856b4970b7c9f02b05f3d0851aa19607ac9f3a20c3cd00602c27a90db7cf7403

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Size

207KB
MD5

a15a2fb906ba42425a98b98c94e4f4ad
SHA1

ef86c496d4fbfa8cdb9a522826cdb14b1b4c420d
SHA256

856b4970b7c9f02b05f3d0851aa19607ac9f3a20c3cd00602c27a90db7cf7403
SHA512

4b061be8e56c8864fb245a12c4ebedea2156854dc197b5452e0725fa2abf1f61ef5cae5abe568ebe45ea8af6429daf312dbf7e87231fd67d7ee2033e3faadef3
SSDEEP

6144:fbZ7dlHxWinSO54nNQlfC0QqRWQCqeXhn3X7c7XPbzwc9ZJu:TlHP540fbzfZJu

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	zwMYcMYc.exe

Executes dropped EXE 2 IoCs

pid	Process
1632	MQUEEMUw.exe
1760	zwMYcMYc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQUEEMUw.exe = "C:\\Users\\Admin\\ZsQcYkws\\MQUEEMUw.exe"	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zwMYcMYc.exe = "C:\\ProgramData\\zGIQkQQA\\zwMYcMYc.exe"	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zwMYcMYc.exe = "C:\\ProgramData\\zGIQkQQA\\zwMYcMYc.exe"	zwMYcMYc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQUEEMUw.exe = "C:\\Users\\Admin\\ZsQcYkws\\MQUEEMUw.exe"	MQUEEMUw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	zwMYcMYc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	zwMYcMYc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1752	reg.exe
3808	reg.exe
4684	reg.exe
2000	reg.exe
4500	reg.exe
3764	reg.exe
1240	reg.exe
3704	reg.exe
2004	reg.exe
4652	reg.exe
5052	reg.exe
1492	reg.exe
2448	reg.exe
3536	reg.exe
1636	reg.exe
4408	reg.exe
3988	reg.exe
404	reg.exe
4804	reg.exe
2076	reg.exe
4780	reg.exe
4864	reg.exe
1764	reg.exe
2384	reg.exe
4340	reg.exe
2432	reg.exe
832	reg.exe
4788	reg.exe
1020	reg.exe
1508	reg.exe
228	reg.exe
3260	reg.exe
3552	reg.exe
2876	reg.exe
4572	reg.exe
4572	reg.exe
2312	reg.exe
724	reg.exe
4376	reg.exe
4520	reg.exe
2312	reg.exe
2548	reg.exe
4760	reg.exe
4892	reg.exe
3816	reg.exe
2248	reg.exe
3012	reg.exe
3384	reg.exe
3400	reg.exe
3564	reg.exe
4808	reg.exe
4420	reg.exe
404	reg.exe
4196	reg.exe
2232	reg.exe
2196	reg.exe
1860	reg.exe
2392	reg.exe
2716	reg.exe
3536	reg.exe
3288	reg.exe
4288	reg.exe
1832	reg.exe
2676	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4576	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4576	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4576	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4576	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1752	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1752	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1752	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1752	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3616	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3616	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3616	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3616	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4324	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4324	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4324	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4324	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2980	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2980	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2980	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2980	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3236	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3236	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3236	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3236	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3596	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3596	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3596	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3596	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1168	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1168	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1168	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
1168	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4372	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4372	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4372	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4372	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4820	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4820	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4820	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4820	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4788	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4788	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4788	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
4788	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2276	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2276	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2276	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
2276	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3496	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3496	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3496	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
3496	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1760	zwMYcMYc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe
1760	zwMYcMYc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1632	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	82
PID 4588 wrote to memory of 1632	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	82
PID 4588 wrote to memory of 1632	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	82
PID 4588 wrote to memory of 1760	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	83
PID 4588 wrote to memory of 1760	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	83
PID 4588 wrote to memory of 1760	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	83
PID 4588 wrote to memory of 436	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	84
PID 4588 wrote to memory of 436	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	84
PID 4588 wrote to memory of 436	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	84
PID 436 wrote to memory of 448	436	cmd.exe	86
PID 436 wrote to memory of 448	436	cmd.exe	86
PID 436 wrote to memory of 448	436	cmd.exe	86
PID 4588 wrote to memory of 4572	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	87
PID 4588 wrote to memory of 4572	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	87
PID 4588 wrote to memory of 4572	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	87
PID 4588 wrote to memory of 404	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	88
PID 4588 wrote to memory of 404	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	88
PID 4588 wrote to memory of 404	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	88
PID 4588 wrote to memory of 832	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	89
PID 4588 wrote to memory of 832	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	89
PID 4588 wrote to memory of 832	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	89
PID 4588 wrote to memory of 3300	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	90
PID 4588 wrote to memory of 3300	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	90
PID 4588 wrote to memory of 3300	4588	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	90
PID 3300 wrote to memory of 1512	3300	cmd.exe	95
PID 3300 wrote to memory of 1512	3300	cmd.exe	95
PID 3300 wrote to memory of 1512	3300	cmd.exe	95
PID 448 wrote to memory of 2036	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	96
PID 448 wrote to memory of 2036	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	96
PID 448 wrote to memory of 2036	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	96
PID 2036 wrote to memory of 1572	2036	cmd.exe	98
PID 2036 wrote to memory of 1572	2036	cmd.exe	98
PID 2036 wrote to memory of 1572	2036	cmd.exe	98
PID 448 wrote to memory of 4904	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	99
PID 448 wrote to memory of 4904	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	99
PID 448 wrote to memory of 4904	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	99
PID 448 wrote to memory of 4436	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	100
PID 448 wrote to memory of 4436	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	100
PID 448 wrote to memory of 4436	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	100
PID 448 wrote to memory of 1340	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	101
PID 448 wrote to memory of 1340	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	101
PID 448 wrote to memory of 1340	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	101
PID 448 wrote to memory of 3508	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	103
PID 448 wrote to memory of 3508	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	103
PID 448 wrote to memory of 3508	448	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	103
PID 3508 wrote to memory of 680	3508	cmd.exe	107
PID 3508 wrote to memory of 680	3508	cmd.exe	107
PID 3508 wrote to memory of 680	3508	cmd.exe	107
PID 1572 wrote to memory of 872	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	108
PID 1572 wrote to memory of 872	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	108
PID 1572 wrote to memory of 872	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	108
PID 872 wrote to memory of 4576	872	cmd.exe	110
PID 872 wrote to memory of 4576	872	cmd.exe	110
PID 872 wrote to memory of 4576	872	cmd.exe	110
PID 1572 wrote to memory of 4340	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	111
PID 1572 wrote to memory of 4340	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	111
PID 1572 wrote to memory of 4340	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	111
PID 1572 wrote to memory of 4700	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	112
PID 1572 wrote to memory of 4700	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	112
PID 1572 wrote to memory of 4700	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	112
PID 1572 wrote to memory of 4248	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	113
PID 1572 wrote to memory of 4248	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	113
PID 1572 wrote to memory of 4248	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	113
PID 1572 wrote to memory of 968	1572	20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe	114

