c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Size

117KB
MD5

9fac3e4225b3aaacbf2a59a2bcffba00
SHA1

252caef9b62150eee9a7d83db7d68f7355e62216
SHA256

c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307
SHA512

1489fbbf331476dc673791835f921f44f3cb5a2f37fb3762787927e3620a019645df9c9e23f0457b3aee8761966b8eb1d434fe2f718e0c7edabcfb5f44eb2d72
SSDEEP

1536:zcUhcQHa9YT9d4tl6xKYfx0CnMOYWzxbZKIM7URtQK2WxnnvV3gwyIDwo:zDLHZd4+KYf6CMOn7YK2SvVwID

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 62 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 62 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	lYAkogEw.exe

Executes dropped EXE 2 IoCs

pid	Process
760	lAQkYcQI.exe
1268	lYAkogEw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lAQkYcQI.exe = "C:\\Users\\Admin\\WCgUMkso\\lAQkYcQI.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lYAkogEw.exe = "C:\\ProgramData\\vOQMYkoo\\lYAkogEw.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lYAkogEw.exe = "C:\\ProgramData\\vOQMYkoo\\lYAkogEw.exe"	lYAkogEw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lAQkYcQI.exe = "C:\\Users\\Admin\\WCgUMkso\\lAQkYcQI.exe"	lAQkYcQI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	lYAkogEw.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	lYAkogEw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lYAkogEw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lAQkYcQI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4176	reg.exe
2336	reg.exe
4460	reg.exe
4172	reg.exe
2024	reg.exe
3432	reg.exe
3872	reg.exe
4084	reg.exe
1820	reg.exe
1892	reg.exe
2896	reg.exe
4984	reg.exe
452	reg.exe
3360	reg.exe
4088	reg.exe
5088	reg.exe
5072	reg.exe
1136	reg.exe
1104	reg.exe
3308	reg.exe
4632	reg.exe
4420	reg.exe
2364	reg.exe
1416	reg.exe
808	reg.exe
1224	reg.exe
2316	reg.exe
2828	reg.exe
1388	reg.exe
4432	reg.exe
2192	reg.exe
1900	reg.exe
2224	reg.exe
4208	reg.exe
2140	reg.exe
4020	reg.exe
4924	reg.exe
1316	reg.exe
2616	reg.exe
1756	reg.exe
1620	reg.exe
5072	reg.exe
4176	reg.exe
4132	reg.exe
1900	reg.exe
1692	reg.exe
3692	reg.exe
4148	reg.exe
3108	reg.exe
3624	reg.exe
416	reg.exe
3692	reg.exe
4744	reg.exe
4456	reg.exe
452	reg.exe
4172	reg.exe
4972	reg.exe
3964	reg.exe
3420	reg.exe
4296	reg.exe
216	reg.exe
4940	reg.exe
4984	reg.exe
3432	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2136	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2136	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2136	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2136	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1464	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1464	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1464	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1464	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4840	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4840	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4840	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4840	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4772	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4772	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4772	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4772	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2760	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2760	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2760	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2760	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3940	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3940	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3940	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
3940	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1112	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1112	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1112	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1112	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4412	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4412	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4412	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4412	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1788	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1788	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1788	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1788	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4084	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4084	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4084	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4084	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2304	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2304	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2304	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2304	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4852	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4852	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4852	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
4852	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	lYAkogEw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe
1268	lYAkogEw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 760	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 2220 wrote to memory of 760	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 2220 wrote to memory of 760	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	85
PID 2220 wrote to memory of 1268	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	86
PID 2220 wrote to memory of 1268	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	86
PID 2220 wrote to memory of 1268	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	86
PID 2220 wrote to memory of 3556	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	87
PID 2220 wrote to memory of 3556	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	87
PID 2220 wrote to memory of 3556	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	87
PID 2220 wrote to memory of 4984	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 2220 wrote to memory of 4984	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 2220 wrote to memory of 4984	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	89
PID 2220 wrote to memory of 4772	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 2220 wrote to memory of 4772	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 2220 wrote to memory of 4772	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	90
PID 2220 wrote to memory of 4660	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 2220 wrote to memory of 4660	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 2220 wrote to memory of 4660	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	91
PID 2220 wrote to memory of 3504	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	92
PID 2220 wrote to memory of 3504	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	92
PID 2220 wrote to memory of 3504	2220	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	92
PID 3556 wrote to memory of 2320	3556	cmd.exe	97
PID 3556 wrote to memory of 2320	3556	cmd.exe	97
PID 3556 wrote to memory of 2320	3556	cmd.exe	97
PID 3504 wrote to memory of 2728	3504	cmd.exe	98
PID 3504 wrote to memory of 2728	3504	cmd.exe	98
PID 3504 wrote to memory of 2728	3504	cmd.exe	98
PID 2320 wrote to memory of 1316	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	99
PID 2320 wrote to memory of 1316	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	99
PID 2320 wrote to memory of 1316	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	99
PID 1316 wrote to memory of 236	1316	cmd.exe	101
PID 1316 wrote to memory of 236	1316	cmd.exe	101
PID 1316 wrote to memory of 236	1316	cmd.exe	101
PID 2320 wrote to memory of 248	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 2320 wrote to memory of 248	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 2320 wrote to memory of 248	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	102
PID 2320 wrote to memory of 4044	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 2320 wrote to memory of 4044	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 2320 wrote to memory of 4044	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	103
PID 2320 wrote to memory of 3476	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	104
PID 2320 wrote to memory of 3476	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	104
PID 2320 wrote to memory of 3476	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	104
PID 2320 wrote to memory of 2992	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	105
PID 2320 wrote to memory of 2992	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	105
PID 2320 wrote to memory of 2992	2320	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	105
PID 2992 wrote to memory of 2616	2992	cmd.exe	110
PID 2992 wrote to memory of 2616	2992	cmd.exe	110
PID 2992 wrote to memory of 2616	2992	cmd.exe	110
PID 236 wrote to memory of 2388	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	111
PID 236 wrote to memory of 2388	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	111
PID 236 wrote to memory of 2388	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	111
PID 2388 wrote to memory of 2136	2388	cmd.exe	113
PID 2388 wrote to memory of 2136	2388	cmd.exe	113
PID 2388 wrote to memory of 2136	2388	cmd.exe	113
PID 236 wrote to memory of 3432	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 236 wrote to memory of 3432	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 236 wrote to memory of 3432	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	114
PID 236 wrote to memory of 3176	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	115
PID 236 wrote to memory of 3176	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	115
PID 236 wrote to memory of 3176	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	115
PID 236 wrote to memory of 2272	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	116
PID 236 wrote to memory of 2272	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	116
PID 236 wrote to memory of 2272	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	116
PID 236 wrote to memory of 828	236	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\WCgUMkso\lAQkYcQI.exe
  "C:\Users\Admin\WCgUMkso\lAQkYcQI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:760
- C:\ProgramData\vOQMYkoo\lYAkogEw.exe
  "C:\ProgramData\vOQMYkoo\lYAkogEw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        8⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        10⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        12⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        14⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        16⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        18⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        20⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        22⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        24⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        26⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        28⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        32⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        33⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        34⤵
        
        PID:112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        35⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        36⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        38⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        40⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        41⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        42⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        43⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        44⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        45⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        46⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        47⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        48⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        50⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        51⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        52⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        54⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        55⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        58⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        59⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        60⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        61⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        63⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        64⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        66⤵
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        67⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        68⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        69⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        70⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        71⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        73⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        74⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        76⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        77⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        79⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        80⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        81⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        82⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        83⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        84⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        85⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        86⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        88⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        89⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        93⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        94⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        95⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        96⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        97⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        98⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        101⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        102⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        104⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        106⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        107⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        108⤵
        
        PID:1112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        109⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        110⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        111⤵
        
        PID:248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        112⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        113⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        114⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        115⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        116⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        117⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        119⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        121⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        122⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        123⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        124⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKooQQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        124⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoYcwkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKYAcgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        120⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQccMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        118⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEAwwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        116⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqkkMwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        114⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaoAEsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        112⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dggkkIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        110⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAQkEsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        108⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAMwsEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        106⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYocgEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        104⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYEUIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        102⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyMEAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        100⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwUgcwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        98⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYwAIMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        96⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEkIAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        94⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSUUcYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        92⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYsMUoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        90⤵
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEggcwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        88⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqYQokgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        86⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSgAgMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        84⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKEgIQYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        82⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEIIwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        80⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKwEYYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        78⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAMEMoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        76⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGMAIQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUsgYccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        72⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIskwUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        70⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuEsoIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        68⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOUMMQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        66⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEEkckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCYYcswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        62⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwgoQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        60⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKEgcgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        58⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owAAwgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGosQAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        54⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsEYwkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        52⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSQEwsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oucMcsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        48⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYkssEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        46⤵
        
