7ec93c685703a178128b2e71e303b5de2a895e37736284510667146fa7ceb3d0

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Size

206KB
MD5

6987d2f5262ac57d7c87b0eda881bdbd
SHA1

ee90f31a1c4c2a0e57dc768e80459affa1911cc6
SHA256

7ec93c685703a178128b2e71e303b5de2a895e37736284510667146fa7ceb3d0
SHA512

5f69baa07e7b4166bff3228c6325fd7c58c75df3dc7797bf5e2531f927a079089ae5f86920c2750c694aefb3ddffcd16d46fd8d360ea32c090c4d8de1333f61a
SSDEEP

3072:OCKmfuor9dLB7WcAk6XHqPnAUGpjG+cyDFWmx9WjRDKLsJYuuuuuuuuuuuuuuuup:8K9dLfNSHq/7GhBfUGEun9D

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ZkYQcwwM.exe

Executes dropped EXE 2 IoCs

pid	Process
4156	GgkIMoog.exe
3148	ZkYQcwwM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZkYQcwwM.exe = "C:\\ProgramData\\OukMUYQQ\\ZkYQcwwM.exe"	ZkYQcwwM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GgkIMoog.exe = "C:\\Users\\Admin\\MMYYYcoI\\GgkIMoog.exe"	GgkIMoog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GgkIMoog.exe = "C:\\Users\\Admin\\MMYYYcoI\\GgkIMoog.exe"	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZkYQcwwM.exe = "C:\\ProgramData\\OukMUYQQ\\ZkYQcwwM.exe"	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	ZkYQcwwM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ZkYQcwwM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1632	reg.exe
3872	Process not Found
1384	Process not Found
1952	reg.exe
4836	reg.exe
4252	reg.exe
3804	reg.exe
1996	reg.exe
5084	reg.exe
608	reg.exe
2604	Process not Found
4424	reg.exe
1036	reg.exe
1684	Process not Found
2020	Process not Found
1880	Process not Found
4072	reg.exe
5068	reg.exe
1144	reg.exe
1572	reg.exe
4576	reg.exe
1760	reg.exe
3888	reg.exe
1360	reg.exe
2180	reg.exe
3132	reg.exe
4024	reg.exe
2472	reg.exe
2092	reg.exe
4704	reg.exe
5072	reg.exe
1632	reg.exe
2128	reg.exe
112	reg.exe
2312	reg.exe
1388	reg.exe
2540	reg.exe
4520	reg.exe
996	Process not Found
1136	reg.exe
2560	Process not Found
3704	Process not Found
5020	reg.exe
4464	reg.exe
2260	reg.exe
2232	reg.exe
1732	reg.exe
4132	reg.exe
4916	Process not Found
2864	reg.exe
3144	reg.exe
4136	reg.exe
3652	reg.exe
3444	reg.exe
868	reg.exe
2472	reg.exe
3820	reg.exe
1916	reg.exe
3004	reg.exe
4516	reg.exe
2352	reg.exe
4628	reg.exe
2664	Process not Found
5012	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4204	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4204	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4204	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4204	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4396	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4396	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4396	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4396	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
412	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
412	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
412	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
412	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
5068	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
5068	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
5068	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
5068	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4000	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4000	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4000	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4000	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3912	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3912	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3912	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3912	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4116	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4116	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4116	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4116	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2380	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2380	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2380	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
2380	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3512	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3512	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3512	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
3512	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1796	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1796	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1796	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1796	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1224	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1224	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1224	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
1224	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4588	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4588	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4588	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4588	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4516	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4516	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4516	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
4516	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	ZkYQcwwM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe
3148	ZkYQcwwM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4156	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	85
PID 1676 wrote to memory of 4156	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	85
PID 1676 wrote to memory of 4156	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	85
PID 1676 wrote to memory of 3148	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	86
PID 1676 wrote to memory of 3148	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	86
PID 1676 wrote to memory of 3148	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	86
PID 1676 wrote to memory of 4920	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	87
PID 1676 wrote to memory of 4920	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	87
PID 1676 wrote to memory of 4920	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	87
PID 1676 wrote to memory of 1172	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	89
PID 1676 wrote to memory of 1172	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	89
PID 1676 wrote to memory of 1172	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	89
PID 1676 wrote to memory of 628	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	90
PID 1676 wrote to memory of 628	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	90
PID 1676 wrote to memory of 628	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	90
PID 1676 wrote to memory of 3440	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	91
PID 1676 wrote to memory of 3440	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	91
PID 1676 wrote to memory of 3440	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	91
PID 1676 wrote to memory of 4140	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	92
PID 1676 wrote to memory of 4140	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	92
PID 1676 wrote to memory of 4140	1676	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	92
PID 4920 wrote to memory of 2056	4920	cmd.exe	93
PID 4920 wrote to memory of 2056	4920	cmd.exe	93
PID 4920 wrote to memory of 2056	4920	cmd.exe	93
PID 4140 wrote to memory of 1964	4140	cmd.exe	98
PID 4140 wrote to memory of 1964	4140	cmd.exe	98
PID 4140 wrote to memory of 1964	4140	cmd.exe	98
PID 2056 wrote to memory of 4640	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	101
PID 2056 wrote to memory of 4640	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	101
PID 2056 wrote to memory of 4640	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	101
PID 4640 wrote to memory of 2212	4640	cmd.exe	103
PID 4640 wrote to memory of 2212	4640	cmd.exe	103
PID 4640 wrote to memory of 2212	4640	cmd.exe	103
PID 2056 wrote to memory of 3060	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	104
PID 2056 wrote to memory of 3060	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	104
PID 2056 wrote to memory of 3060	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	104
PID 2056 wrote to memory of 3704	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	105
PID 2056 wrote to memory of 3704	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	105
PID 2056 wrote to memory of 3704	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	105
PID 2056 wrote to memory of 544	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	106
PID 2056 wrote to memory of 544	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	106
PID 2056 wrote to memory of 544	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	106
PID 2056 wrote to memory of 4028	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	107
PID 2056 wrote to memory of 4028	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	107
PID 2056 wrote to memory of 4028	2056	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	107
PID 4028 wrote to memory of 3908	4028	cmd.exe	112
PID 4028 wrote to memory of 3908	4028	cmd.exe	112
PID 4028 wrote to memory of 3908	4028	cmd.exe	112
PID 2212 wrote to memory of 2472	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	113
PID 2212 wrote to memory of 2472	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	113
PID 2212 wrote to memory of 2472	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	113
PID 2472 wrote to memory of 4204	2472	cmd.exe	115
PID 2472 wrote to memory of 4204	2472	cmd.exe	115
PID 2472 wrote to memory of 4204	2472	cmd.exe	115
PID 2212 wrote to memory of 5104	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	116
PID 2212 wrote to memory of 5104	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	116
PID 2212 wrote to memory of 5104	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	116
PID 2212 wrote to memory of 5012	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	117
PID 2212 wrote to memory of 5012	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	117
PID 2212 wrote to memory of 5012	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	117
PID 2212 wrote to memory of 4836	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	118
PID 2212 wrote to memory of 4836	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	118
PID 2212 wrote to memory of 4836	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	118
PID 2212 wrote to memory of 2332	2212	202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe	119