C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\ZsQcYkws\MQUEEMUw.exe
  "C:\Users\Admin\ZsQcYkws\MQUEEMUw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1632
- C:\ProgramData\zGIQkQQA\zwMYcMYc.exe
  "C:\ProgramData\zGIQkQQA\zwMYcMYc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        8⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        12⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        14⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        16⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        18⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        20⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        22⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        24⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        26⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        28⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        30⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        33⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        36⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        37⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        39⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        40⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        41⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        42⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        43⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        44⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        45⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        46⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        47⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        49⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        50⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        51⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        52⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        53⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        54⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        55⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        56⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        57⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        58⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        59⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        60⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        61⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        62⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        64⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        65⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        66⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        68⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        69⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        70⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        71⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        72⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        73⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        74⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        75⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        76⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        77⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        78⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        79⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        80⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        81⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        82⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        83⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        84⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        85⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        86⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        87⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        88⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        89⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        90⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        91⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        92⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        93⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        94⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        95⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        96⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        97⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        98⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        99⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        100⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        101⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        103⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        104⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        105⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        106⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        107⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        108⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        109⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        110⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        111⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        113⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        114⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        115⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        116⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        117⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        118⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        119⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        120⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        121⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        122⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        124⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        125⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        126⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        127⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        129⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        130⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        131⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        132⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        133⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        136⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        137⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        138⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        139⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        140⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        141⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        142⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        143⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        144⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        145⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        146⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        147⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        148⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        149⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        150⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        151⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        152⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        153⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        155⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        156⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        157⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        158⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        159⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        161⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        162⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        163⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        164⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        166⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        167⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        168⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        169⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        170⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        171⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        172⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        173⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        174⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        175⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        176⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        177⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        178⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        179⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        180⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        181⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        182⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        184⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        185⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        186⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        187⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        188⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        189⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        190⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        191⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        192⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        193⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        194⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        195⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        196⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        197⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        198⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        200⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        201⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        202⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        203⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        204⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        205⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        206⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        207⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        208⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        209⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        210⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        211⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        212⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        213⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        214⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        215⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        216⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        217⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        218⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        219⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        220⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        221⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        222⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        223⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        224⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock
        225⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock"
        226⤵
        