        PID:248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGUUwUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        44⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NksQkUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        42⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgwMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        40⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQoIckQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        38⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoAgAsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWQUYIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        34⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGMIYUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        32⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUgYQgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        30⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sckQAwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIgUIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        26⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qysAMEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        24⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWAwAcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        22⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEoYYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        20⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoIkEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        18⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYUkAIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQcEcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        14⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIwUMoEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        12⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twEgEwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEMQMUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3432
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3176
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQYQkYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        6⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIQMwkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yywswUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2728

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
237KB

MD5
20bbeb792349b0f140eeaf11b3224304

SHA1
3721468c1efed0e616411336df1fd1d641dc9a6b

SHA256
b07a822ee09c6102a85bc6a89b3a2363f3b844518cf21e8dbf15f88ce50a1386

SHA512
42474eaea2a0ff5393371d4eeaaa696d7e1d664c5f02ca15aed8608bfa71c73ca79d97cef00a7aca2e33508d0ded31d7b2075002a16fe4bd713d16378c218bbb

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
157KB

MD5
dfd3083725fc16a8e6d06662243752f4

SHA1
2c520dd396569b150601f8eb7677de4e0fe9a1bb

SHA256
497e7afbded47e8b70b85bd1880f31dabe32d9f2c3005003d0afb481a0cee3f4

SHA512
8855b9edaeeffb5d68bbd65506ae91200f61278a58dd41bd3363d93d3b93356e960763614bc4f1476d31cb1506958c882ebac8e5873a0f975fda5ad14e19a301

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
144KB

MD5
387a6de3a12191651566e6a1cc97c039

SHA1
089af7c2290ae80a204f610e6b3e8cbdc9f50243

SHA256
d96c0f260c07da32aa64185bbfe87c39d8814769f99f8bd2861d9d6fca269d10

SHA512
68ddbbc4786056336ec6ce11d1022907156f1e9bf011a11df3bd2c94174deef9a61da1fa94d263c3a79dc73b737d888c7abc94c4618cd0d4d9c093ab6e24d15c

Download Submit
C:\ProgramData\vOQMYkoo\lYAkogEw.exe

Filesize
111KB

MD5
e39ee0be372a4fad6140b842a4981cc2

SHA1
df7fe714fa7d4ee9336d4ee40a9b0bdd6a951839

SHA256
5fb8b8eb1957679298fabb4a0c8b458cd07709dda39712a3335b555b88e68eb0

SHA512
169027066edd1c317cc21b09bcc2870e1cdde6a476ee195c993ffb4be69e6c08aa3af5607004b9bb30582dc073252f46fdb73523f740c24a83ace63a06e52077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
119KB

MD5
29e60f45c11d18251bebec2ad261e7ad

SHA1
e30d2f0bc03927127139971cefc83bd2f891263f

SHA256
42bf11348f39a67f53b457ff52672c94a8bcb075b1f32d82357c3ba015d6266c

SHA512
6d65406f4fa2b0719b21255e33d16efdfe4ff31debd8dd17fe84575aa499fedbb86ad591ee83c2a496b3a28c16b358e3977e83901aa2de7beda80ef25e18e1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
113KB

MD5
0e4b2176b29138feabd247fb88ffae72

SHA1
31ce551533b051bfd0d9087dfdafc6dd3d748cd3

SHA256
d7ea6c37249f1392aaa16aedbf6604c6079d4c515cc4718bb8176c214fa1c78d

SHA512
02bb363c778bf27f60f1f6d2b22921ba19e3330954b1b5ab06a95d4c5412850cf58d31f4e536467d5e480b1174ba80275de0887ed402efcaff819230fe9d819f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
115KB

MD5
bbbc09040c6ce929f5044ed5300c21d8

SHA1
339bc8f98407f4e2635647b758d95a62d1cb462e

SHA256
8bd0f73822ec1e95638c7b17d3498445ed9db084db0099d973a96834a2aa6d55

SHA512
5ef6fe93c411cd42357ca9f34500033eecf472fe566a49c4b07b2d4701ef8901fd7a72eba22d27b571403ffbdec2ec85f902879e88871d2c5bf3a490338074dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
112KB

MD5
f2060f365904ca66fc4458706e4a68ea

SHA1
255cdf73a25ff34a373744238a89b93f85ce83df

SHA256
1012635a7095163d3a394debd728b1c6973985e93d038e50ef0c896b60a75b64

SHA512
1e468d20039fcab9dab24bb3cb248657686ef504ca78e4a66d51ba7d0e39ff08b897cd76e29cde877812947d58fba5e7417aa8050ac413c1d2d4f1fb1fa54aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
113KB

MD5
c3f055c48bd917c0464cd98d5f1deb9e

SHA1
d0052c2a91f33cb5150b09b6f79179b22079082b

SHA256
c5e5977ef50bf9ce0497e8928121c8a16e2f6d138ca0606be8a3c8db050e04c0

SHA512
3eac312a15cb68c747b10388d9759b13d3a313dde2acc713c0255896193684126f58ec9181a9e8cc3a129a7636aa124d1dc7820584f59f28f7201de504e46c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
110KB

MD5
75a4aef480717d7d5b20a14246aa1570

SHA1
a726e64e21fc732dd31e8272104d7c1900a0c422

SHA256
ea3e6f33d89ffd012dcf141ad2ab77ed57684b65007e44f5409c5297aabf31c5

SHA512
a9da56e5524edca4b809cb70a60f435c5bd0261887ef66c122dc65158ff52bb437d4231cf08b5de31a13397a421b4c931ffd82e2e788448bd69e9d5fcd610087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
111KB

MD5
f06ef7ab2334c633d99001f93b0e6208

SHA1
7bb8df619f55ad5f977e82617455efd8065a72ca

SHA256
26158c83e94644d0afa4c92e41be1fb2104c621f657866764f911968dcaf8760

SHA512
96c2d832126cbd3696a682d69b8c7b77d1b8a8e69c6bec8534f87e84bbde1816b14e3137cb83e5578c8e2782bfa4c6e721c78b92affd667f738cbd670d88201b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
111KB

MD5
92e6d15bcb561f93377e2c49331aaccb

SHA1
05ab3f95be76e886360e19c8af8fb26c3dd9cf21

SHA256
c7f25d32ebc56439b673bc5b5abfce8c802bc60d01216d4dea4445b4e1fd2963

SHA512
6749d983d37ee8d9436f14f10581568e88b9ac1bc7d435dd64969f9e3e5fcd7a93defb61305ebb40ccade6c43b1bb2a91b3c90b51e62b67ced8742fbb5f2d0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
110KB

MD5
ac62afc63c426e3543a873f948e00ff5

SHA1
72f0960acb7e4a4099db1d525a435c0246a4445f

SHA256
c00e3015d86d3572052471d72e748b05911b6517d2479eda179509df5fae4697

SHA512
9af59b8cd0e117811bd7a1fe6825a04b591e3e2302c8543dec3a45669dcb47097a2a4dbeb130e9322e9a5b4e3ca20b4351a8ec2ce260e30730af4fc1efb575bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
11ee6ce57570580c1f5f08441f54b08f

SHA1
6e3ff723f2b5a09dcf76ab9a2963d5e7c3cd8ba3

SHA256
f197fb9da77be9dbbc9354081f2942f8d6c9f1791fb966ea1c9ff540b90b8dbc

SHA512
f94399d11f35cd6e4ba8c88dd5bbb39c3839df8a91d61d193c989a38d035672ab7a58a55905e92986f75d789dd77ada63b8238ed07f56c2a95bd6857b7da101f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
113KB

MD5
9741490ee08ffc45beb96d7bf9a3ce3b

SHA1
aa086069270020d54e687a8412697e7628ec78ff

SHA256
474aae57cb4fc02e4eba7226f13f8165e739e3505d71dcc8f6889ecc1fec3b3d

SHA512
8bb43ca5ba97aba522132573769a52c62952c97566faca2be01a532a440ef90859ca9c820c4a9f416959d0e7f26ba5a1b3bcd80589fe624ac4ae0ddd9025caa2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
112KB

MD5
206849f54f887ad9c6253ee42642474c

SHA1
2027eaeccb8bfee025aa25012d2c32051d31246a

SHA256
8ca236f4bb3ffe73eaef7a063833da920935234b592354118c2d26432a2ccb64

SHA512
9d839c7f1db77c44e438168467a7017dd7d13503dc30eb536f50d93bd7bddfaf3028dd931d02039689e76df3ec358da4c73f2fee7542814bbc306416ac631416

