda793d1ecfa703462c160c8130a53f496739b1fc93885789e3313618491cb1df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUwu.exe

Filesize
1.7MB

MD5
d0c71ae178d29eb5f6415e3033e5b6d3

SHA1
16481f771acc747fa0853d2a453604fed316f5b5

SHA256
03c6390e1b22d119b65ecb3fd221cd4c5f8e42f764c15caf020fafc52acd09b7

SHA512
cac18619083fac51ca51aa7f42460a38afc566f02bebd00fc2f90dc6bbee16c4271af1be8ecdf1c58358e873217c6b3954804de2b9d599d2451dacf1ced1d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgIY.exe

Filesize
238KB

MD5
4bd07557573eb2f4906ad1b6ce54ba48

SHA1
e42c6beac38e96fb87f9b666f0a9927fdb114e47

SHA256
830c69d164f6fed0dc68a4cf504f19a37ebced6f53e7cbcd29f59a5e2fba4da5

SHA512
3783048bc7ea77d70ba434bb74711d416dea1e9829112daae0ae76bc7d07fae262fe577f0c24df9a5254ef5fdf5584a46e8e8b480561fafae8b21c9753fd4baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgog.exe

Filesize
607KB

MD5
a1b323f6164b16431733b9a5c06f9189

SHA1
718827d9b0391759c4b74ab35fd6e601036bfb9e

SHA256
f6d8493dadb53fd71cacb8bddf0d1f7db2bd86e0fd9cecde3f02331e86b174ec

SHA512
e516621bc2cb6ee8d6c9ee8a3c2d6cdb1cffd9da3788edbce32aa65868da772728bef7617970f0d0e8b9afb2c0cea0f551430bd0a982a86c285d828437d9d600

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsQI.exe

Filesize
698KB

MD5
5a3709ef6bd61ef28e7cb2a6243d9711

SHA1
4ced776bab57cc8c1794434d685e00d774d51c38

SHA256
e48b317d4ef9355cdaef356dff6c50c5ed6cb4b566bdec579e0fa35c480a15cc

SHA512
fd79d19fbd856d815c602790070407215682cb95e89d5796a7b5e907a90a79c5973beeec6a215b0c264cb1201a809b9251324404498a3ee962e826ce1dc47346

Download Submit
C:\Users\Admin\AppData\Local\Temp\REsK.exe

Filesize
110KB

MD5
cb2bd106826cda433c9a22256b8cbdde

SHA1
e8eb9a45826d61fcd6c42d0431321cf0833fd97b

SHA256
9a440189e7e012dd4bc57434ec9fb5a5815dfb90b54b90807f40e10249f9cec7

SHA512
830f4ea7dd6a7ab8f50053f0852aaa8d831c22ceb8d16e744ad6f60f317a2a3cb11c4d66a057a1d83a456b15b01c2d80ea658adf762722b40d5cc9f2fd183cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScAS.exe

Filesize
151KB

MD5
f1c1e26380766257fc45d263592d7253

SHA1
0fb2c91f01372c07312c1f8472991b8eeaf3291e

SHA256
abad3fb820f03f0b177186146c8689b6c5408b9594daa7ea6a0b255c248d3e8b

SHA512
b8de996c81d9d13b1b0c3c0f5ea93cb60c7f89a7eaa0c581e2e06ee54cd25073814a593d36b7f7333c0e141c305ced67914e18fec04a9c6ff032b7d052a966a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToQC.exe

Filesize
347KB

MD5
dd651490ca15b3e8ea36614974ca293f

SHA1
d89d2fb4e1745cb0e779a53f6cac290bb816d770

SHA256
f95c5a1841925dd227f300b9773c4107556742c1b266ac986b118ec9f92ca436

SHA512
eb630925af89e96907f01b80f4305db14042e83b4c1fcef58c661a098fdd94e201beccfef7fa6c3d95b84b98bede4e3128e78502ac30cb6801f8b4431a48b44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uswg.exe

Filesize
120KB

MD5
c1eb58a4ab0b6964d2ad9bbd312dd7f0

SHA1
adf0356b0e27f686a56c4d64cf3a7c66f86eff6b

SHA256
7c19a6bf99746c79c6b1976217a6ec85385db2b831ae65d86a639e5c5c1da979

SHA512
a599c426e988d69fbee965dccff91863a14ecbc7aa5dd625debdc2b6824c8c12464469ee6b1a2551b3c8e76b81419c8ecbf8e22e2816f17a34dabff31dcf3c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAIo.exe