        PID:3012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYUEYwI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        226⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQcYMgAs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        224⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWYwYkwI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        222⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEgIowUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        220⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEwIYYAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        218⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYUkYowI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        216⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsUAIcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        214⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUcQYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        212⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwgYUQwk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        210⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lycsokEY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        208⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suosAoUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        206⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgAAccE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        204⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUUAYAwI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        202⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMoQYMcU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        200⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIAcIcEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        198⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsEIswE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        196⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hksoMQUo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        194⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iooIwoIk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        192⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmIkkAQc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        190⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eisIcIkM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iewQIsgg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        186⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQQcooMw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        184⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaEsUEUA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        182⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkswMgsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        180⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGYscAkg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        178⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECIkAoAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        176⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSUMcwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        174⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEssgAUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        172⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsUkYYwY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        170⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGQIckkU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQwkMMoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        166⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKssgUcM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        164⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwssEAoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        162⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIoMAkQo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        160⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCwcQkEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkgUUQAE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        156⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUQUEYs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        154⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmUscsUA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        152⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCEEokcg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmIoMMYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        148⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWYIUcMg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        146⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsUYQgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        144⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcwQoMws.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        142⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOoYkowQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        140⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qogkQkoM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        138⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iusMQYog.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        136⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgEssoUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        134⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMoMAMAA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        132⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMosUsEA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        130⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgQQEgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        128⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POYQkYkg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        126⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAskcMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        124⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgcMcYIY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygwogowQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        120⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgowgQAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        118⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqocgAcY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        116⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMEksEsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        114⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMcIIAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        112⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XccogoMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        110⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsEgskgw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        108⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCIMAUwE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        106⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAcEwMYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        104⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEEEkcEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naMwsYws.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        100⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boYUMcoc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        98⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwcgUgwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        96⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEkIYcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        94⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYogscA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        92⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgMoksoc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        90⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyAggIkw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        88⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgsQIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        86⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKsUQAkY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        84⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOsAcwss.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        82⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kogcsEAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYsEAswg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        78⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysgUgYAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        76⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwAksscs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        74⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwYEgQYM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        72⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCQossks.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqowIUcE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        68⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acMkgcUs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        66⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uasMcEwk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        64⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCcQEscg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        62⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiIQcIUY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIQwsAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        58⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWwQYwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        56⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcoUsYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        54⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igowgQIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        52⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCsoIkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        50⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWgMYIMg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        48⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQUsgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        46⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKcEcsIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        44⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEMgcckU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        42⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buQYEYso.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        40⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMowMcs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKEYYcAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        36⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWkswcEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        34⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuEEkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        32⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vesUYwEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        30⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEIYwok.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        28⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQwEsEEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        26⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\micQEAko.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        24⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcgsgoYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        22⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESQAcYoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        20⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEUcYIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkkEQcoY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        16⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiwoAYIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        14⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeUwgkcM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWUcowos.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        10⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCQYgMEY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIAQYIE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
        6⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgAIksAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:404
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYwIsYwA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
312KB

MD5
6ef71d1bf3bf91c37305c423ed42d6f7

SHA1
e5e33da074caff0d3b2c2746489037a12f387fba

SHA256
90b9909e05ac93861887aeb5a138c16e6d81370cbab9fa54219725c1e4a90218

SHA512
97d39370b26045d5c2fe9106286c8737dc1ad432b0c1840ff5164160c49c51bc7f4b7055e9a31081de29014eef3936d9f2ed56bd41e330df95943b36fe40fedf

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
221KB

MD5
47101f5194a986c213863eda91571ac7

SHA1
52bd53b95300d969b504136b0b802ddf7b26085d

SHA256
e0267601c38d8c4d19362dd38743f5ba768dc8802c28c38875b704fc9ecc5236

SHA512
b630f6bc8d0263ed226e2b2a7c588b934485bb7b26daee42b8a65f12f038eaca5893ef3c1ce6c610ffa70af5fc1353b68e15cb91ebd43fd694046baa3065d039

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
322KB

MD5
3cf0487733be8bb9a0b283f9c40f4353

SHA1
b4649bc2644ead966f9f6a59f0a2ab9a079891cf

SHA256
96bef8a4b8db8f4d7d9bd0485d67f9bbf222cba28109ba5409de03d6d4a1974e

SHA512
7f56ce1db4a892f9cd887ef756b8db49e5589a2794ab21ab0e95cd48fb602ad431006201df6b30a89d2fbd4ba2b26fe1b5575231708cb09a761a8db4c44ff0fa

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
644KB

MD5
fc9638acc4e940fe22b37593b9bd804a

SHA1
a66c99b4c15958abb0762ae23900e1ce50eb4a17

SHA256
054ce95c7717e783356942640b5d1c0bb5844a3089bccbefbacd7db8d9b56fcd

SHA512
0ab0c98086ecfa9f23428b0e963ea813006b0c8fad7bb50987d4f00b5aba8017a3cd9b8545b7028a9e3fa2975b4d912cd9993b3aa666a4ffac30da7cba6d6414