C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
"C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\MMYYYcoI\GgkIMoog.exe
  "C:\Users\Admin\MMYYYcoI\GgkIMoog.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4156
- C:\ProgramData\OukMUYQQ\ZkYQcwwM.exe
  "C:\ProgramData\OukMUYQQ\ZkYQcwwM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
    C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        8⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        10⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        12⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        14⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        16⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        18⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        20⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        22⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        24⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        26⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        28⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        30⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        32⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        33⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        34⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        35⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        36⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        37⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        38⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        39⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        40⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        41⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        42⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        43⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        44⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        45⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        46⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        47⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        48⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        49⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        50⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        51⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        52⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        54⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        55⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        56⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        57⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        58⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        59⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        60⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        61⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        62⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        63⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        64⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        65⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        66⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        67⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        68⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        69⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        70⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        71⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        73⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        74⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        75⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        76⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        77⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        78⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        79⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        80⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        81⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        82⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        83⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        84⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        85⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        86⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        87⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        88⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        89⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        90⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        91⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        92⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        93⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        94⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        95⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        96⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        97⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        98⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        99⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        100⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        101⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        103⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        104⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        105⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        106⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        107⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        108⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        109⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        110⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        111⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        112⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        113⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        114⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        115⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        116⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        117⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        118⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        119⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        120⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        121⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        122⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        123⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        124⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        126⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        127⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        128⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        129⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        130⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        131⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        132⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        133⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        134⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        136⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        137⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        138⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        139⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        141⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        142⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        143⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        144⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        145⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        146⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        147⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        148⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        149⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        150⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        151⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        152⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        153⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        154⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        155⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        156⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        157⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        158⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        159⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        160⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        161⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        162⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        163⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        164⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        165⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        166⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        167⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        168⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        169⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        170⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        171⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        172⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        173⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        174⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        175⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        176⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        177⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        178⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        179⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        180⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        181⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        182⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        184⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        186⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        187⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        190⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        191⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        192⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        193⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        195⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        196⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        197⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        199⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        200⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        202⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        203⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        204⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        205⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        206⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        207⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        208⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        209⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        210⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        211⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        212⤵
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        213⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        214⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        215⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        216⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        217⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        218⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        219⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        220⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        221⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        222⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        223⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        224⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        225⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        226⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        227⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        228⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        229⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        230⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        231⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        232⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        233⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        234⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        235⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        236⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        237⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        238⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        239⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        240⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        241⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        242⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        243⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        244⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        245⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        246⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        247⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        248⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        249⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        251⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        252⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        253⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        254⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        255⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        256⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        257⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        258⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        259⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        260⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock"
        262⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock
        263⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmwcUwMk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        260⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyIQIoUY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        258⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swYgEYwM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        256⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaMAkYoM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        254⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWsQAIog.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        252⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMMEsIU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        250⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsAUogcM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCAIIgEg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYEoQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        244⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgsgAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        242⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKUccMcA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        240⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKkkcUws.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        238⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEAcssgc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        236⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngEwAsEA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        234⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOgYQQUM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        232⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWMosgMo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        230⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msUcMgoA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        228⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWUUwMgc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        226⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwkkAUko.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        224⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIUcMcgg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        222⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwcYgMMc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        220⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYgoEIkI.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        218⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqgkcgcI.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        216⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwIYAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        214⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQYEMwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        212⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeQEQwMc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        210⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAwMMMEA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        208⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCwEEQQs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        206⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSwAYocs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUsIUowk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        202⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQAwcogU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        200⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyAQIYgY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        198⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LksscYAc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        196⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rowsgMQE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        194⤵
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiwkIMcM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        192⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGossAcs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        190⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmMogkgY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        188⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcUoUwcc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        186⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYoUEYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        184⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKAoskoA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        182⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaEokwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        180⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQEQQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        178⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaYYAIck.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        176⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deAskEME.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        174⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KikgQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        172⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYIgggAA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        170⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yekkwsoc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        168⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIgMsIQA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        166⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMgcAEQk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xwwgkwww.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqIwsMoY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        160⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgcAggU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        158⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSkEogcg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        156⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYAgMAwE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        154⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQwsssAE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        152⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcQkgEgM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        150⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doUkogoc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        148⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZekgggYM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        146⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgooscIo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        144⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyMcUEIE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        142⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwAwkUEg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        140⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAAIEcw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        138⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAsUYEQE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyQAAQck.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        134⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baQgAAsg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        132⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISsgAQIs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        130⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygUUUwkg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        128⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwEgwQkw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        126⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYwgwocE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        124⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEQowMkA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWkggkoo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        120⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyswAgoc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        118⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYgEUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOwgcwMk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        114⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEYQoEs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        112⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKYEIgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        110⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeQIQEcI.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        108⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIcAwcwk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        106⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoUwUkIY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        104⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqcgkocg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYMYIwkE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        100⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqAYUYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        98⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OogAYQMk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        96⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCgwUcss.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        94⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beosYQco.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        92⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQgsAIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        90⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laUAUYkw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        88⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fassEQYo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        86⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsccoIwU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        84⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMUgAoQk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        82⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKMAkcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        80⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUUgsoQM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        78⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKIYYIAM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        76⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUckgcgw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        74⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCYMUIcE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        72⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeowAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        70⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWocMwQM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        68⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eogokgEc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        66⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGIkkgUY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        64⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tScIYEwo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        62⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiocgAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        60⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUogYQU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        58⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQYAkkkM.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        56⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQYIIMA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        54⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsokcMUE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        52⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkkMEEs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        50⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAgIEsww.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        48⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEocEUAk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        46⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIkEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        44⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MokwQAwc.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        42⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmUUAQMs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        40⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYIoIwUs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        38⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkUcscEA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        36⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWsYkEEE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        34⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYocssEk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        32⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uesUcYUs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        30⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quoQcMsg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        28⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGgEwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        26⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSoUIcUg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        24⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqogsswY.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        22⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMQIosYw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        20⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEUEYQkk.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        18⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkgIsUwg.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        16⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viskAsYE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        14⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqogsgMs.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        12⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgEsAUcU.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWEYoYog.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3364
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xksoskkw.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
        6⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWoEMMEA.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkgMAEYE.bat" "C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1964

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5072

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
308KB

MD5
17c8423d42b26689686c42acd870ead7

SHA1
d7b8c34f82305ff6953598de39d08717131e1a3f

SHA256
d0183fe7acfb2c9e2c010887f668bca65fdaa65c528f5b3e0751a003e172aa96

SHA512
617b6f3ad6347b88cf521ce1a24e6ff1659887f14e8b0e1ef00f07c39459f4b9db3b43c3316f0b367f3f600be42292359ac36cac4b74a1e3cc814026ff4881c6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
209KB

MD5
807999157a8e0156c5c384c7bafd0eb6

SHA1
fc81f1f074ff9b52b490f89a2e65dd5b8b879b1d

SHA256
e8e496d9eef566aa342f0a66c6eca635194479eed09b5a00e81d7aa769eec34d

SHA512
5b9c5995594fc79277096d802665adf85f35a5ad1edda2445b02da1ced8c18c3b8065e06dc99500bc71d91cfec71aec4ac436c0f68bd0b43cd901a4c1de4b42c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
233KB

MD5
9fe0430b9e3409afdc7d3e3d909aa0fd

SHA1
68d806d3dc6d28a503c81a7d5871d5e37a6ef68c

SHA256
fa6de8e82aec41386725e7a2eeaa8f7cb0c23c07fdf0e1804f49b33676a0d8d6

SHA512
a81aa71342c97e385c9e3064eda8c6f493d418171239bb6ecff40d82daeb955d5ccbab33dd6257f3dd0e5aa02ea30b159e290777cbece275c788168bc696709e

Download Submit
C:\ProgramData\OukMUYQQ\ZkYQcwwM.exe

Filesize
192KB

MD5
9cd636bf77ab21c83425ede6dda48760

SHA1
2ee987c2451ed6b0f7932f9483d6ec2ba3128242

SHA256
9766aa0f88d027f20f7c272a7a51f917e31b9b3290d3b1e94614df57b54cc43d

SHA512
abb801b27d2de7ad232b4b691ca0528928331dab1571653379904b992826b51a409dd2e1b6585c7bbdafd709e40d19037f2cf98e22a55b34b2a100e22a81a6b7

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
637KB

MD5
9dfcb5a8f3eae9f8a332a484287322fb

SHA1
942172ebbf4ad12878b3072d5917ee49a929356a

SHA256
7bf2e329e0bbb6a2442ace3ebf4e246c7d96b7507ced9136eb0c6d95e95871ec

SHA512
6da9bb52860c89f4c5e4fe09e647091a6fa041d4854776323b1f950e9f5b9d2725eea04a69f5900fa0c8357aa951bc4fa97ba5d72f67e54276ea385e26ac29e7

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
654KB

MD5
e8726e9fb1ada4776c142f46b55ac684

SHA1
c146ba1fdddcf1653223c7000fbe43fd5f3a8a5f

SHA256
55b0aba2a693d42e4a462e42eddb0658b3fb45f3cce9386ccd3f7cfc05197b0f

SHA512
f79064fa8f557cdf9104d36dde8dc7ab3585839bd28038b706daad1b91f71fcc9c6a3a6cd4f6204a3214340fa2f79124f6206734383252cdb20f8f68683056cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
203KB

MD5
076c48a94a4fe0c95c94c70d8caa2855

SHA1
c38e26ecdfb1af3d0db8098a176808676b45b96b

SHA256
6c1829b097259a27c1d99ea0297109289ea9d7fc4d51eed48e88514afe983c25

SHA512
dfaf8439274260d6b1765644d049616113de2b7c957057df4e92afcaf12725c36d37433334910dc4096fd9947ebc6736b270e8cfadeecddfea1cac8bf756a253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
189KB

MD5
6ad7882e68e053ad5d4c221ffd151a79

SHA1
c721d6f90ab6bb4a67e512ab7edc6e4b90d8cfaf

SHA256
b62137fdd96cc3fd8e10548cfb44a92d738d9035ef04b23648feb0ecc7d7d2c5

SHA512
a5041df4c4d09d149f3c3643ea307f76c8b7707f9344d251d0ce561f834d991c5492987e0b3374441eff6d78ad45c89dc128c130770fb3dc86e6ba1fc0fe4f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
199KB

MD5
8eae74ba13b112e394480bf1005514ec

SHA1
0ea91dbe783b7629d6270cc5ca5d07c9d442a67f

SHA256
8932039d578acef1afd557a5e834a865d98d6a8b1c147d6e0a250546cfb1a471

SHA512
6c2925c54353dfcb2a9a51d2c603535f6cac44799e1c2faec0c5e4531846cb745083d13e345f64cae9a87f728f98720093c3cc41fa6e53d8992d91b2a58253a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\202408246987d2f5262ac57d7c87b0eda881bdbdvirlock