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

Filesize
112KB

MD5
413919de2eb29cfd9c6dbf82372f83c5

SHA1
a72137f735cb8731dcc1b4297fa5179095e5a392

SHA256
06a6d205674d5c182d76b7c52fb47de8e9e2df8cf4464819bf24862445f504c9

SHA512
671032edce70751da82a729c565d17b5c60d4aa1a967f4b3132bf906c2b576607aa364c0c76b9d523fac097aac653d83f6871a30d873eccddbd2032810cf0609

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock

Filesize
7KB

MD5
7b96834e1052bc1779d35e027b0f719a

SHA1
6d56be801edcf9bc449473784d7b2291939039a8

SHA256
c04f54809574033ba6dbadf3e94017ceaf9adf5de7d3e5c74650bca0c34ae947

SHA512
32f58556e886156ace18c5fb7e5675cbbd041e2c03e50c3666827c5b95eb0babd6bb16bb4606c260fbeb7bd44fb4bb1ca511648584da147d7970a3f284bdd4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAi.exe

Filesize
587KB

MD5
b6c982f7d0a7ebb73fd4211bfcf18ad7

SHA1
fe4b948b47e7a2211c48361f0608988e0a5c2d51

SHA256
86dd4a4135616463e82daa991cecab80879bedf778879ce50bac727bacda5afc

SHA512
eb141a0c39c991ababc311c6161b4bb7ddb227a2090a806218d1ba00665c138d5c681a0cbcf7ba9fbc787c41563991787abfdbeea2b79aa232c17fa6707c5bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYAy.exe

Filesize
743KB

MD5
b3e4c178b995f8621a7ab29a5a1c0b03

SHA1
cb1b12d7d0c3d381d3aa779992c759bfb49b0b56

SHA256
c930b8582984b3f9ce46aea65e2d39d758230bccbf63468cec0ee1faead251bb

SHA512
4623064aaa4895cbe6534ca0cc06446ab947896ee3a5485df4a5ff35e0a9e92b80ad9947a63b510b2fb43fcc8be01c33534e43506ed5e7e9e6e0c288d8b84e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgYu.exe

Filesize
110KB

MD5
fc7197ab14e1deb6df28dd21e18588be

SHA1
ee4fa3bb403b21c93e9d7cf092c371a03a7faea6

SHA256
8b8c0afe5b5fc1ed845c78744acb553466d2d32cc871c397c461e28ee6ba5890

SHA512
f9d9cec9a3a9d14d9a542238ae35ded84efec114ca1dd641112273d49b7b676a8e9596e00af055a9923c2bc5495e946028d9abd540453a2ccb093b8b7279fbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgS.exe

Filesize
119KB

MD5
6435a8250a39031238a3d3a578a2eb67

SHA1
580d51988f7cf62998a04596f2e1d44fa5724b12

SHA256
6e2938bcb3038fcb0c2eba75db5806c1f11db90dec5584240a0ddda5e4fe9d08

SHA512
c494ed0c93109097d02092f72b3a15355067ca4477f31db3b2de52769dabdeb86400cdfafc2d33394fb491a0c7f542bfd6c7ac75e6e05ef871e29b1fcfd21f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMQ.exe

Filesize
115KB

MD5
fea36e968e109f773a23f084a7584e71

SHA1
9a6b00beda977a099ae195109493c8075b2284c4

SHA256
bf4e3ecd397c0c9264b70869fd59a3a03334312dc0a2ce7edc14b029d37fa001

SHA512
8f9ddde2c072062ed2563bb7fca4f2f44fccc00c2ebe4ef02007688efcff06141f57723f6dd6bceec691f4629223395b572ad687a0c3b9b3fd166b01f94d28ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DosY.exe

Filesize
120KB

MD5
31a4ac3dea5485a8e818d20ea16cf05d

SHA1
89736b2e5cf167efc3267fff0769149ef6ad4c82

SHA256
22ac724ddb9c91380702bab03738c15b6abfb5fb6bf266e6610f37681ac45749

SHA512
f2d248568a24f1ee7250d564637ae1d9b17c88269a56c62430a2fd7ecc2d55dc419e4880679c59f9992c153d376560abff04ce1fd318ad8d12382bcdc8e7b4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAg.exe

Filesize
111KB

MD5
9f2f90030536dcfff87f127c6039fdc0

SHA1
dd31f07138499aef03b74b3b11272bd9a7f80b00

SHA256
fcf246bbb650f08f8f9f1af7a7d82186aeef31661033aa77f29c0aff2bba1811

SHA512
a386a6af051899b5a600b6e877e24a5e8831075a935f26395e48656e318063916f1c5564c5fe496a1afb0503e4eb6ad9928d62893edc1fd91b496bce2aa7f4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMIW.exe

Filesize
118KB

MD5
d8b7d654123f9336a4373a5b78ce11ba

SHA1
37f5887f9d1c0ae3cf5da1097ab3c604be4cc109

SHA256
c38983acf2f2a76c6f207adbbd6e1d993c7fdf84e43236f2112a3503587c8876

SHA512
21d4ab2ae7a4b5aa634a6804e4cf158c3f3f51009f3e19dc6f7f73ace28e3c4401710bb1899ef8fd71746a2a8d0cc05826e27ec68a4f2b37de8b75f6eede502f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQsK.exe

Filesize
111KB

MD5
670d693da730db365f2838a70b217166

SHA1
8a1ed0443af047e2985896884feb477d202deb9f

SHA256
371334c86378f3b6409448aa071e0b8a7a1a3dc416d1896ec5548ea2d6aa6794

SHA512
9597ad8efbb97525835d7bd55a14afcabbabd0e182a0bf6e43cb1e67e7266cf2b476746e683d9c52af97505296482fc4c00c522c931cb3391cefc59bea3b2d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoUQ.exe

Filesize
110KB

MD5
498d0c4b35c4e349df3a5d2b7755d07f

SHA1
e314711e985576feb8ee3ad4e5ae24b7ce23e801

SHA256
fe6dedadf96b85d828081c38a464a5996f0b6025ad4ced79f207b4335e428caf

SHA512
19d0d376b6d83d7e376a79f36c742f6a5b3991951ed655a3a41892371e168f8210a423c839645705ac0c6df5aa0f99ce085461de03472b38c751a20cd03be075

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQsU.exe

Filesize
117KB

MD5
e7f600abc715a4b2234920c240c9d9fc

SHA1
256c686b5ebdc3cda568cc4c4d54220c977121f2

SHA256
d29744324e216afc061ccfb47b85c33a3ffe90fe158dcb93ad5f0e9d72bf8f79

SHA512
c791075f7f45bca0ac09a0791447a2b683db3685ff61d6dda43124f263688619a2a78294077de9e6f6480b61803d7526e67bb81cdd34831cdee1e69789f6a73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYAk.exe

Filesize
112KB

MD5
c28dcfd4a5deb114d55cb93acbf0c763

SHA1
e1d43683404bbd866c9ffe5a1f0548782dcd46be

SHA256
c11b72452379ea350f454234e56f3e5285378f1da73ed2435828bdf06e5f51bf

SHA512
3c0354b7462f04c4cf03b8ac87af6f8c863d4bbc71fb9bf6af7ad03a1a3bd101ea7acac52fcec3b858bbf1fb344c794515dd34c4167218ca4fcbc50412c19475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcok.exe

Filesize
485KB

MD5
3d396d467a0d282472213d31f833b89e

SHA1
6a5014db8e28fe2de3b10ce407840b1a174bd11f

SHA256
c82e3f889cc761cb5cf9dcac01f7634c57cbcb9f243c4d18d3e9928f7b3912e6

SHA512
76e0136978011a3df9eb996a44c1f1dede81a0a50903909a4052ed3c278c27b69acb7a5fa1b1a3f0e4e56a8977ea631c9067e3c4be809e8b5e115eafd0b4beab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYcm.exe

Filesize
117KB

MD5
c3e0dcfe684316200671e3059e1d1d7d

SHA1
deeb000835a38070519a08084f27dc8a7c502a19

SHA256
06b5e7f0ea576230da72fae77ef19a358abdbf2e9b7d15c3d9afc1fd8a4c09e1

SHA512
1c202a3795c1492fd234332efa4d43bfe590325fe2920068420b06bdb8d247f935a4fd0da09ec62018a330782d859d184a56676426c554c4693c2dcbbff4c5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQYW.exe