Filesize
567KB

MD5
d89ef4d5a164f29228a9eac9e41d78aa

SHA1
3a93ecb6734fec98394d8e025bb6b7a772eef4c0

SHA256
c94726e21d49b40f0735c3876a5629ec473f134b66e7cb9ffe9a6074acdea5f3

SHA512
83b13c627569a25be64ea5e19f9e42bd1a72bf0a386e289dc7a822ec1954285ce0a84a9dd9611e9e8f961089dc3780dcdb900f9cd0f359bab40303b14579a42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUkw.exe

Filesize
236KB

MD5
4ecc699330240b22e7f07bde52a03cdf

SHA1
c253617147cd6abf184c2e39ce04bf7abc89617d

SHA256
036c79f40894dc21cb76831cf047265e16565fb383c2bc649d60b516d05ee8d6

SHA512
47520563e72099a9794c7fc91368a8fa03c5ead9f423856cf69e446eb34ccfde5ea12667f80c453a9df83e39a23f4b8b724ff8bbda3f0155384be78b2149789c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgsG.exe

Filesize
117KB

MD5
c934932b9dda6ad1f2fe044cb2b195cd

SHA1
e6be7ce57b4a931f13134bbc22e22c0a17a18017

SHA256
fdce548752c27131947a1aeed6658c87a4b51d5331dd7f0e5af5fa2c17eea0f3

SHA512
32dc28d8521cce82b51453bb7ff503c2e970fbe680fa4a70360bbfb34d42a643bb325cdac77e47314b6ece06f9a99f00ae4277efddc1109e057644d6f8d2ddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUAY.exe

Filesize
115KB

MD5
85c9f63af748f1eeb056c860f1bb0c88

SHA1
86d5cafebc0b14c223eb9f01d3ed1ddd6037628d

SHA256
bed70c3bccba25baa67f501341686ce506ad00fe029e9420c2ce7d1cec733638

SHA512
80ed26eebe83d17fbc656423762f54b7ad001a08d9f421a8f15352fde2adcee8f97d9b242a1c9a800be21900ebb8e35c0aea6b555b750b758c11ddfd15d55660

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkC.exe

Filesize
783KB

MD5
f3c3636fed191c216fea0f47a5377ac5

SHA1
0e591affe617835f7d2f7a705b69eb3d79cff0ad

SHA256
46e39963aa2387d1d09910ab6d363e807f64afeb021b2b4a38402dcd3b6d3cab

SHA512
6348fe385d7603444834697978399a9095a41b1f02fb9fa7c6b7ab241d1348f842e6305cc91add6cafcbe3b2c93ece7cc4d77fe52630ddd5b40a9211ff12ab17

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcwO.exe

Filesize
706KB

MD5
2b119cbd8d716a3bf8e573c5ebe4fb64

SHA1
a6cf5b93ca2713e9559d4ae01832328b82a776e0

SHA256
697807fce62cc80103ac35ac243d291d8af6bdb553c6e13469028756ee8e8d78

SHA512
a4cba22f114629a405e013ea0604759593fdf1ce3a5891156a2835cb09b8cf1b90ff61f5fe300fec16fb6449c9b5b58ca9ba7b8f5d287ba67c465c06561a88b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIMg.exe

Filesize
554KB

MD5
75563e917b7e8692f19061df0b937351

SHA1
d2cfd6ce90471cd4d2d3e8a246cfa3bc71c21726

SHA256
fbf9b247f250592edcf1da5a7d72425663aaffec378c70c4c0f99a3c58e887de

SHA512
23bbbc715eb5dbbc59bfdd9e3f0a62c14a2f7bddf60cb3ea02ce159243709c1f4059ac28c1b6dc465b8cca223f84cef6fa3cabf3c4c14dce603e53404b2e048b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIsK.exe

Filesize
113KB

MD5
6c4cdf4dead2d932c9688b525d7201b8

SHA1
505e3243cf9a090e25a045df3b612176e18d6f6f

SHA256
f62f46a152620da98337f92d5327c58fcc282220075b8052045237931ed9dd90

SHA512
358f7ae9bbf4f44ab3e2ea59bd0651a9411303c7103c1a972ee4a70ae94955b739ad21b23b43a548d00b294c40280708d7ba133f708f72971b17644e4bd96ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkIa.exe

Filesize
112KB

MD5
741345ee8c35bd756ff76d1571f36129

SHA1
1430e52b9e1fa0234079f0faf631ee0ffcb9f85b

SHA256
ebea8a64c0b14e4a69c7f081a2cc8bb2ed96c672864030bb47d4a5012782b2f9

SHA512
01085edf53549c739cfe54fd02c5fbad15c640e1176b8dec54c8a4b0d916dc527b6a1ebe93f9d956a4b6440d041de1767d2a4cf75d720b75708e437af1066eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwIU.exe