Filesize
5KB

MD5
54bc31c6dd81fd170186697d266a6bb5

SHA1
2f1e67de5f3fb8c9ea3ae80fc6613fb69ba8844a

SHA256
b661d8b38e6562eb319668e0875ff8bd95fbcc1c49f8f6ca1dfec8902b67951e

SHA512
047fe160ca16aeb16f88c589d8eee68085133ea37bb6ec957bf554b263a5367609c59cce9f111abe88e3963bb168abe1c653373e141ea5a2057d02d0e5c8485e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAwq.exe

Filesize
640KB

MD5
2775be97329435188ff10bd4bbbf6100

SHA1
f08ba34da6f7035facbf48926e44ff705b74df01

SHA256
d650e5cece3e58a8ce93882e4428cb15c499a1a79f6d53fb835381c4e7f8a58c

SHA512
5644c1e9ec1fa9421a150e97bcb939f94dd34e2a162be5afe30bb2407bff00b32754e9e13703cad9bbeb14c10535b577e7bce385e9e54ca1732b22de2af0c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYy.exe

Filesize
185KB

MD5
3c09cc89b8b544144c33821b75c0c9b3

SHA1
5d2753c2ca2218fbc360129ccf9d47e3afdd44bf

SHA256
f1bc7645e94a0feb670ccb9a44bc5ad81e6b6a79f35a5b63b6ca3cdaffbfce93

SHA512
c4fb59f3249c5996f551858e1c220a77766fc454a6566d053c29a6c0ee0ddac0ad7ff59596a790d7c2c5db385ffd565a22ceb17decb6a9cfc31cb57e17c8a9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUK.exe

Filesize
381KB

MD5
00bdf2a1bea74602920ec2995ba50806

SHA1
361e9ebe39c80381883676580f913793a411626f

SHA256
5493866e664b373a0cba748f5190c4abe803af09f2fc4d0b021ccbe933c31a40

SHA512
0629a323f9752f8ece8769430041c29d42d412f5b98107a71e2b45d8bf3f0afd6ef10cfc3279ddd39cd764a90f50ba3701cd0d103453da47b32fb620db44db93

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokU.exe

Filesize
182KB

MD5
e4182ae66506be4cacf3da6039ed2053

SHA1
849de80dc5b2b7c2e97d7c34efcb7f56a2fbf6f3

SHA256
ed16c9cd52cc5cb332d6bacbcc06c680111e78ac1801f5c17164f29865498470

SHA512
d6568378bf92b3a820a3039cb34a1cf6ee336bbaf7ebad77fe922f74c34d39c6f7b55b4288b43107249f2e2ae2f6f02d76d04cc011232a1273644e4a6fe3d954

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAUC.exe

Filesize
1.1MB

MD5
43045ac59b449eac4d92b59012c84717

SHA1
21167f7507bdd7ec41f093c768cc292f3b2ca402

SHA256
19fb3284eb9d99f855a163fda292205cc7e11aed2943e9da98c90db607282c98

SHA512
24bba0638bba774e819bdeb5ce528a9ea4a2b09b4a1edeca118b412d671e72cd4d96d0c97c70a18a07293379eaeefd95aa51e86566c1ad05fa439c293f779ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoe.exe

Filesize
202KB

MD5
ff08b4f339d1bf103a0625c783a16086

SHA1
074e0f0abdd5c867049c293633b529086ccbcdb8

SHA256
c509261197a546c4a0b0ca67c7d9a1e5340813e45610471c1da718a6f66b0d76

SHA512
637c3345ad02a89d1c0aee05f74a0b49a8ff4138f8ae2f402502362d6b052e1adbdd3900c22d7b38cccd447ac52131785aac33a3df622bd711732180bfeae9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIQC.exe

Filesize
402KB

MD5
140569cdf2a53e565bc6a4e003654bda

SHA1
4da6ec8b4388a59b3ce2a784afda9126483f3c07

SHA256
f9e611edaf9a15fbcfe9a2e197016ee68091175a3be7dcf428e6566698410691

SHA512
fffd0ea2b53f565d8ead5dceb81afdc490b5975cf7a74201a474a8cf6640691a5dc21c7e8cfad8f2e75084bcd8fb4caacc4e4fce829472e56d062bf949c712bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcIG.exe

Filesize
222KB

MD5
64a59029cb85b3522019f655cb790fd1

SHA1
5f8c6f0e0b5bf6401349528c3b6683436587d18d

SHA256
64072f80c9d106a56aa75eaeddb0d64210c24ee61ba1f4d22314b8437830179e

SHA512
5812477a08b5778efc25c793ec79d60b36cc4f9a31bedd84620aab9f156cf6cbb7877876940afc79ce4e3c068cbebe3eebd4c6b6c361f1c899c162b906f6e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggsg.exe

Filesize
316KB

MD5
9d3afda63b9262d5a13e01e5f564a3e0

SHA1
fca887f68054f3a2e037ab087da612eb2a41bf10

SHA256
1b2fc556f5e32d1b4f0f7e877a01688a11d9d483103176668fd5e67248c56176

SHA512
ac3ca3d9bbea6725999e31f2b49cf4bdd53365d642f827edf4671e456475e840fecb4b502a9eb57ca6afd5c80577454261171a46dd2bbb42763a12d0ecef9590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIS.exe

Filesize
193KB

MD5
eba0f2d5d35973359e42af6ab93b404a

SHA1
4ee0933fe44db2b34ea4634e77dc89438754e7cc

SHA256
caed527bc446d76d54e0a88ce3623960f5e5667efa213d48612da06412c1bf26

SHA512
fe394537767a64f1fb604418af1a7a7bd02594a674b1873242dd255f382e0325c4a8ae3e3d58d96e3fa4f635be6998e5130d4983818d49168842b6012f2f7ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQUo.exe

Filesize
193KB

MD5
00637ef2fba81edf16b4e250bd7b5cd5

SHA1
32ae15c0ebfe45c2eb7a370d8237e4b1ab176fb5

SHA256
fe952ea840db729d119b30f8e55a2e324f3a0ab1d31be6a5ce28707b1049a395

SHA512
9fd8098d28bd4cd6211a5ac9b08a531613ad4cb4242cc93da128b1e9d00cf8cb6313dd4c5ef82b62b4edede3af243c0191553c9154e104067479605eec7b5488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkU.exe

Filesize
5.9MB

MD5
66566027e74d5af2eed48d4fa8311c1c

SHA1
760abaf1b590b0907ce405bf87ea5270c23709c7

SHA256
0feab1ad6133c0bb7a9eb163c0dca3b8471c610920da21259460d24cceaa0c89

SHA512
30f5f943ce5f79d77f8e8d70161145659530d24aceefe7b049a3733419fd3d18a2af9db7d9d35c7cd85d40a8e189a48f865e100faa9208bce281009b8e601ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkgMAEYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwYU.exe

Filesize
481KB

MD5
94e8bd2056b8ed8296843c5c6301f6e7

SHA1
3304dc3b22528a8ff7772c10d9b8ca116c2be50b

SHA256
a25cbfaaa5704ab06de62c15da1e2791e74119fd7f16970559f65ddf48d5a0da

SHA512
adaf3f8af1475288e35b9fb9d920e3935693f5f0eb62b9ece5a20b8c3a2d7fed2437ce876128eceeeb2215dd93bb5622a95e3bf8b8587785afa37b0deb5f19e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEQi.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIkc.exe

Filesize
638KB

MD5
dc1e381202279a52506772b051ab652b

SHA1
8279761924e1c9ca7072cf25a4c50150df156d73

SHA256
5dfed79cdb0d2723954d388ebfe1dde76fcecbe2a7db7d973f1d611e8451ac6f

SHA512
3a5c8eece44639c10bec7be777fc0c2aca9123b9456ffab34e141853fd52b36d551b00540d9daddc6be73947122da4c47229dd9535740de4d876ddb75da16fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQG.exe

Filesize
195KB

MD5
c30e4f7f7228e19bdb0c19d649bf8ba9

SHA1
03a071eecf314d922a59529d4a2e3aeafa8fc775

SHA256
e2fdca1d8f6c89ccab82d7c74108fb66e7322a78a3ee666db8841d1a8ff27e2f

SHA512
4ec99f3a4d6c8487dcb64b3c34c80368e4660018512bfaca4dcddbdedce9cbb0e22281148465b29cdd98f696222f79cda6941c4f3a87a76a2bdae18d50481532

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgsE.exe

Filesize
193KB

MD5
5bd39c43e329512d05141dad71fc2d54

SHA1
a35a888466240d856ca2b6efe71f4233308c7ae3

SHA256
c48fa7d5c6dc98b3e59331a0ca6c071793e6641c99921e8f29bcb8b375262175

SHA512
1bf81e8881f0cca12b5bce73f1f65645f10c8272a7aec0b48e1bfd79241f7e9bab7331c182edb246f9d6b2b56f87792f38c7b62304f4a1dd1c48ebaae7b61968