Filesize
113KB

MD5
924f2314fd6774776ca83cef6d2dab67

SHA1
1855b053f239e8e566553ee0e6735c4a7d6b3231

SHA256
2904dbbba4b358645ff357bcf92b2b787f1fbd8966e8b0266c9a9a317eaf0c23

SHA512
fe4cd6e57f884845a0008e1d97e181bd3673d34fd0a7be9a6988e608429cee19d625b3a6f6cc727bcef1b0a68772db7121389e5ef5c0df45a752a39555f92138

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgEK.exe

Filesize
139KB

MD5
e32941d9f47df7b1a99de0ba8f6fbc03

SHA1
566c20935b7b6d23b22dffe270c5fbaf45610729

SHA256
ff45d961a19f4e6ae5113254301d934a8da440bdf638ffc94f44cc2d70dad374

SHA512
f58eddfc6b25eaa6da7ec147c9f4b12106ca4d679518ce7c030c3616ba444922e01c8c2e2cbfda8ad4ba8762818c17e1ee9ddaafc43f7c3beeab8d6a49bfd6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkEi.exe

Filesize
720KB

MD5
9c8ae9761e8035ae901f32a98cef6c91

SHA1
dcc050fe63bf9680000df3f9d439d4c7477e5dc3

SHA256
36db2e3de6190763bcbf1228c4aa7151a2323481f073a7f3b2c9fefb08d60f3e

SHA512
b8d24acc34207a0bff744e785b032e92335a2203a224fb97a3cf1f305111d1aee0aa2586fb5bf5e85c5c1c38f70375c2c0f2ad455cdea3286c662fd98d5bc2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUEC.exe

Filesize
111KB

MD5
1071fa3c3c404003b1965f9af09d16cf

SHA1
c37b4f37a034cd60d9f030caa192f773553354e1

SHA256
d4c3de1f7b0b6c29441b7ceb307b5cae2fb8e9b3541af9bf32e562fd95f0e38b

SHA512
3b6347df9940b4c0989aa9ab856b6a1e0b6635c387e618582770a3a0ac8e2a867d9cb96ed85a5e25c1977b4a6862a4b60aee29fb4be4aa09ebc4bcd20aa3fd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYa.exe

Filesize
112KB

MD5
533d62520cedf4eb2420747ca425467b

SHA1
328d21561a95fd4e37b3027799a6d7dcb06b8377

SHA256
e90901fd9a6d7b1043c6920fb919be6ac3d0a353e639504ab20085933d029f8f

SHA512
a187fb7f226fcc8e6e362e2231ff76f0f2e0404b1917dccd6b5f1c86cff150933c9ab4c7045cd3b76387efe8a50c415eaaecd37615c5dd45bda85c72dd30681d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkwk.exe

Filesize
112KB

MD5
00b3e332a870e63c567c206d10c1b515

SHA1
d291345b659557a96965395f70d2f65c655f2f46

SHA256
7e9927c6cd344f971f35a1caf2f8618f2ff2c142a6e5ee94c72adc76bcdf5e2e

SHA512
248875471023ab27ed7c132a5a646d5bfd73a04f55755b62efb72b6b7497cc66763ab5a77986dcc4d699fe4f8bf2ce9f3bdeddf51c842c04d96db45b7ff00df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwEu.exe

Filesize
685KB

MD5
5a4416bc56e3f4aa9ba05fe91aa1cacb

SHA1
e4e821aea33463622ba4018d33c4c721db847565

SHA256
3bbf5ec8fff074986422ae5564abddd0b3aba2b71a3ddecdb19ddc915c415330

SHA512
6a210daa2ee1bfc129f22545c57d1d422486a7501e3f50b5bf5dc1bceda0e9df6fdca92118e0a76209104e3e363567b5e23af47fd960d0c8de05c7b906b38cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIU.exe

Filesize
116KB

MD5
053392afc56a7b904bc4a7b953e82fff

SHA1
fbda554574fca71a33bfaf8e1386488c3741507a

SHA256
f2af6126863ef24229219822419cd4cf67c5ae13c41d2669b85bc8d278ee6db8

SHA512
c7414d2ac0de8a332f2c87d9960eaafed631db1477754adc18348114cbcfd6d53f53417790dbdaf6b9247049d878f11fa0fe1405f9be89a7eec266f9be9fb052

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMgW.exe

Filesize
114KB

MD5
462c2961d7c873f43e7c7445fbc297cd

SHA1
1a3852197a3b358147fb41ac70053720efecb71b

SHA256
2ced41df161ae42fcde1bfdbda3790e0874f313e058ab205b6bef53b10ca7c78

SHA512
5781fea40ce29f0240fba2ef295eed8b414343b86e0d8f864661c849430f79c75c54c33e46c04033a24e05930c749d24eb3d4842bb11a678f1a377a6da71b69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUQO.exe

Filesize
556KB

MD5
071e23ab22eeb91efc67dd1d5ad27609

SHA1
f1c06723bb0fe6ffdf7e52cc5f33a501db54f447

SHA256
92933b1db90217f147b5be324893170ec0c4a8487e1e03ef92158c6be41671d3

SHA512
78ed6164b349f2fa31410d77687abaec55d79beaa1f46a97e990e74985669d52a333a278f904ec7e59d8fc515671dfed6b7f8034ae1ac20d12687aa6be33c76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcUI.exe

Filesize
118KB

MD5
20e4ac4831c15f0d6fa2af5cf7ac3fa2

SHA1
581451e5efdda1dfec01bdea2ab1620114bf7de5

SHA256
26ef7c726e07913dbd248c533b1d1ef0038981c9bfb788b372fe69dbd44d35a0

SHA512
99efde49001f8139dec0dc9602e8867d5db891de78cddfff6eb57b95cd17933ac963ae3c2ecf222651adca56552d7badd25fc661b1cfce6b0644d0c46ebadbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEAe.exe

Filesize
121KB

MD5
79fbf3f190d7351bc9188ab93048c2d3

SHA1
377cd70a4493cc65ed05795be8c904eb13511d04

SHA256
0e1fef8922f589de5cfe6438d9cce42d3dc26cb863733664e5f64553d9e2cdf1

SHA512
b8e43c58bd10f26356fd936ef61edfeb41bbc8f38cbfb8f4419f2fed2f7b3d87268800015a01061b3e5567a8b748ea2cd3ebcf9eb6b5bd6850c5c13c3c05147a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoQs.exe

Filesize
698KB

MD5
f2e6197d668af7e8c651b6270268bfde

SHA1
5d27be291a69bd3b9632a0c09775187542a9adc1

SHA256
4417173372de82f27cf174df672aa2a1f2b89590119aa144de14686dab8965f8

SHA512
8e462ac6c6ebe7b5d4335b10168656767af97aebe36cd2c89ab187df528457f8773a8b76beaa57e436b6b8c3cd239d5b92808dbdbd8b61506378c4acc952e62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UooO.exe

Filesize
110KB

MD5
f8727cbff6b67d9e28e1a7311b0f8f1b

SHA1
2c98472cac7ceabbbee4d8bd6217d4217870c96b

SHA256
1fd04ac1deae1ff52eef7b6a77c370beaa94da6ca66878063c4565cabb0f20d1

SHA512
730048306c86bf3bb3493e1e4ef7dab545ef33cc6f78b2dd2eb7e2a3b6e3777c989b37c7d534bc403f98deaea410fa28e7466ea62192ac74f0cfa53bd2845f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UowU.exe

Filesize
110KB

MD5
01e5863a0666d5ccc1aee01cd3d9ca64

SHA1
0bf6f90db3f8513dcef71cd29990a15879edaeee

SHA256
fa3e35736272491df153b786d8c321b62aa55d92bcc2563ae28fdf74031cc5dd

SHA512
a8096820022d95eb5972542478b8ffdf7c9691ba869f975190bbc48e0cefa4cce04f72fcf0881da4d5e4232ecee11a50b029310353f93e62692dfc9479fd1bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIIy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsUC.exe

Filesize
110KB

MD5
c92af3e9f8c1cba846d2164d243f8aee

SHA1
e818672653fd3b913abd334c268273dd63f87a12

SHA256
b63d0a22f833173cd1d9087bab7c03e92452d4218422015c5ef90e3d57077d1c

SHA512
ec167918dac070363c79a7a3b014b4a0409ffda8f4cc18fffb4e154088a4b57434e406cf82c65d3e1fb7577f12f3c7373aae87fcf5f22fb7a503a0fa0accb161

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogW.exe

Filesize
349KB

MD5
9901eb4da24faa3309c2fcbb086b9a22

SHA1
d9b24b682fbebcab1acc09ff3fd21b0ff20ad78f

SHA256
3df38caffc05875f7ff311e2c4676d4aa705f0625dc169301440e423747ad46b

SHA512
7a2892dbd4b253a7465e3d79de17356d443d51a6be6d8c9240372f2343c25f437e58d207fa7dea2bf9166d168d38fa1dc7d631e69dee098d25781e33c27d00a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAMO.exe