Filesize
1.1MB

MD5
07c7d8d109462d1d9449259fbd6f64c4

SHA1
a5a0348ea9404238ac14c7d750f396b13606b0e9

SHA256
bda85b22642b2c7c3ce47377c13c9f48f1db0af9906d77d1afc9fd22c3830696

SHA512
c3550431f56e99d2d72fe822d6515f198b8b43d3108681103712c0383a7ac72373191764e627806300838d0f6b2d412b0f0bb659047376ec2b4d6d57a05d3ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQkE.exe

Filesize
112KB

MD5
516b26d868dda7996e29c2c121997f36

SHA1
bdc9dc88d67f24641862de325181ce98ec114967

SHA256
eda9eebc4cb5e12f57ea0838a4d3438cb35e88a8be9b160b063ac9ec1b8432a4

SHA512
6c9ff98a5e79174e147bdfbb23fb7e7e88413529af91e4b5ac94e01159127f24c4dcf63150510358988aaa09dec0707eb67119b87909d516b64afdf7314185dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYUE.exe

Filesize
114KB

MD5
ea88d4082b28b2329f7d876f776d9116

SHA1
f4c6c8434b46cadd1ea26508a2190b2ba3bcbbde

SHA256
220ed4ba7f1528ab3dbf02016e24166c9efe53ed72f012a8a9dfb1bcdfa7e269

SHA512
04af28346d682a0cc9894fd4f7fd5c05dc8d6d7949f8063e8e63a42e033e907f7e743652b13fae160808dec0ebd636ee8e3ae7fcf1c5fdec1d782d879c33d32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccQG.exe

Filesize
123KB

MD5
a43b1820e7d3124c21e31ab752bbbc1d

SHA1
33f8903d801133f717a7289a57a58e63313e456c

SHA256
61e1b2b86824fb7b8accd2fb3f039f2fc659a12a1cfcc6d612bbfe97c0506fc8

SHA512
b39131358ef6e8801a3d750d6719c3e8c89418df3d05d0d77291179a13a4c6a0cca5f6d0b5b627ca25ebf0b2dfd1a979ec176b4bcf8ba8559a5698851b8d7591

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosE.exe

Filesize
113KB

MD5
c16030705caf24c66f92451e25425d90

SHA1
b58f15970d244d64cf73c9118a0f05fda053a50e

SHA256
7fd917bcf4d77019928317667e68b6e39732226c48c0bc614cd10cf318745429

SHA512
084fc1c3803ca033ed2b97fc9b3f35d5c9448993dbee33c588be5fd9512ec4c80d32dd458de0b80e0a949a670f6e8fa7238e7c8c0baf8511b8a0618004a384a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwIK.exe

Filesize
112KB

MD5
2e1721ddf1c9e8d22cfa4ce20ef8c921

SHA1
a6f269e33852fadaa594c44b5c70b64570aeeb05

SHA256
6391b1a38ab818ee0d55a2e0978c375abf27b9c4b6e3bd118b5d982ccb173596

SHA512
b9daf3f601ad748f61663a3cceb613b6004c34b236a9e88f74f6b4913ec9620cf62276f722993bc9958b67f148a6c0afeaa86333e20749f04f93147e51184f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcwe.exe

Filesize
111KB

MD5
5db4d1108217b7dfd56a0429f874e795

SHA1
7a4071d1a564727d7e8deb737aa703a02c3ac86b

SHA256
d3f938aed6b4e424f8aef454632f081028c33db692730e0e07a8a532118f9d61

SHA512
8f2c0a6a7a752d3ed1677f325f664a6616432142d57432a0d409204e9721e56339219fc43be272ecf427a21c4050baec64ca393a024c333db82741868d07519a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAgY.exe

Filesize
112KB

MD5
6d397a1e9fc3d814981e9a33375deba4

SHA1
9815918a05327cde3f34aec596dd91b2e5fc7184

SHA256
bc68481f339e6af1287fcea5acb36ab24c622379f86d4ef5730c58347449478b

SHA512
badb4b51954dc1d8c7f98b95003be659e30547e2529420cad0966a2d2b085595ba9dd3b716d2cf4d9c48b30e9ee11d36428cf7ac834c640688b31acc731f3897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIos.exe

Filesize
721KB

MD5
f078f1f5086618528c62f7451dca3c08

SHA1
676e8deb254aa8a8c3a249465d172accbcfeff83

SHA256
47645550b2a43cb4465657844bac49867c07cd73a0e9e08579181b5d090c38df

SHA512
02d630be9b7f947a66f21abee4d393be0e730e66d73055335b15f832e79f0cd20b847b3cf731c57865847ad372f25a999dbd8e73fe6ef4a5d379227477de3834

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIwe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkQE.exe