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEoa.exe

Filesize
204KB

MD5
96e5ec9a810d505dad562c8d7dbb13cc

SHA1
31a556dc91b16ca3d066f5788c3f7527938eb366

SHA256
01ddc2269a5e985061b35f7f042fea252b7b476083c38383da2b7688c30f5b4f

SHA512
492b25936754734bb2be18a1eb8e13b7ecba32ed56351526913655c0e5dcc4340f1075bed8824b57e90421952b9adc19378bbe54b68d8305896400378a86c51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEO.exe

Filesize
202KB

MD5
ef19fee98f00390bcf3e286fd6b464fa

SHA1
2faefe6b1294e2c38b9c249a1a3fe0331f292fa9

SHA256
0961cbe93de7dade9d3523ea0ce16563df2fc836233f974b699f10cc3c8dee5b

SHA512
26afe0026817a214d94b72da794bd993035bc9f1f6168e9647d240a5feacec50e96bafbf0d0674e320a819e288f535647d41da4e7fa5a5386df99d6898eb666f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYom.exe

Filesize
848KB

MD5
2c39be6f575ba620f91321fa54c5ac77

SHA1
273b04e15924fed351ddf545ccc0b19728584089

SHA256
b7a3e55ec8316627605afa9dad02661d95674208f9c2f7eae5c4fb73a41e4e56

SHA512
040514f5f4576173a98e4bd9425db9663bbfa83dafc0f34b1efa09f94657130a1158bedc251b90e6d0e0145d5ac1d6965dd58eb53435c38e7e9b77bfcaf6505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgQk.exe

Filesize
332KB

MD5
ae6d2972fe7c945ac25a85926a813d10

SHA1
16fdbaa836ee42fffd8eb1e231d2a179457b15f4

SHA256
e4e4d4d5fae7bd545bc3ddafb7adab842c0c3373b34e139e130a968992db75f0

SHA512
dbbe2276993606fb3209a710ea029c7b22078a40a0b0cb7ca091e508d395a3b44775d4a5240732ad68a9e2cb616c1b7bea2e27507c2da7b7b45a98decbca0d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQG.exe

Filesize
218KB

MD5
b765ebc4be4a2fbef9c82cbfd72a21eb

SHA1
1f1f229b18d483ea7222b7d301b575d1c0fc1cf3

SHA256
e8eec4848a842f0da1bfab994a9c019b42538b5e5ef8d225bfe44705c25e8099

SHA512
c204439901108612a4090a85dd6144145543d406e5a0b6b27357fabf000a2dc5e26241da3552c254b0f1ee9fb437873d0ce38983e5b9c75f6e8d9c52964491f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occi.exe

Filesize
185KB

MD5
35e6bb33b4e5edbefe0080d7a132c35d

SHA1
e95c40c04a9f6fbc0e2fd311c219e35b2d9131a2

SHA256
7bc75f4e576264abd4f48659ef0741b1351fbddb1c3d11dca6462797b95245f9

SHA512
785934da77f8e8cee68d87b663b5ddff80d023e290e6ec87ea3e258cf81ce428f0f4a356b6e7af1b474266fda5adb7b9ae6c0515e067d91c2f43e3ce3bd73999

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAoI.exe

Filesize
203KB

MD5
5d2554d8ea7d780039d549d735deb1b1

SHA1
9b7dd900b41cd6f3bb89595fa50bce85455f840a

SHA256
81d45967941327ec613d723f0d34764ccb4c4db3229097bced1e46c865ba1a13

SHA512
e714f6eb35afc4d9c928911e67ce8f4c5265dc3b601e13029ad3270effa050366e3ca9e96a12069f1b3defda1876b919368cdc041dc1f7c6b3c282879a66d779

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIUG.exe

Filesize
225KB

MD5
bd1e0a48153b8d4ef62d372f71c7024e

SHA1
81e9a18d085ec43e5aa6a5315f4887a399148bce

SHA256
2c3e01a53e7b101f912b13fe81c16511b7b3cc9e9690c82c2fb257415fd5f1c0

SHA512
5a0a745afeabcd2c007a5741b95816407b38e4f7813d1a7bb0ba910c24072229af73612821b2f68e2839aed208885996ebd52893e79cf1948bb1f522602ae1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIce.exe

Filesize
194KB

MD5
c73325f21b81626c60e2f000281981db

SHA1
33459a631f4b16eb2a99795f49c12610d81f0e79

SHA256
91872fb4ba24777e4e3384495257ec276e212b7ff4cf02fa98b09f3f88173a7d

SHA512
c28448e004d7a6ffb51bf08fe3bd5137dac3c978566743fbbedb7469884d089bca759945910293b71d324897aee45805596defe24e2a4ca0a05d56fef9b25ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYm.exe

Filesize
5.9MB

MD5
676254a7c96c17851e702d436ac4b1c7

SHA1
b75fdba7a6c0709a2b79ebd75d515413f70f6c19

SHA256
c2c14d00fdb9acbabed25b80f35c6f37424d9e9722b55f16df75b8c51edf134f

SHA512
17b0de829730008d4aa6fd898fdafb25cd1919b709786b0cc04e5f175d1ef3c38970bc47ae9fc063f99185d9830b0a4398929bf6e09addbdfb0f0c0f3dca9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgMY.exe

Filesize
197KB

MD5
5b0c89b47cea588b9946235ff4b7422f

SHA1
db7d83129fa3c38c805c161d0b0a6b4fcdfcfe70

SHA256
b1221b64eb1b10b4a990b2d04fee6ffebc00784d53be478f745029604da78f45

SHA512
b9d1f28cb0723fde442dafa0b48dd9d9b2a2aaefad34a73c59d1a074bf462ff8984a12adb2ee351721f8c46fab250cf5cd306739340ec15ded72904c86cd2e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\QssA.exe

Filesize
316KB

MD5
75cd0dead4ac14f314ba83440f9ba9ba

SHA1
dd6efba4b91a597267728443d91b97778c74a2db

SHA256
0f1cb7ca59fa7400ab245430cca1b3d3ca602febb3bd757104859e993bc60eec

SHA512
7a20e5ac30300fd5481f9436f2eac9d6fe84522b8450681a93aacb55e44431482f1a3a6fe724988036fa198ea119275ac22e0ac35d61904136b130d66d30f248

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcG.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScMc.exe

Filesize
5.9MB

MD5
8980c226f8fbb40b70ef8292aa183923

SHA1
007923526e09020c26f594a8ce10908cf3b1cf33

SHA256
8448e2b338eff8c9e0b223eeec045d1d8c3b5a441ca9b0df4a73a75376dcb4d8

SHA512
65218a29b8924eb3842f289f317cd5b629662c75dde21a64408762084c1a07743ece3f8bb9a61ba286d1e49df1af4460bdf4711f3eb75fa7cb6ab39f53afde26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScMk.exe

Filesize
198KB

MD5
c1d26191bd8f36f79adf831a7902df81

SHA1
4757507264b6eb192560fc84394973a7c92ac9d7

SHA256
84237b7cd73206fabd65f8a0542e86c07e99e9f1f11d9ef555c681aae061ac72

SHA512
e83089f12f0ecd83de14e89c4067ffef4061a67d2af2e83831ac81739c61018c99cd6a8b96dbce1606b6e94b4d6b2eac79fd541981648b119fd395557c3ed75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQe.exe

Filesize
188KB

MD5
d4c72ee3b067fd8d00fdeeb591564b85

SHA1
113954eea8632992989c8001c7b3cc96433a7998

SHA256
7573706cbf96ddaad784befb6774bd7e4df1311dd87051dfa9d28796235faeb7

SHA512
702011f5e1ce8a886b82c86012ef22885c3c9108a1426de45609e9a87f9e4e71c9d0937260343e9c890a39af64db4339f374e62d9908495abf697a4bef65632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsYU.exe

Filesize
261KB

MD5
da8e6b615edf9ee3a9f3d21e54097807

SHA1
44d14ca38e15d6bd411598bda11d4f059f0207ee

SHA256
2fb9c813463379d3d177d829d97d9f9b71edeb1e2ffab2e8dd0a98948ea1d91f

SHA512
57d72d80c4ed00bd6afa33137b49abdac0e0b1024739d763b75e4841679027c3cd13156c1b7aaa3935c42b49c146e0683a0ccf7d9d20a82c1348c64175d42776

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIo.exe

Filesize
211KB

MD5
053e328bdf20923b4d3d2c622f090a1b

SHA1
0725bf318c453f15583e6b3fc67059b33fb65879

SHA256
45a13baffb318c0a0abd99ed45c494febb7c9c8ed3e7fb9d6ea7e33b8e9198d8

SHA512
7cd5c42ad4c406c51607f3573e0c71b347c023b27c25f4caca9e6c1c9ca6769ec2a393f6ec516e114ac72243df8790a4e5ac6a9f257f9d4db43ad954a2f46da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIAK.exe