Filesize
112KB

MD5
da32cafe6f85ac1506725298ebc6d7bb

SHA1
0cafed5ca9ce7539b7a27e6b7ca29ed51efd9d2d

SHA256
83c9d0de1a4329193d4182e5bab3be4659286f3e360a3617ba993bfdeb8740eb

SHA512
2eb158412c240f34bd28626975601cbf0c13d74f4a102953fdb12acadcd891c29b965167e25eb948985dff8c56fd58e1b6969911f9746fc27e01bae94b8b7ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsAU.exe

Filesize
111KB

MD5
162d6178d7f719bc401aed5ba4a4dfed

SHA1
5822653cdbafce32535d9686b613234619d27fb2

SHA256
cf6a0dc95034ba4a7919ee4f71bd6c4fb945945ec2972bb6be598e9cd0cb460e

SHA512
df1d59a853052130b6e5f9ccb9d8cd29deea9cd6188607560f50b008b2f525698fc8543d0182d8e39d39c824e8cd9c501e33ed8214316f2a70ecac55742430e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAAg.exe

Filesize
114KB

MD5
902509fa376c1cd86ed336168a5f5b14

SHA1
6af5711323131aaecebe54fde9c6a89ee0320253

SHA256
044709b0ed7f957bceda77d777035738c01fdda13dadbaaf0283d66d5d280f8a

SHA512
4389e2db318700bc7df38801a1daa26352f402bf250985d87fb7f6cba5999fffbdbf213f6a073c9e5ad09ebba6d396f2e3c37f9db705c00c0aac75797fe5ff5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsw.exe

Filesize
113KB

MD5
d099710e35b82f9039019fff9074afdc

SHA1
b23ada9ba6254a1ab2ffe8fe4f77680f601457d7

SHA256
acc40aaee2dd875d4eb52fd529c399710077d05e19190978315155cbaaa8489b

SHA512
30ccb29f02a17ccc6f7a26bfc38c21ef288f7e93c28c13654d5cbddb0bdd7513fac959090d94896e43fa27814c700db00789b5ebb387b68f7be055eba3df6ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUAy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEgm.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zowc.exe

Filesize
154KB

MD5
13bf7c373e306ad277e97aa88db7d070

SHA1
5025d4ac758c4c4fa5ce1d0495d1be3a385c4ee8

SHA256
5e170d1300d6b1f755ea04d639a526911ec4962dd93916231f3b7333ca1b62cf

SHA512
00b9bd1ffb6101fc7739263f76e6ba1583ca0007001bc6c3d7c93359fbdd832a7494d9965ebadcd49b2771a8f3d537adafe0726480e152722d3a4d3610e1c20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEwQ.exe

Filesize
720KB

MD5
ee87ae186370634cd1a2df2e8a0c2712

SHA1
bd94079657a1c7d54b740f1c96808a2ed7bcfc3c

SHA256
e3e2893a6220e537a05900dd460f3a0bc77bf7bdd4434f61fd4853ab600589fd

SHA512
9a58ceaa5de6ecefe280d9ac44a7f475f373988c3c2f21a5f555d60f7302bcc180243bd888b1e1662278b28e78d85bf7108c39233cd5ffb414db6ce1a193aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMgI.exe

Filesize
554KB

MD5
d1d4ef6bf4885011606d99db83bac6c2

SHA1
52bf8a76dbe34b3b0a3f0bb2219af5cf8b8211ce

SHA256
b8a37cc78e73e04457cfbed0eb2d9368dbd829a4397ae2b36e1728d0ec7fc8d1

SHA512
ca7ad1d7cb8305c0441bc357f3babdc14456101900580df9cd464741791237e4655897f151342f7dddb6709b9b5302664b38ab426a8c4c6ffd19623ebe3d928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUMA.exe

Filesize
116KB

MD5
79b1d4534f8584e610dfed774d5e7098

SHA1
12a4e1014b732cfbc81315ec4c58059c562da078

SHA256
80e8b23f72e1621a4f6bfdaedc65715b97cf45a2e72ffb00a76b741a77527ba7

SHA512
7f0e00d90d3ce5b327874580310b4673cbe1c2b7845191acf592aeaec03d10f91547c356871d0877f412de836db05c82250f8d40dc53d2606ad4cb7f3fcbc712

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIW.exe

Filesize
114KB

MD5
88ef315bc53ecb6270c9cfa4a3902133

SHA1
1ec8a1d6aad972376156fffbb1002b3aba08d775

SHA256
e8ad650491aad5b8a917113a4608988d0c2c96bb7aba06972f96be72b023c84a

SHA512
0a04ffc7a0d1873084c255100cb64ae1eb37c495c68a98ac0ebcb490f385eb303e6b5451c2aa0d44619c9a25e9e9aafeb9f53fcb7a2f4ef9b9e06b9cb4679217

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsgK.exe

Filesize
565KB

MD5
8905ede6b6b64bf3e098802b33da2d10

SHA1
43b2d3c12536e6b206e0972ea1ae4b69b587e3c7

SHA256
04131a8bb4d62bd8d45acb80a64f0f00d90be32764bbfa576ee2c89a5f66772e

SHA512
779f28a7bc312e8c99b3822d11c36a6b1e1351293f1a31877e18537da5e4505b27fe470a1cb7e555ac40fe955c2e1fd16e1c2c6eef4193f3de58e5c3a9d08bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwUW.exe

Filesize
237KB

MD5
c041c000f1eaf918ef30ab0e83858bc0

SHA1
4866cb9c7411a3b81651105c25c1d6720fb054f3

SHA256
fa8e67524dbae4fa1779549b5b4e7dcabb6f5ef0c8c6f291bb1a907fe8ef36d6

SHA512
8220d071698225283020361498cc9ebbadae247b796e0be011d6c261afb1a6834cae960d53fe822c2a687407b6bc6ef467a2787142ce4b6e52347786fa00b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEwY.exe

Filesize
564KB

MD5
2696c56f952fb41a93dac200f69e6de6

SHA1
ab9688212eefb67e823c1df322f58db5e0f610f1

SHA256
f287363ee900ec28563f8c98c80548f414d1285136706477479ff7570d518a9f

SHA512
8614b39f8aa0f8e02138b5cea4076c04cca8394754c5092372058d0e8d3272496056cc33d9a71b47ccfb32be7aeca690978cdf837b823a5f733221f61b08538f

Download Submit
C:\Users\Admin\AppData\Local\Temp\doYS.exe

Filesize
302KB

MD5
cf72f8e10ee1111b38147e773c6e1ec5

SHA1
1056e697ba944cc8069448254e5cf3cdc27710cb

SHA256
3dae9888561e8ede075f7abeda1bdc430a841f4028b6f2538a719b55b0e20499

SHA512
9e130ea9b3f4afe3d5601fab018e5ebd0cd582413ba6458639394a0602cf099885b070abb91cca979431261765d76069f6e5dbe26a52687c8069b9ef2b9c7832

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecQc.exe

Filesize
565KB

MD5
917c891ecd35411fec89c1eeabf34173

SHA1
7c11c17ed9b89c06d4a1c0dd4393103b3049e4d5

SHA256
0d9ef49e381be849636d609fc9ead3e40e9d37ff5064803a539f3b37ef894182

SHA512
e9d417d06fc9208c083e9c06bb34e1540ffa77ef918fd3375cadc25b7499c5d5f823c212044e97949d58ef73c5b924778292521705acfe62d540e82886f344aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsk.exe

Filesize
721KB

MD5
d5dff296749ba9d676f6fdee016eeb82

SHA1
c97041f424f9520bafc9e4d8487cfad9a4c7f615

SHA256
6ae7b3c1a713204f0d5b07865231be3d61dabee23dd18bdb0bbbb3ca781309df

SHA512
f81eb7bc81c85afef31bbab4d15acfb85a6daf335cb73c108cdcc907f05826c075be0308940e03e12bd30afbd856ab8d436c7664f22d1ab70c9e3d5ea376bf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkEq.exe

Filesize
112KB

MD5
18f706e22102c9adfc5044acbb1a7652

SHA1
634556b61800dd70b9778f995dd5275f5a76ce41

SHA256
122e55040730529062ab90d60e7defdf7f5203bdd725d34b98b059f39ec3b16e

SHA512
6daff323fe12296fdde31bcab3220d769b9a117fe762738ff58ce93143f3f369c44221ea26626f427bb0ba6e1397b70c6ec5d3e11fc82e515b32825ce7500836