Filesize
111KB

MD5
4aa2f0b4fb83306044b90d0d9a9730a2

SHA1
86dbc1e594c35a7a42984af029f46ff719d7f737

SHA256
c20d0c490befc467649680a3a9161e4f6e17586a0598fa3ec6f446de107f3c1e

SHA512
44742a57a6aa1a65bc2149ddba816560bb0ce6a1e5e9bf2e6f0ba7ac298bce84e716bad70c27428aafa9e1b64a80c02b5ab1ba447bcd5a9ec0579c7bfc44426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoy.exe

Filesize
115KB

MD5
9519a9ebde4954621e7ca5fac2302f62

SHA1
88461aa2be32a6f422333538db2c6f9aef6a8158

SHA256
57a885da2695d94c405108773e68514c312b7fa98013acf8db04d5e1d07b7fe5

SHA512
185580d170a916b8eea5a953ae1b9cb2529ff246c83add50b493c9ac4247ff49f6fa01afde45e752cfa7080b24f8fc43b601ac96a5abf9dee8fc18e90d302a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIA.exe

Filesize
111KB

MD5
b61f56db9a69d61629bf441604bc0ee1

SHA1
82f2b71d800264532b21eccc600c1690867c3766

SHA256
0a2e4f0bc6c44d95efd01d0217f7aa687ae1edad3e87df838344fa44f04a9d89

SHA512
4b942e78c376688e5a1c74655a784c92a8642220a3272db0fd3dd90654b62a07c04bca91525c9b4b3599450e9c3f2c39721e41cde3b3fedf5d025c324d48e9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\igYm.exe

Filesize
137KB

MD5
9976d9152e36128ae9faaa84c1d363ff

SHA1
8e613aaf99d55be5c6512540ed32dcb62ef287ef

SHA256
d44dbb998a13e5a1b34657e7c055b315c6d1e474c9506a4c10928cd3ddcdf076

SHA512
8f4361154cc63f11228041090d71c2f78a7c09793c9f5d48588fa6da5a0f7c5fb248d7471281335eb23153c1c96fbdb310e01a96997f05f39e0a69ecc3bc3e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQYC.exe

Filesize
482KB

MD5
0b4022e0beb7b0f853f7de57ed067dbc

SHA1
a076de89aca6a6c3290ad2e1aa6996d642ff2eb9

SHA256
59978413e388fb952305c28e9ec5b65e99c0501b8e5cbe1aafbde41ded17ad84

SHA512
2e6ea6f52f47ff298e714cd727df9e8747252e16bf5f05e55d4863d00577bcca2af9ad9ccafc800f5c7bd2e295dd65645f4e1b7c6ab4bf3dd039dc5128a75d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYgs.exe

Filesize
555KB

MD5
d7a093991867dc2af9e01a9581f147bb

SHA1
b34f326ff77e7acf072ed28df45ca6467096a005

SHA256
13fb5789ee8f1db5cb9b027839b310180016e783e7ace66d2570b818c30da63b

SHA512
10844ec63f048c5da04ee70e7ca6f8275e647a73203265b5fb78cb7f5b14042e0968c0b03771e3091d5684cc416208fac19fe50095ab3b7074a244dd5592a42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jksy.exe

Filesize
112KB

MD5
4285012bf4a974482a3a3ed9fa69eba4

SHA1
f950e4b6858313cc18e3e13b5ee7e359b0d6ac99

SHA256
804b63cf27e5dab506af4b761229ef7ce88be67c3cd289bae0c2e0536f071d66

SHA512
6216aae05d1be65cc9cc133c68b9f6a1704bb4ce37d19bdb92205fb312277bb980fdaafc33a5974df34286d5c0da0928522addb1adcee3284ee69492ed4c8f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoK.exe

Filesize
119KB

MD5
0a9b0a2640426bb506b6cef41adf3948

SHA1
77a4b4a0c52b22a0b3775bd529c04c5135cd6d95

SHA256
39cc8c3dafc9193ce728dd6a1a8febc912367da505b6d1a34f7c96bef11d56c7

SHA512
7b9ec8f5009018dc0564dae90406e9af7c4cbbdef1a02cf44e6c65f8a2e2cd26d2f938d08187e15d16d32f358089e7e880de00bf2abcf1f3d40f73b7d70b0b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwgO.exe

Filesize
117KB

MD5
2012ca53b4f4bf1298f21da940c024d7

SHA1
7c7a00d7cb222484edcba07854a1dc37284fd81d

SHA256
e772ac4a7ff9a6fd83f91e6355dbf8c4efb9df7fdd756ad82b3301936b62de58

SHA512
cdf91f109ba8492c307aed4c31c3cec1aad338a09e89af7a7a3d58dc3978e020ce4cba45aea4001b36c947738e3e993429d9619d360b7b6994ee623186b1955b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsMQ.exe