Filesize
196KB

MD5
7cbba925b336c8ed09eda1aff2409ccb

SHA1
357b44894abb3db4c9ed6a07d82ff75fdcbe49d5

SHA256
cbe2acf7a7db1ae1c87740b3b84c352343fd0d40e33de6e8e7a0ebb82f6c099c

SHA512
55629862da24ba44793589583ebd871490d02469a461af8918bf4d20d8a925e60685026948d6456c19040f412b1ff90f8f96e93bed1c22839ff87037259d14db

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIcS.exe

Filesize
204KB

MD5
f3970c21169a31436a159299e5c11be2

SHA1
48709b31833778858e59bc854724280802dc3ca1

SHA256
6cbe4272ed07f552740444330fc020e91c9809ccdc0356fd1313602727515ff6

SHA512
e8f60b33e33c099d20894c3f39c06eea482eef1e97fa1937c2391e822bfc292fbe830e528242d2ee3332badd39add998398d7cfbdaa7609933747ffc6b93d188

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUsA.exe

Filesize
190KB

MD5
b36fc037b29a12e842db6ba12b42df5f

SHA1
83a02cd47631eeb0b9081abbaf4b36c482c73f42

SHA256
cb43f8fcbc40f5cc6b404b2e0bc404b5610ad7043c64915182adac9b3b0fc602

SHA512
ec450966b3f2f093d2b569ba2fce9e511f0f61757b463e73615a3806228867d9f3a748ecd72c90a91ee16202bfdedb7bba1fa16c6f1663b910fea4fe0c83d3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UckU.exe

Filesize
194KB

MD5
26938857d1dbd6d450a0767f4b0cce39

SHA1
97ff75019111f3c7a26987b489c9b7b5e3764991

SHA256
57ec8faa39b45a57a5ed5935ee15b9edb3322d24f9dc1a7252de0e2a1ab0728f

SHA512
3ad5b9572ca7217f48415522a6482dab0858131449ed7b56c9172f2f58982f08c871e774b61d238c53ff55a7c0c9e5bdb58a79cb4cf94d683d831b4c1c759c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\UooM.exe

Filesize
342KB

MD5
8bbce34d6b9fe6c7661253c3b83c8aea

SHA1
90efc8f90b2d5d76b6d2a80f364d6f366f637dd7

SHA256
5086edb2e9a560b2c8ee0844f37b8ef856621775a7df3f44cf23d08b44070c7f

SHA512
c36955e50bb763c6ecbeed87ace6601e429cb5c50bb5f431899230441023ce0fb6631799897add1258443b1780a605635e3b6e8509b696cbaef59c2e22a41e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsMQ.exe

Filesize
192KB

MD5
da2010f54df5c9fd1488a6f59fd439c1

SHA1
5c349679b65053075e7c7ec9ba7cdbf97f607b87

SHA256
f6a2d2abc7e52406f58c3890d196db570aeee352af915b8fab323efcf1810360

SHA512
941017b1da22f51c79861833c2d07e6441e0900f662dc4adee4dc9719d0f17e917c92a2dd4622f085df26ca0a42f5355ea11beb66ce64a606de6728c5492c751

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYU.exe

Filesize
772KB

MD5
6c540148462f4bb8309b5d77cc23a9f8

SHA1
e494e739f449b7fee0efc453aab62d07a6c9fa57

SHA256
926e3c0ea52badd3eb32d15ce89a9f5436e466d1815ba31c9d738a10b030c431

SHA512
49bfad20a8fe9dcfc83b5915121fae46bd9ab9a7479db1292eeaf03e0572c4ae7d0efa1133077f4f2d726a02df3a74b16d47b5d1e0810f4c944ca0d18e0876fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwME.exe

Filesize
185KB

MD5
5e15bd4972b7c56e2af7723d2a7cc524

SHA1
d461615c2df4d43a35bf42891874549e0c14fcb1

SHA256
3f4a8de29e9b9f804f917e3953515dea98317e34c9872ed7892c9fa974df01fd

SHA512
376101f27957756dbc58582575a1208bbdeb6883df91220e5bb6b65fc6095ced34a50ed0bedc094f1af8eafd8b48e6e9712cd041a3dcf20aa7f48edb192243fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIE.exe

Filesize
208KB

MD5
3c51f4d575267e1eb4999dfa2b7c0a1d

SHA1
1eeb8b27ae5d549d13cc80af2560b060a6acbbf3

SHA256
0a53f8e146c4848d072f9ae5d266cb2c34ae9f1a491914937d4d5521c386f420

SHA512
1d092d2ecd33c0e38968f3d5ea6f293fe6fe9fc34e6f6c959012e5d2bddc79ef98bbf92776ae9b53dc87c36d3f40d350cda6a477c1f52ca3b9b37e0988a2296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEIm.exe

Filesize
191KB

MD5
f93d070c57c620b895dfff0d139944b7

SHA1
82b2f4191e9a9daeecae6223d4422184950dbf8f

SHA256
aa3be50d167218e20d442c2e0e006a032b6ab782306cb8ce78da4ccf1b405d39

SHA512
2806923b3358a719771b54ec663cabbe67130ca140670cfccf0b5f39a81b2744cba88489f6880ae24390efbea30b0a48b4cb42d40f10082db492fb459f766341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgcg.exe

Filesize
188KB

MD5
87c43ba481f776d0ca859cc77baccd84

SHA1
5043a5d6e115795f2159293d3a0b8fbc704bc2f9

SHA256
dd381eb1379fafa09e52699f741336680bc804f8c5b27c8877951e321f2df686

SHA512
ab707f54c9403d88ad04bdc1f1ec5dedab77c48c97e83be549b174707f922b9bb7e3be461a05e6e665b0600a1725c3a7fe1d45ae8cb01354fc44a4385cf27378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wooe.exe

Filesize
185KB

MD5
037f21154873398f3e0d58b87d1ae29a

SHA1
e2d7afe7e25dacf6b0c722f4ca59544409421281

SHA256
62ab383b4b0f3302a0ecbb38a8393c66ae0300e380f54479b14628a1b5d240d1

SHA512
1065f03b1742aa4052ade788555d5cfcdabb859f13a80982cfbb4219574b79f9a8915d952ecb1cd941c978589802c40c277a42ab131205bf75313f8098642838

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEoC.exe

Filesize
195KB

MD5
6a868f62dc7a985ab663a0bf91b3a32e

SHA1
3a036801c04d5089d8113729318bb23597af236c

SHA256
38a52d0292818252e42e11fa35e935fcb061ac9ce2c309c68d5d2052751599d3

SHA512
c4dc72b110c6a2a6923d51768af86892fe8ecf054dac53ab216a0f8ea774ddd3126e8636d19aa70da8c1a24cbeb669e5f89a81ce04df77620889f7ec2c4ee5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEe.exe

Filesize
647KB

MD5
176ca700759a1f3cf19520cd8cd0f09f

SHA1
187e29a0aa6366fb5dbd2f9e0aac18c475da04a1

SHA256
45e13b160164f7354164555290aaa53f4c11e3d14fc25995b9f01511079687fb

SHA512
025199c12725d736695e59c6a69bfa45edb11b6a4245fb9659f39b79d302ab6dbc0763c1fe41baafcba96b75f0591fb669a5e3628ed11691c4b0821e49bbdf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkU.exe

Filesize
192KB

MD5
8a229dc8171e02b7130e704e757de90e

SHA1
fa98e94c7900728a3a736eec529ac387d4b37131

SHA256
98758eb59846d1a24e2e2b0c0f1b5dbd8ccabd502d7d37ffb5b1f9076e615bf7

SHA512
2675e05fae2a2aedaa4ed7107e0d29943352a7d52bcd24b1e6d3cda3cd08d50281ca348b84c05ea4e3ab435b2f2d7d7e38520bbb830112ba13fc4826ab2cd607

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUow.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEk.exe

Filesize
206KB

MD5
d391f5ee66b86795d49379883c30ffa1

SHA1
c2441938a5f3c319dbe698dfa11bd3970479e95b

SHA256
4902a9e886d7ad99f9c1a89c2c67790873a4893cba75086d1901551d7d6c2522

SHA512
7455a6fb60d176f541bbd6f0cee30dacf053442630fb56e70b9d8ac16689ef196c19fe65cf8212d7657dc425baea372435fa471ddb5b050b38b0bde205e3f829

Download Submit
C:\Users\Admin\AppData\Local\Temp\YocS.exe

Filesize
819KB

MD5
67f63794e76a1a01f32d35ae5f3bd492

SHA1
87e54d57d36f7b2f07f02a2ca99fb154867ce947

SHA256
2ecb921d4d57723ba211bb26ca6af6dc8bf931ee12e5441aae77ff0322c9a3b7

SHA512
17c3aa74d339fc38d08ad38f497db536e3c8b3250457c81684e70a8065219c23746df0099854666589094867473142896fbc8eb7a5ccfe094cd949d24b9b6a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIQY.exe

Filesize
1.8MB

MD5
902cddd959c238df6cba82a79e3db00a

SHA1
1f4a8b99927ea70ce6ea004f5357c599c5132224

SHA256
9928c351f840c45224e60bc486b5608c20c60590d8a6cf7770e7518b45e249ef

SHA512
5a3881f922cb0645c4cdefea2781ded84d3a9e417eb5ceb7e809191f1766332e6c41897c4925ad5d17825ea00ff0de14d1b8f7f5d11877ae81a38ac6b7485231