Download Submit
C:\Users\Admin\AppData\Local\Temp\foIe.exe

Filesize
113KB

MD5
7ef6339753d1907b4278183b3f209924

SHA1
79663e94e90476c26c156b7122253f20d6137e47

SHA256
d2f6da4bd35cf23e1bf81aa1513e217055fded93d47bc5849e038d4b11fd55c1

SHA512
03fc2854f3b331eff232da6b11f4509aa837b73825a501f7acccc61996db0d50ac28a3444411b2e90c850c06519b9d84709795b59084f253983a629b19566a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsIg.exe

Filesize
1.1MB

MD5
4df11d714661525efc17c82ca7634ced

SHA1
ccc90046dc7a9f74d5715dad0dd15e07009cd782

SHA256
0c4d7016fc077e0f9f3a83c979d1dfe7e53536f8cf7fbca171bd229b3280e037

SHA512
f5d19d224dbbac2322b3a89fac62ed630e9bd4ec65b12f08fd7bfcb11f3f393899347d2b6e5a1dd91db60feab7c1b422cd9d1ed233a5496de7b70b62a9945126

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcy.exe

Filesize
239KB

MD5
e6ce91cbeb53ad863a0e72169dae6554

SHA1
e4439c2fb9533249c934dc538b3ef90a6e35ff9c

SHA256
18a1da65dbe9ec9d25008211e863511c6f9af7baa42e58cef607c41aff21d97c

SHA512
fddc867985f9cf084d46524f564a7b1f2175c9b109daa35d17b9b9d2614e26d857ac58eb9e753f5b3ef7ae6572640711177c5b753b00ea985242208488a90028

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssy.exe

Filesize
110KB

MD5
3793f9425c78ed9a33ff3792334092d4

SHA1
5a154a0fd3ea51e73880c456f13a31e2109a73f2

SHA256
245e539a1bade21d8f34aa84192eb9b785840e413a53a645feadc8db62fe88d2

SHA512
19e171738eac03f95642f002298a01da99705c6f36949b1f2ec81263ffe93b4c0fbb47f77f00c06b2f7e66a406c51344faacbb9d64a79fe71261e275dad174bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYu.exe

Filesize
116KB

MD5
493a05deb6a4812d63f9fcb9f0b0fb1f

SHA1
db321871b54b322af4fbbf398f246a85df88dc74

SHA256
c1087380cb0b14f3946386d527eb56513afb352c4114883e2aeffc563143b435

SHA512
b2accfbd50a1b9c8c6eb1b1ee1d593d6fe9fb9f789f4030cb1260b86421200223288cdd54407e94275c729a59c5f4d5a247f2d7956e6bf166f126adc41e40048

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUUk.exe

Filesize
115KB

MD5
d9c88e12ba306b77d633c988e7fb74f3

SHA1
d5292e6064729c1085091cec8c8378b80396fc0e

SHA256
550234d4e159a3a6e39e3f7bd5af8954e52809606d6b9b8e88526ead24b7aa4b

SHA512
c4487032ce7c25d176ac308d1f54938c15afb5be0a2437eef53730f5d71d7864a2d83b415dc0852562342f8fbba8800984e8b7c8db85f42fbf4cc11573fc57b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcUw.exe

Filesize
140KB

MD5
8d9b33cba4310b60b8a16e1f16191e2e

SHA1
b4e2ce686e1a8736f3064a0d1a2415d049e20541

SHA256
67175a036273502d5add5d2d71944cedd397512ef14abc64d8aae5bbdbee1574

SHA512
f1b78e3b734fd6c6161bc3f33b7859721e7c2c28b57f0e75ff4d96fb1fa1809907bc69cc724fa23f96b31209e073d92d44d230240a00b31b0c17d8382a43f40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwUQ.exe

Filesize
697KB

MD5
3d92c87684395fa5a50fa062e5b59b89

SHA1
bc12ce0ae77ee832e68c15bbe1861d107ebc0952

SHA256
9d73bd1e4f2ab19d397f406089b88cb31d5b9088ddcf651b2d74a6feee846f84

SHA512
10e054bb4c8d1c24636d8d8ed1d45b4f57077c8b64c6f61fb1692074b8492254ed95d864260c3c8f547e6edf8fcedf3a23b3ca5b59895e86b415293cf2ddaaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMwk.exe

Filesize
127KB

MD5
8f1f407a95fa2bc5ec801920d04817ea

SHA1
70f4aa90a5d3299bc4fde045021f30bbcd2a3be2

SHA256
a43ca22e0ba280c2f9717adbf2af91d88621e88548dc32baf4d3a14e5dc9c1ff

SHA512
6c6ab9a7c124c75c6ac62bd1e6f062262f65f4b5fda3ace0d5976fa15ccf1951d1aee7dc78aac8daf66e51bb3df7214a300ab6615027cf3aeceae2335c4698fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgQs.exe

Filesize
745KB

MD5
765546f44aafba3c8b709199fe96f942

SHA1
7ae21323b0632a47b4269469159419b72558198f

SHA256
829fb376d731932d18f7f8613ed9273812d886d6ea9de1c1054bbd0af3d290b2

SHA512
abe2184ab7e5c0497ecb46c489f2460b2360dc727197b27bbde23198a2221fec03dcfb595add835da7dbb97e527afa61c460529fe0a539ca4dfa3c81af373e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwE.exe

Filesize
118KB

MD5
70414b600bbe7e1f57efd3a7442b8c47

SHA1
f4a2c09de3b53651169fdf9f936dbd896ff5b997

SHA256
04ef080cd2d5facf8891419e19cf62a9509b6e91853ab879706226440e747db6

SHA512
94a2eb35527cb44ad3c558a9dadb0765c7c1ebbbe077cc11244ef0ad86272edceb553bfde1cc55f1ba42fcfc60d0b54794dfe3cdac8d911c90a7406ea2207019

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEAu.exe

Filesize
118KB

MD5
bc97f0c3c674a6207c0401fb250ad6c2

SHA1
e3c65708612ccfd72437dea57dd1a37d3cc41729

SHA256
a239802d4a139df81c7142065627821249db17e80770ab5e1d5bb88ac1b2cf4b

SHA512
1dc2a0262e11ec537cc47b5043c938b69771f76e54d8f7c8cb065be1295c7470f173ecdf221d88a4d85d257ec5e50baaa8e13fbad17a263b38f350e372e9a4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUYY.exe

Filesize
116KB

MD5
6181795d5ad855ecdbac1aa5525a8452

SHA1
707307b48054e3128da165c43ae72eb709368447

SHA256
5eef48c3814463d1476cff328ca7b5530272d51834e50df7e191a1c6dc588686

SHA512
6fe660474670c125d29012156f715f5d0b4d3afaa6ca86b3f19cc9f45d87fe239048a15cab9aaa950c85c43165caa59f84b71908d887857b3f7c61031699ac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUgg.exe

Filesize
110KB

MD5
3b3d8e303487b9d65cf1c54cddfbb2c4

SHA1
ec2df30a06b1ef0488541059cb8ead3233723fe8

SHA256
d9963ce02cdd906268383810200faabfae4adc3c28545ac04b6a167d98de9d8a

SHA512
ab51a5f7bf6c75c89e0528b69ac79ac6c8ec6492b29e884f7d18d9233de2cc1d512f79eac651e7bfe8b92b5a57427540513044697937f31cb263b723bd31c105

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkAe.exe

Filesize
115KB

MD5
ce056470a688621d9c24595d77c42d95

SHA1
e2b3a0504de717ded1f78acdd2dbaaff90790285

SHA256
2d85fa219473ffdc81f3082ae3b02ebc6266ce9f9418dcdb6975195579e6e865

SHA512
650841fc26af9eb4cfe276433928ac969293ddde5515a4e87cbfa266674aca166800804b5ef81d51eb77c08c46667f63328d39d87c94e78d4281c882cba090f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkoE.exe

Filesize
139KB

MD5
ac00bec36435b454986a4961496e9528

SHA1
f991c369471b10b2c73220894449c6585c632a2f

SHA256
ea7b798e8120d7dfa880056e6552ba855ac507837d0b92a69dafbe543a274f84

SHA512
d3f708088127a6400a0c3ed3a507bac945d2950bf39f914e5dc696cf84d971dba2ef727aafd79f9a136fa5b9bfccea981623c5619275dad06f351c22a11055f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsY.exe

Filesize
237KB

MD5
b8967ebb28b54a01c449e0f658b868af

SHA1
3ccb1460a900fa9d6680ae3e2427359720310550

SHA256
ecf3009d8916339366ce40e479d62ecbde2f54ecde790a546e052207fbe51f3f

SHA512
77878827079271c828111190fdd954b1121244c81686152881ed0b55b954d6a95992507ffb6d9fa376ebae84d57fb2b9327b0ea46fc5b303c1adb5bf4f38befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwW.exe