Filesize
138KB

MD5
ad294930f7f1fb696a2181cf7847f71d

SHA1
39ee184be3522fd4a6ec21b68e21082509942a9f

SHA256
e14883115388c5ebb7f83be6dfa1cfa80cee0a52ecbca0c5d861af444d87764b

SHA512
018ba4dcff23536a5b32adc45622e86314400048d2513a432543e66e2531c2568513af818d02020680bcec1eb820ffa3a15b81217869e6c76b7872224e823a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscQ.exe

Filesize
110KB

MD5
6e73541c60e10ab86537ca104dc5201d

SHA1
569c1b0b40f323b847204002ded5166445ab8205

SHA256
3039b8178a8a63e8373ac86ef080778dd459dcca77e010f5d4eb68fcde642bf4

SHA512
c933128f5620b797be6d71cfff9e9ba0531d0d8b57c7180043a9d09c7a5a94f6784d9ce9c7d7c38f32c0a983a51e2977f080fdba9b13ebf04a5a814a957d4ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsU.exe

Filesize
110KB

MD5
7d466e813f0a726bbe8551e4b8127f30

SHA1
4b7f3c7f9f2a9c9072aecffa93073291ca02258e

SHA256
395e2936d7a891fc66e5f44cd770a9c0b91fff3446bbcbbadff396f29016ff7e

SHA512
d0343d397e8743f57620cb80b96efef14ac3d05f4a52d225e6e94db788c042bcbd8610ba129cab4c1d61c540f46b17febb399842df9126aaa4766f02565f337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEA.exe

Filesize
565KB

MD5
baf5566ce6f9aa4b19528ab82054eac5

SHA1
c7820fff35d9a657e0b9b233cd1df3a4523a222d

SHA256
f41f82ec6184a76271f67a38b9fa3e9baddb481c699c791579f6c0f225647b42

SHA512
5330d91324161e7c5afe260853e0115dc1d7347bdf018029cd90065ba25f8e6f2c7d7a27cf002f7da6f431b48e6d1e2fde52dad9ff8f8cfa7fe03db86e0f358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocW.exe

Filesize
744KB

MD5
d2a4a555b111d93a8fcb8ef363ce4d22

SHA1
05090a991906de4df6427a15d33725a28b95ae89

SHA256
58f58450a1afa2eee18f407e0981feeda81ac17d58631375c96a2f868bd8b6d0

SHA512
bff4cf6d63a74e356cbaa20d3b843299a40e0a2ca08f57a65ce2c71f6b5de378a54dafc78730d40c9d0b11bfe42cf7d4a9371230c787b021981b258d195c609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEwA.exe

Filesize
112KB

MD5
916292ddcdea1daae3032e8c6b7eb182

SHA1
899bdce8ef09908027e08480a10ea7385c2dcce4

SHA256
db4db5a779e4ed6a51f75a08a9513153d0fbe2b45245e902cb979179c23c3b19

SHA512
e9de09e7f4cc3d0f53787d7ae60aa153c6edad4aa38c3d8080258d628986c41d343bbdf805f58c2c45bae071272b1d8b32638372e408841241ea26bcdb8fd29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwEm.exe

Filesize
505KB

MD5
b9d8e164f948a12480adc71bd0a4c1cb

SHA1
626c0ec306806f89324870038e378eab43476270

SHA256
77e343361fb5a8a947ff4f012ec26d1c63c571a9e461aafc0a691e13dbb34583

SHA512
cc07e2710a23523cdf76be48fd3fbffe63a0a3805bc5ba6bd788c755c572bc903b8fe477da31bb78c938339dd3d45b766e25b9d5b2d0fe31dde2c345ce7ad9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwQe.exe

Filesize
112KB

MD5
0140e2290e8de5cbeee9cb94387fc6ef

SHA1
fad0b80bc21c8c22a8ce2eab9653dd80e515470f

SHA256
397476518fa770c177bf37ad610591dcb8ee738e03853c8ce5d86b987bf15ece

SHA512
9be38000bad94c8602878ed712c9345ff1cad3d74962a4030338f7d38d68b4356544c40fb1759b661ffac72ffd3b0df73826db73784c0ae4d65a5901fef1499a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQII.exe

Filesize
112KB

MD5
a0196d207cd479923bc3d34b9fb87e58

SHA1
1058a8cf28d621a38b4f7ed1f7242474b0d6d3f7

SHA256
7018dbdb1a9db1d8ee5cf3b696d49e64a9360ef3e6e52720880b3091115abd5a

SHA512
40e0023062c1246a124c24ccc1b3720cc8a039773d43c13eeda49f6274171ca2a950a0853cd83fe22c86ea33cbfe0c4a5de62b3623db8cae8265b977643129a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIA.exe