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUou.exe

Filesize
193KB

MD5
db9c615f0143caaad407e343d6fd71e9

SHA1
802219114370d5239e57f687ea72e354ef723833

SHA256
a868d7b3f71cd656468532cd9dc7f8c3e4613a9b1e34e20d876a5e4d3ef81442

SHA512
78372ad8cdf0b539f7338d6a98a8ad72345ddf23f1c99e3c5853d7c3ada9a16fc519429d2c697d432ffd47b2076ed74125abac37cfc2239283efb95f22a09971

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEy.exe

Filesize
196KB

MD5
4cc43ac8d35bafd3a08b297613a56c91

SHA1
391b76524c7264d2988d03684e9d6344853ee94b

SHA256
3dc747b48a39ed17851b4b3bdcd6f2bb330867755fbe5b16e2a18edfa3c19d88

SHA512
29c6791bf3e622e0e3cb323de6042dae0baea5948d424383b96c8661cdd69dcbe9b01b1d1f5d8058e1eb8ab850e71fdd4a11acb1c922e3769b765c62b97b55ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAQa.exe

Filesize
975KB

MD5
70f3d42fdd8b3f5a72a148c9a40260e2

SHA1
2fd6a95c2811954078f9bf18d470d1334184ad3a

SHA256
6ccf3709dbf571a768a96e9e00a365003f020811b2dbb36a60c2951affbf2351

SHA512
c9cfcd5b6e363582dc0de095dcfd796f3f40de254843b8c04bddda3060a43e8422b003e146971d2e6b4156fe99ee7683b05f741145c4983ffe2c6ed1aba64e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIY.exe

Filesize
828KB

MD5
81efabb5e69d86dd28bbfcca9d24af29

SHA1
dcabae6da373209ad0cc01d33b49dea914df515f

SHA256
972ba13a1647a6561aa579abf11dd9acfb1c679cd43c886b0338da5bcb8fffd7

SHA512
a06b45bfada5892c57f8d718f68008799eb5dbb43afd68fa8dfb47edb1f701b405528ec9fba57556e4fbf4e55b3b9f5b8561da65da246acfaac168db6c572e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEc.exe

Filesize
198KB

MD5
bafde0f5995a83fd597d08af9e68b993

SHA1
4c18e08a3649342bd9916bf3c03cd8a4036ee711

SHA256
82d464dddfe9036855b50daacd55608f3de95972bf950752e7126c303b06a6a0

SHA512
b3159c2d145f434847d1e689e706b10d668b482301a0c8bcb8b2ebe703faa877df9848c0bc67b88751052d73c2c2c635625baed0a8f0ba6159095f18accdd617

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgQ.exe

Filesize
232KB

MD5
f13e1071ac630cb0baa52f047b184463

SHA1
6d357d937bf63a4c349c79742c640c4c7d62cdaa

SHA256
58842ee00529b6371623c39f09605416f698f590a33a86fe5f6dc476ce3271d3

SHA512
817268ff68699e01147f039497e8a49c86065da2b3e4093ce78368f1c0a225e37de99651d30482f6df673448e147ef7198b9372392f658826d87f821b2df9897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckoe.exe

Filesize
187KB

MD5
9383165df228a8ac9c8122616a7c46f2

SHA1
0f8c7b5ebc76b3c15a865afaa95e2121db3b0dc8

SHA256
29826d88f720ac34b37fa040c89451c79efed039d80bf8bfc378b7da375cf3cf

SHA512
82b7caa9fb1e73318d08824509d3d60c7e8623b34afd9b58ffd20dae3b7b70de550a2720b1bbf23037b052c52ab6b3ca666afb9fb3752ba220ecfff7abaef290

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowE.exe

Filesize
189KB

MD5
8c1efa3e7e92d3d3d11cc27148ce553e

SHA1
f8814653dc740aeabaa4934116b375f35011d554

SHA256
b59b89de8d25fd89e9721b873a52521ed13882dde6ea622e54961b1e61edcb48

SHA512
8512225edf5045b3cecd8e3d04ec1f684525df6390689e070a1ab94418fee9e2050a353d4267d03d69eff0062998746b363872d1f670a1fa6b60b48665b261c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csAs.exe

Filesize
573KB

MD5
19fb26491bf47d383a742d12a5396021

SHA1
2e5427c6e53dfbcf4e32e71fd7e35415b576dae1

SHA256
b80534b200466c1a6d46720d495bb0ba233da9e08b0f2e730c5e4aae9083a599

SHA512
cc01605c2ad081360ed8820ca06a5265ef0f4816e33ca0cd347fe04ed686a567ce0f20ff51bc4cab7da15d46eeb24ac765ebd35c7fabf7e4eaf70f8c195af6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUi.exe

Filesize
203KB

MD5
486532bb4d7a5da971f6e305280ffa57

SHA1
921bca592907c63807520be3196c8823b279e491

SHA256
dacdc5801d1bc5f12f98bce547431a220021b65128d4ee157f890af5248213f2

SHA512
b9308b3ef617cb578f4031729d989f0bd1d8bf77342b0aad4c38439d08b81e37aa8ac216ece957370b9f764515ef844b927ebb19f55eb4b3b4f7e6d45135ca5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUwy.exe

Filesize
218KB

MD5
6c798c02e9123a1d3f9eac656eb43114

SHA1
95f42d283264d84546e236327ac546a0d20d3d09

SHA256
426306e6ef79757e2b203b3f4cf042e40b55665fc3e9834e1a5c3929dfa97812

SHA512
45f5b8673fa21cf9d7eb3730ca703518593b9f6b5f1d2a07866b3a855f2336f8140db2b289774dec10f349e257b9f5349f929438d0e6406ed264a2cf716316f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkc.exe

Filesize
199KB

MD5
16d3d85d182f1411e56d1cd7312daddd

SHA1
51b99daaef1e5ef763149cd79897c5e1a18c4eea

SHA256
8468186a59e573d1566169f40adc77517ec73fed0907215d1f87c3f47617df4b

SHA512
d99f4c9cae9bf48700668ebc88f31cd3ef41419cdd8c33a3939d3c8b6b92af2dc2b9ed5495fd141954c844a04c8537a40f8463a8b064200929aa0081246a117e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoAa.exe

Filesize
186KB

MD5
052dd49f7d49d6d797a6c417ebf1dd78

SHA1
5d8947d755a10656dd810c60a6a6889814d873c8

SHA256
e200a2cdd57dc82659c347ef973779a12c4e190ec8882eb92b3922917718bf8e

SHA512
60c933be3a72f748a1d2a6b9f82f9e5066ac828eaa5bdef6e0af63805a6ac891b5d668c3165cb6a1642fdc4d73a00825b31411c835f29734bb1aa0c6310c2710

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewEc.exe

Filesize
815KB

MD5
e0b1d95fd4df6747ccf1f28daa666a16

SHA1
0cb60c069d4690a849cf411f86e27047fcc54a36

SHA256
0ebe9967600f129da24ba54aeb39b6ae7a97cdd62c1bc073aa48a73d32fa2542

SHA512
80c42423a5d15b010bb49009bde682fc3ef025a73d7d6b44db6fa412427960c200fe22ca614c012af80d38e3c592a6261dde748d828c06aae4c9c1849f65a65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoQ.exe

Filesize
199KB

MD5
afe199a25621600b70750a7a2a9ee929

SHA1
4e5cdad87cc98eaaec3afe386e5b4b1ef239ea24

SHA256
e2f23da7e18987829f4a00bb5a7b8bc81af5373526bccea8c55d2a688b945571

SHA512
81b4279a3ebb14aa54fa236dd3d5134e46137da24c638dfbe119210708045eac1db8d06b834afe7e396552f265b89ff489bfb2e95c897434b61518312d64e889

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsIU.exe

Filesize
195KB

MD5
86584efab4b720c043d3580727049a74

SHA1
764754dd6a03bd1c9c5f47729bb5eee17b8723be

SHA256
120d2adf82f60144e00029d141e3a26012049894315601805a3a2bf4f9e89355

SHA512
83d4940f9f36929f54ce4584ddf02c5bbe7d8a3c02a1721bd92566239c8c26362b75f3daacce34358ede26a10309d23eb241174bf93011cafb3f118c9e41b8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwkM.exe

Filesize
189KB

MD5
9bc78f0d09dce53c8c3b94c579ac4e89

SHA1
ed582f44b77b931902790b6029fb2746ca13447d

SHA256
1930b52ec4a75df6295895fb7517e4dd5811ed5f044bd5e37b313abdb50bc089

SHA512
e696c9a5908bad83183c8428cc7920b5449bceb4f0badfb06b1e52e0e115105d95454f875c9326686a4e1468120c62c5798aeddd68486eb00ca9b8878b1baf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMMo.exe