Filesize
115KB

MD5
457afd4febbf4085a1c61c7884ed7325

SHA1
2a83d9fb2fd82c1e740d5c5f7d09411b56850af5

SHA256
a3158166cb3ccee366d59460961d32aeebd60c509b1333c584f61f35000af15b

SHA512
1f4acadb172340db7933dc9e0b884f0b31374681cd9bf5b47c39a1b78708add98e277ce3466a9e3a5db55bb619f46854bb4bd196ec930934d1bc1a10cfba139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAO.exe

Filesize
114KB

MD5
bf1f3c146cdead980cd6d820f9f41993

SHA1
a693b7a4f5b0a0e9fe2b08a5a995a4e4c38c51ca

SHA256
a6396a6d1ef18071ffa7fb0bb623e8b3f412c5dcfb85274b3bb2d5102ab67e27

SHA512
884dfec1dba68fedc2ef5a2c011a34ff112d8f86f1cee5f5f530aaeb1fa27659cfb2a148f2e768ed11dfc9d119045b2e3749580b17ae47e0043cf31d1610aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwAy.exe

Filesize
651KB

MD5
4916312fa3b644b725de174803d5af21

SHA1
52a99f0b3f0c31a5c54a88495e44081090132686

SHA256
1ab1a22da644330155a26f9a06c13c9fb9179015dcdaad4b1526ab61a1804077

SHA512
110f0f8b08bc0bb5e1c56267eafec35e330ce85c22ad1d717500e8fceed5d641c0aca8b91722ae22454dfadadb29f41fdcab10c4c4d77e038dd404930e25b40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQM.exe

Filesize
150KB

MD5
52101e0df36d31afac6fcab89e8e6e9c

SHA1
b9278289dcb47f30dbfc19d10f26621feaae65a0

SHA256
ed9bbeed94212281f4cf162cdbc964a6bbe0202eb904c6383b3a7c34f8e9e26a

SHA512
eb4c36da160b4e42c25491b351c99b66ab3351297e74d6a6748ce58d5a44d54de43b3639be6a0051674eca87fe8aaf4aa70fca05e138ff3298e321901d509e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwYA.exe

Filesize
113KB

MD5
ee061cc5e35cbc8469b502eae8fb0fbb

SHA1
1376a97b2a44dab694aed6940adee2387afd4de5

SHA256
7788bb2b066784c45217c985ce51c9d5b92d8b6d623b38f4fd25622fc01f879f

SHA512
81a52e7ed0e4102beb8e45f931c612a8f14ad631d74372183315f01b63cf965a5a47e5fbc9ad18e85e4a518ce60e9d0274c87cfc13e0ae2c46238471faac7816

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEkW.exe

Filesize
111KB

MD5
99668471769072d2e3f6aee2fb9ae32d

SHA1
8a12acc48d705b74db5b39427bda6160ba3261e9

SHA256
19402b30b859f24f28776e2dbf8240577aed6457ea907ae82285396a22c436ca

SHA512
28bd4eb5e05ef396bfd2a1a3f926aeec8bf29297faeab31e718a8fc40602aec6e161f6624a8ebd55ef23aba8bb73c7499073538745a43f571dffdeb0c1c29ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIwe.exe

Filesize
117KB

MD5
c81e206588b80a6eac6c7d98aabb0136

SHA1
bce283411e652ff3644eb8a5474b3dcd05985d57

SHA256
e65afddab5993f80de4ed6443fee33de7eea0f962f4266f3a5f4ee9191ee3cbe

SHA512
8373b620ca71f6354e438f39bc43afa445531b14f86031156d9cb3497938c20c84002d2c55fa7ac9a7a46e16b09704492e658aee584bfe7d2f7bcaeaea5c978d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUou.exe

Filesize
113KB

MD5
e43882ab6f59707f9f350f6390d11d93

SHA1
f7870f619309df7971d799331e2ab3e81e768c05

SHA256
ab146174e37fee4e3a24511fedad7fc9ce8ac1add71c6b728fe6e66ecdd324e2

SHA512
37160fbc40c817d98fe5b7314c7cd1262ff5793d4e57a2732163ffe6571f76375591f9630c0bb72708b0f9dcf293fdd62e035731eac36601e8e616530cfd67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQc.exe

Filesize
5.8MB

MD5
f8f52673086db2dec202eb3b086a6471

SHA1
b81ffc8165020af20a4ec131a4845b985026d91f

SHA256
22b56594c6aecf4b7bb5ed4b9b5831838cd7939d49c8bbd249fd308b4b413aea

SHA512
3b2369a517ee2fd68c4d15d778efdc88bb83ba7a36cf71b7c380f80883389e89ea61e61bc8655d58c9b0682dd6e741aeb195548dfe196cf3093f5d329f47d2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYsE.exe

Filesize
1.6MB

MD5
ab31176fc218342c79f6d6c89544a58a

SHA1
946b50d62307ab37a95c245be29f655fddd68088

SHA256
3ee73e47cbde70c9aa06b77dd08fb620bc93d78a1d38a9379faa28dc9baea6d5

SHA512
d11c66b44d288f9d1efac0dcf4064abd2e87843bd1fd17cd2ada6d9714dec7177942eea564d41d49699161efc21a05aee300dfe962897d6c721d49f8e08430c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMQs.exe

Filesize
120KB

MD5
52cd38a2e3a7faf7839207e84e30bdc5

SHA1
b43c09e81b27d38017cdcaa26b8eaebe3a929004

SHA256
eddb1e773d6a9cd5816d52959dfbecfa4d45a1e9a1f8cc4122ebf1c5e7c20e7f

SHA512
fda5c4437bbe0cc3d121580b77ae3b5a7f7af9be18b25ef1dc04c0cd1584cac4efd685984e0ea21cb4fd071f2b50aa2fbbd748b59745dfbc13e689555ec03fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukoa.exe

Filesize
151KB

MD5
ed99f82cfb95467fb0746f617e172e10

SHA1
ad4b070a748c0e111b5d4c5acb437fd804f9b1ba

SHA256
c31afb490ba2db50ea073137af91ce1b237026b02ec7d2c7260673c8a900bb62

SHA512
825bd0a819725ff49af8a86aea0895c364a812219b4dc9b1ae81db9e7a5d4d0cdf328340af12cd6ea6e7dffd6fc8ace28de8989e644e74b82df7c5d38379423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIgK.exe

Filesize
116KB

MD5
dedc73a4810bad663f71b1a46947f8b3

SHA1
7b0b2d7495ab3bdc563c796c6f14ad55dac2909c

SHA256
9cf0be229b158291445fde6c5e80de2708d783852b41beb878672f5b65955545

SHA512
7f19a39cedf0ab6a05d597b7c0da1e7728603c0ac44b4e4bfe3f0ae688ff33aa27bbbdf4439efed13bea43ad93df08d1f2dd4fde0ebfd8354ead818b229da977

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYkm.exe

Filesize
827KB

MD5
94af98a93f2e0d8641bc198dad297a28

SHA1
b4d6da486a4e02a03dc77249e6f6cfaa0868c33c

SHA256
7420c4ce0020f97a65b3455eea672138ca2d521a8c8970ffc9bbef8e2d6e201d

SHA512
1c1598f3089ae8c9c0806dee2ed5d3efd1362d5cdb9420ea7b617c24708157bc3a6035cfccb66ace9c0127f8a7c0974d7e5cc55df9f95e44765758b640389410

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkog.exe

Filesize
110KB

MD5
ec9468577a40c83b9514bd01687cc122

SHA1
1068b03ce84244707014abd7bccb70919fc42470

SHA256
9575fcd4f7dba64333e5bf601ebe2e31d91f64c57d0879ed2a21deba6472d2b5

SHA512
b4c06c59d0772298d9c30ab1527b0b03016dc4b7abe60644415b7d16eaab40c52c96ad74ba2e307b60dcb7a670fdb8fbe61da5a51e94acf9131b5b3462e41aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wowy.exe

Filesize
115KB

MD5
a8407bd26c019f1c1127b1b6278525d3

SHA1
11e93cddee08842ac131cd7775758bdf2c3b7a1b

SHA256
090651963b243cbc4eb12d23ad677664fe711a64bfec31bab243a7e3881f0019

SHA512
ec19d75251a1053791be3ae19ae6b9a30ed002df71b4688b67a11cec7706d0cef76da6cdcd7e84c7e140f97ef6db3e2b75da5bcc1a735f7755f027c0e79a6bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xswe.exe