Filesize
797KB

MD5
2d3a5e4974220924089a25504bfd2bc8

SHA1
ca200a3aa4347cfa771a1b436cc629584c00438b

SHA256
f2e8a085928333239de4be681d8bfbe64b158c2f1b49f8f592f7cf04b6d9f410

SHA512
67a4f68aea29b20e21586d59b2133ac0083117b4d7e44abf6d16feea2559337d2bcc7772580ba6320d8a337fc272e6e6f741de60f686907abbb4493a6c102813

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogcM.exe

Filesize
112KB

MD5
a7450988529bc5600c7f0fb99f9f75ad

SHA1
60077da9ba6e431a36382458a5c5b7aa80d57d9e

SHA256
69161fb170ec37473ea2a58fc8cb4a2afe12708275fdfde1b8061682eb9419f3

SHA512
b9c8e62c046689283564af3b7f70e9e798545a033ddb59b6d6a6981a3e3a079e9637049518749b5f699653ac66468451f97d6229b7cc9312b254190a7b35ff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYMu.exe

Filesize
112KB

MD5
970e44db82ee6ef564e0b992c7eccaf9

SHA1
0e0a5ffc652d24a6f3522383642e5196bb73be8a

SHA256
6881b3c7583960c23042cccbe08d504fc7ca9c8f28f3538a6f79280efd39f498

SHA512
64883cf25f7f76362a800ee9a4ca4f023609212d50205b3f21619bdf233e87a6f6419edfef1afba111c21a5ea00b6f9760a01b9ed71a91698dcb8ccb7b5e6331

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwI.exe

Filesize
117KB

MD5
f73fbbcf6b76a577a24541976dd1f61b

SHA1
661d86f6f7334772e8371388bbe6eae45c6fc92a

SHA256
92b75e1ce0086671142243b8c780ef5b96baa7924746433a058ca141ca0beef8

SHA512
ffe5896ae2122f226fe114d37bf1c484b4ccb64241dbbd6c2421bccc4ae558aa3cec78e9beca5e6c7c6657f5f5e84aa6f90f36c5542adf475acd73ae5fa33676

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUoo.exe

Filesize
158KB

MD5
8bb38c3f016dd7a6c2235a696b6943bc

SHA1
6f5949af7912b746e5ed70663ee1281449ee08a2

SHA256
cff701144d61cba34c8a2b1b3d754dfe9f60e6465b10118f910aabc034978916

SHA512
06f5095b5cddd7b5bd91fa4ad590f0d5209bb13ad974ad4601be61d04639a576ecc850ac240922e11bba0aac46abc703c02e7ebb120949dfe3355b80d52017d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcIW.exe

Filesize
110KB

MD5
a89f8e75640e00e9beddf4dea8dde056

SHA1
f6a2d442438ca806bff1cf44b89095853aae8f9c

SHA256
23c7f9b9c43ac0a0fffa421199f3fa7cd301eed874e72e517d37ea05d1c3c700

SHA512
3ec7dc079660ceca953bb58d36a2ac3aaa4d00af64bf11ab701f09a1365d757a74370f7ac49cca8d5617a7bb0a79b4015767945f4ab5fb4d50df92e4225b5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAUy.exe

Filesize
412KB

MD5
7cf35c25bfe594b1f1298261aa350053

SHA1
276e14a5fb5e1c47cff6a99569fa560aa582153f

SHA256
36f737ac1920e59f82a6d0e1bea6d5d71d97fc206143343339d88f5947a29dd9

SHA512
5e1f1efb4a2714913a99a977c36442e2ea8984369324b50d0b2abe27822f520285106e704beae5c40937b79cac323acfe07e1c107b55ffd59f55033b8647c3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYMIAwg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgE.exe

Filesize
699KB

MD5
c3114d2cbe6ec80804107065d67c8426

SHA1
abbe6d77feb074ee7cbef8c20349753458ee01ce

SHA256
2de25fd473c5d78a9355ec9fb8f5572e35201fcfeaaeb2ffee4953e3a8aaf209

SHA512
fb48a638bd66b31985146d3b3e0440f3dd69a0a226e79687210d0ddfc905b75050714ce058edce9184e03e74f867b8c9022f3213de414b9c23ea4e7e199aa380

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYW.exe

Filesize
117KB

MD5
434714d9bba03355db04fe4a89947ed5

SHA1
8e5a36ad5f4d5d46b2e05d20c36011b3a49035f8

SHA256
cc01cc338b0951f1f99b812a8335dff8bcc4f15b4d3707005d75c9c74e32968c

SHA512
f387ae0607650e1299720d5a77febaf72bd31917647e52e34ec3260976cd6ef9236f041e2259051f497f4cb7969d934ba54fedeceb6162dfefce501018a48002