Filesize
185KB

MD5
80e9b20f754c6564833625adb02ccd1a

SHA1
e00fc95b1f0c2015343be38a46a229418bcd3e00

SHA256
e5a304b681db3f990c99c1a4efe3beefe017dc07470ce441ad2d3322144b4252

SHA512
d757c595436598d75644961a6954fefbf83f86983a558c9d6f955bc14ba8c7251f259e416dfb1bd7595f75799fa2d4ddc8ebcd32bad02e647d164abfa5d0ccc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUm.exe

Filesize
190KB

MD5
59195ad3df8e653c6d19eada5e132d09

SHA1
4a4f491ac1f9da7468ebb6f48dfce2a9507aff9c

SHA256
d7c3c14450c17cf61aca6343ced7f5667296a6ca41fedd1e5bd31cdf5b42f577

SHA512
a3b3f8284001dc8be9ec47dbdcbf46f84909d207b85f1d86ef80095be712612bb856ad3300c165558649c207872e5a5614688375dc921504ce201fd4ed0a91d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsg.exe

Filesize
213KB

MD5
2316e8d9e8881a8778306e29b4246bd4

SHA1
ac290fa22ddf862952860ec1b0df3c60fc2fe064

SHA256
8e8695d8ac3c9fc2b1b9f7763c6272924b7bf180337dd2b4114c98e61a57dc6f

SHA512
195e133b4ed88a3ab754a3eccc70194fa9a0194b5c3570bff08c4b3527f385d64a92023b59258052a2f6ab03a9f24e24e926aad3661d38001871d71643bc540b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYIa.exe

Filesize
873KB

MD5
8257414092fe54e51ebda07209a2f83a

SHA1
5968ffe6a5a2bf915557ce35d58d79e905a13c61

SHA256
bb1b53f2742f98c50a05fa865cee472c478421c0f6fa728438f8c0bd32757c98

SHA512
6d12e2a8c8c1faf642a8d2d377e6ceb746c0814e75d2dd8d8734e599e053320592ddfa25421a787413fe8d593a521c752f997b45d6c0f7ed5c3fa6b9ae61422d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcEA.exe

Filesize
189KB

MD5
d629d9f5403e27f81f2a95442252825b

SHA1
b85bb4c158534cd8ab44daeece490de653225495

SHA256
37277f777f6b2c1ea97be5e35cdd59d6d5e3049e1af6ef24136312d553052695

SHA512
2e786e5e93310d908fc74d1937db9a30b06c617a636265e5b4d2b59031df5d8402c8abf57fb124c4b29836ef22a187fa145565cf39f28c73198cda55096013bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswA.exe

Filesize
238KB

MD5
57a0b62ac60ddcafc4d9ad945c4dbf12

SHA1
12be8e718afcd3f9cb1b93121998cb8a062fde6a

SHA256
0f6a66dde086e9ceb9a17c59985db6206fb19652073a4efa1cd38c9413e9fb11

SHA512
c1430bd591fe2bc7c2fc1bc3393da166bba923bc92b6941516cb16e5c435ac175fdfcf150a543241a5765b721641f89a3bfaef10671da2d8065daa84affcf4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswq.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQgw.exe

Filesize
440KB

MD5
9a3537f764f975722d2eacc6963de0f8

SHA1
3916f65cf11636781aea8eba79a499a768f4403e

SHA256
a0e89a7f689d5637ef91e392a5a01593285b6cc9bcb2b7aa28e4a4509c64d260

SHA512
16de16f7cc41b457f4eaad9c3d4ddfa27e76c3539310e9d046138d2a1a7de016da2b23ab92f839595313f2b529a88af2df93d9ba5671bb58c3a07c1676d4dc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEI.exe

Filesize
189KB

MD5
1056e1fe68ac7e787187e5133851f11c

SHA1
eec40c9768cad46dfbbead2d68f86a8394c4336e

SHA256
9f658d466c6da34d27f0b4925de7b8a2e55791c877601261f9e72867cfa83a62

SHA512
0a76a5a2d35a71582a54f838129e93e364533d656814df6d98c4b583ac09c788f138bf4a705cddd274a9536c5209c6012fb2740b101db4d7409d90a719cc7af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgQS.exe

Filesize
189KB

MD5
606bf7870a4cad8829cf390d7c3c6f25

SHA1
735db57b20ed6703b4655852089c72882db91173

SHA256
071675fc16c2f60428297476d8d7ab08da72c29c7a146d95752b906d9813fd3d

SHA512
e9e8a4091df29365f633048ab0aa6d2050dfe8569d373f6375f23c7b934e61f6af50ed4bff9f43781357fa0b9bcf51cbe72ec993697ec4619c5560328359b40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMY.exe

Filesize
191KB

MD5
a7559096c9b51138e0c658f4fc3cb3c1

SHA1
15c916313366ff0cec5c0446e92ae0879ff1c7e0

SHA256
452d28c00d19b701ce1acaf433dff03665f8aa43c5df10686bd8e91fef906a89

SHA512
ec71bb553f65b3a02d924ba329d571a538f380db4ea7a1abc4760bde2f346540eabb6bc00d258d2cb95331616e7e01c3b2cddfdfaad666442556ceb3743ccbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYkY.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocAe.exe

Filesize
194KB

MD5
a2d75f95f6f86833c9e5b6d22e3f8b62

SHA1
de4dde09ed71699f8f29af11ecf9dbc795e051f8

SHA256
90ace0d3afd77074f6baa6028ac7dfda4b12248affa773c9cf9490f8128c6498

SHA512
a3eaa4c15db474c9664274f7d2b5b30aedfd5aa9bd8c192efd339a3b313a3bf8306260c511de72805b7e99ce69cb678bfa8525f80dba4963c0f619a5fb5f1e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEs.exe

Filesize
315KB

MD5
877be61d03164b804a4f47ea43775d1a

SHA1
ef5c0bbabf4f773ea537ea039b1ccdd6b37f83c2

SHA256
b4b8628d54ec183eb27202e3732d0088159cc9deeb9309c51d4e071a5d3de5e7

SHA512
77ed5468abbc6f37702b2ec59de121fb0e71efb0f6e9a40c94617257045e80a65d8a887bb002f9f296b9f1e830dafac92708be4518acc6743883155ae6894bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\osYw.exe

Filesize
751KB

MD5
89c3a5fad311c4185a28244f51fd51b7

SHA1
76ed9a1da5eb2d0656d010c362bfec2f7c0b5220

SHA256
55dee4b2847ded9f2ac2b921a84b83e4de5aa712adc9fa0e6a321e14af98abbc

SHA512
928fe2edb68544e27250bfefd65cb1f090579cf0158a0b7567e27f7da076cb513b52d2f6ffa98bedf3eea4125ca5bf1be81dd2a6bfbfebbbee84a640614bb641

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkw.exe

Filesize
184KB

MD5
6e794fbb5fa1b4edc0836c3863030502

SHA1
545043471d3bfdf2425d7000f36678a2b5d38efc

SHA256
d51885a4fae77f40716ca67a3e4d04511715d6a6ce4444591085f5ee7df32bda

SHA512
713e994d7d582d2acf4d96ea73fcb42c8d6fa947257fe5bbcbe1814a59d5fccaf070965e3d82eb4e7d14bf6ba5792a9667a50f268a8e03e90f467b734b75a33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUIk.exe

Filesize
194KB

MD5
b304e3a50a99909b3ab250452ab3afb4

SHA1
883ce1593f322415bc274816e477de8323708f29

SHA256
0c428b914ef7bbd320763602e77c5c09bf1347e350aebb43d3bb98655a37f2a6

SHA512
d8108bd986a0b46bd6a862c1709e84c86afceca886ffef61534a1153a29c21b81d9a25a5ca9f02ef6d4846af8a61206ba4ec8a878677d103632d75e750b2d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccM.exe

Filesize
228KB

MD5
713d5d65658d084a1ca53e39f06c4884

SHA1
bd5a2696be658fa7b3f1b2124d7551c1ba8b0878

SHA256
90bb522aacafdcaa8e7d3dda361541d7cdea17b437d58d843d2c5c2268f4f79d

SHA512
c3673b517100b5cb49cd7db62a5b67125d3dfa9d8602aa233c73c2c4fe2cf5b3a9ecb77b464057af2343b4c76ec9b38bc0cd74dfc58f5f3de86d7437b558496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgc.exe

Filesize
193KB

MD5
e84f59c76082aa5609e456abd2b1db5f

SHA1
23284ea608e2893f62b71509669466ccff8e27f5

SHA256
7df5c840cdc907c69593e9476a36a0853c9492efe7944ff4452edd7ec8cd5374

SHA512
bf5990643b64c8808c2dc8ba5f8356eede194fbcc659aff1722c1d0b455461bb4a5be0eb0fc1f041bbe9dedc69b0919765ce51e844cd4987638f32d221a0cc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEkA.exe