Filesize
116KB

MD5
dfbcca24c2b954f42870b21e3b42861f

SHA1
b063a54f2fa50a36f24d18c2f866be0acef8ecb4

SHA256
09a6d6348e8ddcb4245fe81ad890b578d65b88f539a8d8c57d30065b2e84267c

SHA512
0fe8bdb9fd019e2a6232f27b73929d42f532c2c9c71be905577a4c8bc3731d63cf46033a15caefff15ea4ab52524ec989651c103a8f71ff7dc996516412b39d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yywswUEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zccI.exe

Filesize
112KB

MD5
e76a58319a74618514350bdc280cea9b

SHA1
0b7482a345fe2a02f1f03effdeb2c9247fd8e957

SHA256
4bc61512c4cd37327fc926ba1f6eff890391598205cf6437cdb297177cfe6940

SHA512
55f446f32ae0d6a9232eb9fb0d576e7836b56678a58cc39ade3caf607164921208207814890219dd122e15d13f5cd57c4854bdf5867a33c258aa0f11102c8c7d

Download Submit
C:\Users\Admin\AppData\Roaming\RenameSet.mp3.exe

Filesize
775KB

MD5
24bd8f262ddeb5655790e7ad427e1d3b

SHA1
4d8cb19a5230cbfb12fab2c8d9560f85a9870e3d

SHA256
6b5a6d031f6f24c9fd5f297a7ac6d839444bf49923275f1300f28c0ff23cdbb0

SHA512
36cf4791d8ecd7478d9b39a83251274ad769572f3bdd8f21dbff1602a4c1664eec75eed93f4161d81910b1c5d94732f189a0bf5bc73c0954bb1c4939fa456026

Download Submit
C:\Users\Admin\Documents\FormatDismount.pdf.exe

Filesize
593KB

MD5
7ed22af89dbdde823b52ad52485fa2cd

SHA1
752367ddc964c388a125894ae0aa61ea42b294a0

SHA256
ff7bff5ecabeff908cfb268d6f9bca7d59ed877024b230cdf15a970fc0ee1316

SHA512
6a5a778e273cea187cd737afe12f645eb3d207fca279ab6577605b98cf83298df2e8c333d2d211efc805beaa6fc3290ef1597c5cc243c3c3edf9762b90d5977e

Download Submit
C:\Users\Admin\Documents\ReceiveOptimize.xls.exe

Filesize
476KB

MD5
962630fc84c53db38b882d1cdcae0ac8

SHA1
bd08ede5633071222196c92ab82e972b3089930c

SHA256
b3a294b017ac4c350159aa4a32f8c3ab789a98b0006dd90e97bc477877b2de42

SHA512
c64e3fd29174cac8ee83c5c1f4f64f72bfca863f01c9caf64efa905fdd4b5dbe479fb772b5d4481962429c981634bf24e20b6c31b3415490a79d3d0d3c6b517b

Download Submit
C:\Users\Admin\Documents\ResizeLock.ppt.exe

Filesize
384KB

MD5
082ef3a97eb82f7e1d7738b8e7e1aff8

SHA1
6a4a353483395e9cea51af4a5f459e01b46163ce

SHA256
01a9d4d61329aa5bff774b580623471dab05fc880c64468d7be8e07912c52340

SHA512
d6eb067ddbb8528442feb14759c0e81c9a3e3bb906c1a2a210a9ba6b760e9008e55fedbf2ec7b0e9ccc5b78830f24b82e9b6eb04602ac26fc0e027a604924888

Download Submit
C:\Users\Admin\Documents\ResolveRename.xls.exe

Filesize
332KB

MD5
256941f0dfc977eddce736136bd99424

SHA1
bb632077d78e11ec099e849b359a953199bfc1e7

SHA256
af11416cd24321bf6c8724beae6de5b82c56a944962e010611633bc4aefcfdc9

SHA512
9a839d7a78f2fd7afb72a25ad06838d8f4c4e7329365ed4a0e1c9e8087676b8a7c6a3adbad65e93fd1ecf37bfa4e27f008c563dff95c224fe43264f58ec5d86d

Download Submit
C:\Users\Admin\Music\ImportRestart.png.exe

Filesize
987KB

MD5
ddb8b529ea7ff6021ecc27df8353ed1d

SHA1
21f28389da38542392243def3b78cf63c37613e1

SHA256
be54a83525a5958dcd34e14f6d0a5f729ae206819110e111f835f4b8bfa1f626

SHA512
e05cec8a81fd90738fbe639250248b2150927ea698afaa2bf7fffa4617135889fe55479394d258eac234cbe45338bf0f2ca7f25be9c94183509167f8436264a5

Download Submit
C:\Users\Admin\Pictures\EditRename.png.exe

Filesize
398KB

MD5
c2d49ba14d6e88f975c4d34d9bf65590

SHA1
b44168ebb456cbbb25a54f6beaa7c064fe3f02fc

SHA256
ccd715bfbacab04b4509c6d52cbb5b909e7e0d7accae959539025f250a9b04f0

SHA512
d7f618581c3456a9c0587a0f32dcfe48bbaad8e00468bed526d1b39bbc1bfc6c96b2f33148ab5e0ce0f65c39e8f0fd67a9a6f4eaa34c899254f5e54ed07ca5d6

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
135KB

MD5
707f86739c1e9bc800ba2ff6e0ae5805

SHA1
ede7b5cabff557a46658c19fa32265189ec518a4

SHA256
7dcc952963eae15865ab0b3960a6792759c3fbefe5a7cb22a05ff7e81ecb924b

SHA512
26da84763b0980188c9fe7bc749f65608f9cbb97a81b961aabd62f8773c663b9bfbd78623a7432675a1e38d0be6faf6718a33ba76d132061f181e52d80b64bcd

Download Submit
C:\Users\Admin\Pictures\PingPublish.png.exe

Filesize
662KB

MD5
00449e014b7301d191f02189017b564b

SHA1
a02d2d4b5de5a644b2592c305ca9a3527c13f74b

SHA256
c6123a35ad8811f2ce032dbde4cd53f3f005db477f903684ffc24bf1fdf4b9db

SHA512
d33acd10382c4b2fa7ca42d4b8bd4a9e12d94875509ecae8199b339dbe1127502b7f2edaac9c35344b70d12c87acfe948255bdc1fd5741a9cd05b0b4312cb968

Download Submit
C:\Users\Admin\Pictures\RenameAdd.jpg.exe

Filesize
897KB

MD5
2ab848cd528509eced1032af5a8c84a1

SHA1
99a0ab9ba0f60d4f4504e2151038597aeb9c87ad

SHA256
f65de4f6b255dc7ae65bd258589d3787b86bf6e64f21e7f7c6580c54d837e73e

SHA512
1058f1dd423a7d523e697a45d5587260b0db8935c950641d9e27ce7b22b97520a96c35f1a8c1a12cfbd05154eea05419ff371db5a811a3cc58e2db079ab8ab57

Download Submit
C:\Users\Admin\WCgUMkso\lAQkYcQI.exe

Filesize
113KB

MD5
eb64117f9aba2ec31fdc2a40de533059

SHA1
e4113f3363e7dde523260f07fe8e3ad51acf9ffe

SHA256
d697b4e8ecf80b5bb708d09fa24d719b5bcae99eddb420160e65df806848dd74

SHA512
3d622b2ebd8e61631090732259d60ac69c92cdf1cd0a0317ba49418ad57c8c7e1dfa1445bc5e1679d62fbc064902ac3e59291376fe22b0df8e8d9016d9ef9760

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
c7baf9298f3baa5cf6baa1d1bc263102

SHA1
b63f1546936e4b3d685ceb79b725133ca9ca07a1

SHA256
b163f423bac8372f6f8449926097827443969d3a6fed74e0c4fa73919ddfdb54

SHA512
0e0af97e177200da7da17f7b053c05e9812ab172564cc5667d1b5132d853d758ae6a746d900ee4093d434e66e62f24ae79bd977925702180de2de3c4226ef1f8

Download Submit
memory/236-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/248-910-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/248-860-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/412-447-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/416-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/488-390-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/700-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/760-2172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/760-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1104-988-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1268-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1268-2173-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1284-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-415-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-407-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-1336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-1116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-439-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-365-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-373-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2136-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-431-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-1259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-398-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-846-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-795-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2616-347-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-1181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-1117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-423-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3188-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3288-364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3432-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3520-1038-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3588-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3848-486-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4084-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-382-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-374-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-651-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4272-455-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4288-729-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4412-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-406-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4504-785-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4504-730-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4508-487-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4508-523-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4512-587-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4576-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4576-356-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4840-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4840-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download