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMgW.exe

Filesize
112KB

MD5
e8683224f2cb0769158084652ddc9333

SHA1
564a079e9e12d80c4b27ca007f04043ea7ce800b

SHA256
5f736c888aa8b066e01bf8dd4925f3dd5e3fc9134fe325c6c7b700d0f051f04e

SHA512
647fa05503f2771efa0a95bc97b0ac40ab0b84fb01cb8f229a6b578124dcd0d0438b1113b487d3694206d7946a81dabd3aa5a8f42a1c7cb0ea3a5720713f896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYoU.exe

Filesize
1.3MB

MD5
9262e6e578d5c85f1f049780d560a1c1

SHA1
e6f280d43858ec344a5a3cfd53db89635fa1c455

SHA256
a22537a5d94a98571f7968e598eef2aaddca15ce7015220948f71f443864cdfe

SHA512
683edf1b19d65446ece413b74c0718ff06abcf5c6a457296a70086eb5f891c0f9e639396dcc3ec49b932d0c24877b3ddabe01dd777754a85ec5721c3b7dc0152

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcQy.exe

Filesize
111KB

MD5
a85cf92f1c0a39311bc267266655acb3

SHA1
e5fc58540322ff5381618dab6a1c972f0aa1f5f1

SHA256
d86ed921a0de98354c36f25b8c473f4b8031ce1f082a01fe8067cded2112900c

SHA512
c1c08d0c45cca2f9976a19999362e50e7aa288210bc7fb96ae3774ca1e1bd51a50df84c49e2cfd85e80ca0856bdb3a9666861b28ae600a3f3f2b6c64ec489347

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcA.exe

Filesize
111KB

MD5
7ca572b6eb3644ae6764166a80636ec5

SHA1
f789ca32413f8a148dd5f3606cd5b37eeb10e559

SHA256
d572de041dc3ec157130239d203f846ebe3ccca3c10636e0c969dda20052b711

SHA512
6e144da6a47c5237ac036b9c0fd03194ba5890c2b43d13c010ebc0d3889bc7bee19b3fbdeb648ce0a225b56c6cf3484ce45955e81fc0d9c174421c8d4f5937a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYMO.exe

Filesize
111KB

MD5
619f771f409f46d9bc84de279b1f2bbc

SHA1
b1873f686f1630cdb0ea606de564e46c8b6f3702

SHA256
19b80144a94f474d4b1d199b4a4c4ed43f33b14b3faf8ccf550310f9f1b40693

SHA512
c4deba738bb696a89b1aa66c519bdf1398b5c4ddf420ef8d769cc8cf93e88a684409b7956d92bef24a6e8a4b8f2fbab532541d958352706d0b0936263512c2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vocC.exe

Filesize
489KB

MD5
ec86b39547f7f60d1b0d2bbd780342e3

SHA1
8939c189a64e095d912f8b6b31ebf35832c2a2af

SHA256
274c1b206208d1139106dc5ea762327963275dcb803e618631e8b38b71c852c4

SHA512
363fe0fe23abef657ba014a46e4a11ad00178cec4b9f5473b9ce481933b169a36cb9d54f377fcb03ccbc96ac9c09859ba1349cb3bd043d465b9375ea148fa199

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwcQ.exe

Filesize
113KB

MD5
f0de89d12ccdfbeed5872f3e2f54f3e2

SHA1
882d73454b5678e75163bd81bc167dd1c65c25c6

SHA256
afb8a4f4bdb502ffbb591ab1e7d194163e4cc0ace8b868d28aa494e5d0b8116f

SHA512
052be82dd8298bdf3cf03fdda6ca752361f296581963330612ab73ac0d7ea0b148e700684757d02d99d097356f00d63f0460c833deb5966e90dbe4f2528a9db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEgi.exe

Filesize
237KB

MD5
312bdcd2be17bee0ab0edeb88d6da20e

SHA1
9a47d059a8f5a6569eeafe5a8aaf495dcb66a9d0

SHA256
6a562f1a90f16d6a1481ccd9ef4b7beeb866e82370ea2d50ed37f41bbf8184f2

SHA512
1109096eca909b1ca0b40b1fbffa1a3734fb583613537b2ad1efc40472db4ea9058d193c7d6a153e9361bc85956d16e1da399d005c18d726c3c874df943c39ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQMQ.exe

Filesize
723KB

MD5
1c9b6ea5067cf3e5347dda9e8d67972b

SHA1
8c12ebab15558c48d1a4591cd905c241d99bf108

SHA256
6ca567db1415e086a18e9ec83b6a1b8322bb105e9e888d21ee5a455c1ebd205c

SHA512
6e74bb855d83be0cc617547a08efaeb6e0c5f853f02b08d522cd457e8d3605784883eed31f379ccd49ce5105be85eb89f963d2aa40b3eac072a52f5b33fb993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQQu.exe