Filesize
798KB

MD5
367d8c5afbce4e25019deab590c2d470

SHA1
04b378f7ba87590089a84e9663d05aa1111ef2f4

SHA256
c1e52ad669e3aef290945bc812935280aaa0b8281ee036679ac5064a34251cb9

SHA512
42e8d97df1e641d9fbb718546dc363e9b60ae38bf3b5428c31ad9be2a7fbbc3a48e1e32f07bdbfe8cde72c8bfd46900d40a205ef4d369372b88531cb0bed2a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAI.exe

Filesize
772KB

MD5
a6488d23ed2460a730f71f2d6cd53f3d

SHA1
8fdeeb1d5a99abd792a77681a1fc91316adaf37d

SHA256
e6c948550f01f90926ae2c7852442ab9a52881600740dd41c23b29072bc14d41

SHA512
2e41fe52774b638b9e6364c1247ec1fb8af572dc908e6e4da28c1882af158f00ca8db8ef6a33fee43e9ccff0e02beb5fda102997c670ee87770093bdaf891f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggq.exe

Filesize
230KB

MD5
d185efee8994dcd49eb607862a8330c2

SHA1
2b2778c608da3bd3dd2751cb7a2c35ef3d2f2fcc

SHA256
212c8b40d142c4f8f47aa3cacdbf073498a7a41025257652dedd604479fa6fec

SHA512
a368e8f0524e05fc452e515d102aadb355033c52f270a2e244a3a0b54a555f5b2117448dc47d81d9a769ed98aba90db5a125566642b33bf3ab77c25a4c11bd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\sooM.exe

Filesize
818KB

MD5
eefb7a9f080726dc903028d1c949188d

SHA1
5f18c2bb45416f3bc3b41acad474c14cce928d2c

SHA256
f6fde09665638c7def3f3bdf25d0e50f407441ab802d865fa296e0b13ac35c79

SHA512
afaf04b81ab1bb235f8bc82c2816cf6c52036d4e6cb5cf5cb124d0314711c0b4bd8b984dcf31df73f256fd05e4ba83b9822a0dabe1e6aeefdfc50166c1485ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswK.exe

Filesize
203KB

MD5
989cee1e3bdbd102624c22533f5110e0

SHA1
a160a2463626b4f8f34cbd717d05f4c65b721641

SHA256
141b883fde97eb885964f2d838ed1af3690134e83f9f05ea38ea8e4721330f11

SHA512
4e294fcf4eb28e7275021a868c72ece915e052763706331a2137be5e5eba4c1e3a670e55bb8cca55c694791e6374f6aa1610e32900c97b6c9dbf7d34865c735d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUQ.exe

Filesize
1004KB

MD5
4709b3399a9af578d21c2cc1d929b1be

SHA1
37de940759b135f22c4ce06b82ca0c40d1768bde

SHA256
a0c1819ab9cb40956faff3dacbd65dd8c9ccfc1a6eb893e9508e528e70a03819

SHA512
37c3668e3f0f414446c96f12544496c9c5501c427f439bbceff0af24c04671f58e8e9553cd12f45cab01d96a9ee3b94e3c19f5a2e166ba75abeb2cf4587eb765

Download Submit
C:\Users\Admin\AppData\Local\Temp\woMk.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYq.exe

Filesize
813KB

MD5
86e7f7ebff94ab48bc5b6650d61837af

SHA1
5c2ffff5815cba825aa90ca7192abe0ae6bd8103

SHA256
1c69ca1dc637e2d2ea0622ce8357a1d7942748efda074286ad787338035e0e52

SHA512
1ce2dc9f1e699bac69008dfb2112084a7136ba71d49ef4df57a03972e82951e79a38ed08424b1a8e5156810d6762a2f6da59e557000944d7d6111aa3a79366cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYi.exe

Filesize
334KB

MD5
fa5531d0bc155f681cd798ceb8de747b

SHA1
943d47a315cea3800e4eaf375f0792c56e80317a

SHA256
77f3cf4c1362f96694566c2fb35df7dbf649ad3db53b654ced05a3342ce9d095

SHA512
1672d3780af348377e54e3c877a1593aefa884bc9bea518b3e88c04f59271c920ba84aa1a4087306508a05d2875666b5bd4f955bb71d3294dfb53ed761cef9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIMK.exe

Filesize
200KB

MD5
24b816736bbd70c31db09947cf8f8015

SHA1
eb8437ae2c0ebb6683ed931f9cd8a908bd88ef61

SHA256
5cf43e17613e5f4a4807214270a2f26c90e39e644df508122fb054fd7610a6a1

SHA512
e9273d1a7789469b0fa9c1783d5755a0c7f41c17e445e691218f64387069a1f4ba8167e421acc637ace76c6f63d6e8ad65dc93c5eafc27687afb965a05975635

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQIu.exe

Filesize
205KB

MD5
4040c97093ba941f0f4104b3e119bc57

SHA1
df189be67a97b3f03d1f5ebf60a8fb8e6a907985

SHA256
1516ff452fd162feb8a4876d194099171e1afb13f9221009507022dae67f00c9

SHA512
5c71ac3bd518a3575d920227ed09f470c6d04580aa270f4b32acb4371c2023a00acb5787678b12e1a5783be946aef01ec40a66f8e8b9cc219ba15d1899ca518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMc.exe

Filesize
480KB

MD5
ddf0169d5a97c7bf5cdd6f9b9e865458

SHA1
edf4e84b96928dad79eefe16fe9dfb0caf618987

SHA256
5827d517671d478a244a5769daee9535425c2e7378d59853f8b72e0e1deb0b21

SHA512
6d64706bdc463b1427de4e4405442b6f767fa9ce4d75e67918176049d6d5b73e41aeb8c6d971e3257b5a2180e2df18185236c1cd7386a33ff812ca5e35779ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycII.exe

Filesize
197KB

MD5
d3c3cf872b8570470bf1082385ffb7b2

SHA1
b914cbabe0f3c5cc1ffa91092a5d515fc42788c5

SHA256
1f858712fc614b129577dd0a310d2fa1c2a20d3c50a4c0c5e8a0dcda841b7cea

SHA512
08aa2fbb50b67fdf314030f0c9d85592c3e2947677ae2f2fa785ee0acfc17e644b477d873877ffc79f1fa95de0c15568a40874a069d191965243e3669a3a3881

Download Submit
C:\Users\Admin\MMYYYcoI\GgkIMoog.exe

Filesize
189KB

MD5
8e6c1baa4a345b36d7ce03cf095238cf

SHA1
1b2938fcb8addf4428a9dfe1939e190796568e91

SHA256
ca96d26fee8b06dbebc61c4671cce6e91a50adaa52c77a8ac9200c58a90cedb4

SHA512
bc7ff14290b932185af354d06fead24847cfd57d2569aea009148ab0cbac26adfb532f2e20f6c9cae4b25158edfa704ab7adcbe35c4f882ace7204bb2c35c73c

Download Submit
C:\Users\Admin\MMYYYcoI\GgkIMoog.inf

Filesize
4B

MD5
2f4b055248c587634aa3aa2bd2ad3f95

SHA1
04266f5fd1e43cfe5af3a069105674b982263873

SHA256
2432b973227da8c9860285fa911e336f79f9e18f011894f5241bf429406b9f94

SHA512
ffcf0859ba0c4b8aff61431422c72d4889b7dcedafab9f879b5aebe209f482fcc1384048d7339f2041700438a226c8cb49e8a492b20c292cbb570430f0074cca

Download Submit
C:\Users\Admin\Music\DebugUnlock.mp3.exe

Filesize
332KB

MD5
27a5e0efe77abcc75a1658ff01c50da2

SHA1
7e1fee6eb36990320851854810798b83a6d9b132

SHA256
f58a063ac8f660e4f5b65fcd984c85fd52fa5dc1140fe5a869eb9a2eb06842c8

SHA512
606224a4565cd090577eff401f4663bee6cc58cd9aba0869fb503d6c0ac5d9bdd7179a0fc969155a5f5e05512d38168281487b80dc1cd09579f1b8f0a14bf166

Download Submit
C:\Users\Admin\Music\SetRead.bmp.exe

Filesize
400KB

MD5
cc6ce3152408e0c1fc927005af977a15

SHA1
5c28f0e2376fe0b01bae3c650a4af87e6cd72056

SHA256
661eff03788b7d9cbc915428f856c05e932b528cd51f205f4c5e0a1ccd3f00a5

SHA512
973aff4c1f742484f4a55c9d94683342879bd587ffb49e7d0592b5ab50a8859c294770e0bb63f4feed1e8d85ebe03d2de70b2d48a268f5485a2444d793b2589c

Download Submit
memory/412-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/544-619-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/836-638-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-646-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1000-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1348-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1352-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-715-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-1056-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-1045-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-666-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-674-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1992-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2180-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-504-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-828-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-682-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-139-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-585-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-498-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-525-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3160-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3252-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3368-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3368-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3408-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3512-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3556-628-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3556-620-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-656-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-665-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3704-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3836-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3836-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3860-567-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3892-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3956-879-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4000-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4080-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4116-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4128-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4132-1044-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4132-994-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4156-1052-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4156-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4196-980-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4256-533-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4324-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-602-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4696-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4788-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-654-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-751-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-915-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-691-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-611-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download