Filesize
110KB

MD5
9e202969d4ffb63098ac6e9f4c95b511

SHA1
8055ef0dd275dff124cea48ba1b27266e8f603b6

SHA256
c97e7ea91c1c4b9891d07ee18d979dc59964fae66cfaff416394e193def979fd

SHA512
4d9dc442551b4d691fbad08a2a17a46aa7b5d20cbe40efd7b93b080cf103fbafd361170f6dc7f904e29485483eaf68f60a3f7002388ca74e9271e1a1291788b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAE.exe

Filesize
112KB

MD5
6342bbf87fad718fdda49be90ddf36cb

SHA1
b2245091e8385b98a9828b8dc4acb171ac88b415

SHA256
f4d3c2e8410641753415fe36b58ba120e2637fdec9d0efdc3a4f2dbecd446de9

SHA512
ee16aaa885e3ffe4ec903a7ec18f3ed24eb8133aeeadf4cde9f7e28b5007bcd7c3e159b02cd4551bb74d7d3d62495e9d87961480f89fed1d1270e33ada62b73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYAs.exe

Filesize
112KB

MD5
7b9304d97679b9d5f1cf093339d91ca0

SHA1
a737dcb31f00796bd3463549c6297bbfcd355fd5

SHA256
1561701eb0c69654def05893bfe3511e029549ca9ff78ce4e77e3112fc320108

SHA512
328ec0d23d24e9c67c857629023b32e79e8cd32c6b3d2632c157c69a74372990570d87ffd243a3357f30615bc683c06284dac9c6ddd6f9231e296d7da17f29b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoEi.exe

Filesize
564KB

MD5
20dd6117ef21263a3848d3052217a3f3

SHA1
d3874287ec0d4dcb06d0df1672febdb78e9eb1ac

SHA256
deb6faca311adf0f89112979e6c587416359319e0459b760ac41e487a2f7fe88

SHA512
a8f22423e7a534c6a035517e24e2b65e5eeb71bcaeb263aabcd8e6a6e13462bed9ec2641f29dd4c36874f484269874f05c5fc7b4e5a1a333c0af9f270a142aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsgU.exe

Filesize
113KB

MD5
41d1406fa09aa064ac2e91ad7f8f48f8

SHA1
75d3095e0ed3a0cd3ee150e3d14c30749113752d

SHA256
de9a2328498e4be4754b00f8c31726d10cdca8850f9c76f90a1282ce3e2df1da

SHA512
d43d4e5d5e61360686d09ba8ddcb6cb3acf79f8e745dc3b1ff30973ccc313bab04fad8e84a95e1758d7c08ac2d9da6463ced672e47d08143a2f507c7c99151f2

Download Submit
C:\Users\Admin\Downloads\ExportReceive.gif.exe

Filesize
987KB

MD5
f07bd3006a668c0525db61700cf9d86f

SHA1
7aff60e3e6d72d2fb9b2931408930d7cae5aa4c1

SHA256
fac1be736c76d08344b8839a614fceeb13349e8955d08c3c06329cbb19ccb8ae

SHA512
e23800c3c493c62eb2bc643b39321dfb733c9886b7e5f1349466ab695ac63e0db560487511599cb2e6c96ef3682fdf432f625bad884ce2e83e6c2987cb49bf6a

Download Submit
C:\Users\Admin\PIkUYskY\LUwMEQoA.exe

Filesize
109KB

MD5
c7c543dfe5d5116c8c56bc6406e0b595

SHA1
7bbb1e40ea378705b9888613bd3a472219d9d92c

SHA256
754757d3b2104da3d85c5c5709f8ba8ef569b595146c1c67c0ee595d3500be2a

SHA512
cab9558a87e16a85fec9415b4203d78680aff7844389c99081a4960c6185fd9d41aaf967e9c2ec1725d1e1ecf87a5af34c867c5db2c900fa2894f199e2419f79

Download Submit
memory/116-402-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/116-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-1583-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-1515-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/636-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/636-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/772-932-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/772-863-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1012-1633-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-1044-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1212-1107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-1519-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1364-1376-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-1698-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-1648-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-378-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-455-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-462-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-543-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-658-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2348-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2348-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-353-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-360-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-817-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-872-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-1299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3048-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3096-445-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3124-994-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3204-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3244-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-654-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-722-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3500-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-792-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-737-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3772-593-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3820-470-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3896-1454-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3896-1405-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-1767-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-1714-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4004-1226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4072-429-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4072-437-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-369-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-420-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-411-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4328-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4328-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4404-394-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4404-494-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4404-471-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4468-410-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4540-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4548-419-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4548-428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-453-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4648-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-1157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4912-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4944-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-374-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-386-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download