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

Filesize
796KB

MD5
e74885450afcf3d750c6e01472b427a4

SHA1
289386475ca3cc46e596c8e805d436c086d36e1d

SHA256
9492df460270b525ce2b11fdd008f0d1a53d1f807993b9721bf188689ddb6797

SHA512
6517dbf53dc80eb2a0b80b044914ad1f396f614b3f6b8c13331ece0e23415198061a2cc534f6d9ce6fe5c905ac3075b8c6aec54203fb9911bba8264d77782202

Download Submit
C:\ProgramData\zGIQkQQA\zwMYcMYc.exe

Filesize
198KB

MD5
1a1f00c199e4f01da7bc77fb60eb3285

SHA1
049dc786eba9389c59764d75b5e1ce4f8fe9399e

SHA256
f040f73f50daec8f394dff550ac59706d5f93a22dec28b850fe1e8ab6a293bfd

SHA512
b2979e27511e983e707900c24ce206555d841458405a5bb6ad84035c25acd7aff1219bf179aa6a692eda2a526221bd8378df3f9a235ff4b6311d575f905babaf

Download Submit
C:\ProgramData\zGIQkQQA\zwMYcMYc.inf

Filesize
4B

MD5
8f2016406a217c1325daf41026eb169d

SHA1
fd6e0e6c7ae5eb4c94cd2c68518e1ddafc2547ad

SHA256
7a78a0e48827045ac4a751d08dc64dfd7f596e02fb74a2cb2311b349da23642b

SHA512
5cdd9b636a078af9f5d4738f52e6aab1f1014b226ad7c8ece75532613efadb5c8c503245a344c000e170cef4623b5fc695eb0bf0ca9a772adac51107feb23ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
204KB

MD5
e0b9052ac0e596838d938d0b3f5dc69b

SHA1
71e6c3b643f84be4e534e81c81228343e381768c

SHA256
584651d24e656d321b427b161f17c0821a48c27ae905da63aefaa4ff15d50b16

SHA512
536e1a4a8c98947cf20d0dd084a77e47764a5c66ce0180a67b0792ff08e27868fcd1fae669ae99664419f6f5112d630d959b23296dedb4378c118a5c674240aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
194KB

MD5
e0a710ee91571edca0747ead958752a8

SHA1
2abb0e8c7b42450096b49695d2b2aa5a18ece3d5

SHA256
50cfb292768caae9e5ca686aeab2437137d7cc17bc05d96d5b777f4b25515d1d

SHA512
bc461f78db559e4ab9ab1ab79a695135b3a61827e42316619f456f46a37f9ab8fda2dc392b4e1421e1dd3c9fe73a2dcb792cfd381cb15ea79dad159b2bc5c1b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
197KB

MD5
d7467a3193b8e2bb336614cb8ff40971

SHA1
e7362a5dac96ff022008f35772eacd49b219fdb9

SHA256
0e6a5263b25c1da00fa8636f0e246663f4223a3db1ebe65da92827fe19208be9

SHA512
b908826fcc882e30e941e32b9abd74302c6c16ce3083f0fd1973178fea7028c612269d63f53bd90f66486d99c10e15d0f879bf70acf9746ccf63a92101f3f305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
190KB

MD5
6b3f7b3230ea53d1d87c51e14ee15389

SHA1
a9e651e67ec5756a8e3dc5813410b4efe723bf73

SHA256
979b0135a0e48570d65b9e7a76acb64d653b2decb113b083e952aaa38fdabb38

SHA512
035d366aaa8f1c6ff0094325aa94c00078bda7c12b74558b6dfaa33fd2e85dcc4cf6530d59c85ba4cb526e8330f5db22a4132ed718206cd7f5bf5e066b0d41a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
198KB

MD5
c89b0699e79d781f5ba9411dfd59ef79

SHA1
b0adcf8d5dd72124a939a52e308170793884c349

SHA256
606acc31421bc5e96bd0e93091258cdbf1c5819518ad2358f30582fe0589c9f8

SHA512
1bda09af521c8c5b31d37b7f3b26f2eb634c5322972c7d1973017afb6e39014add483a9657859a6bac1d3e7c5d4a0c0651441b5f7a7318e834a8a3ed585650e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
200KB

MD5
544ae6d1914654a9c38adec019f3b67e

SHA1
826396b0c6cbe66b9719a76e3461d013dafd5ba1

SHA256
f88d5b47a8cd590a031df66d91f9d6f0cd4a2cd442e0552d31bdff8f5880b061

SHA512
e0a3c1eda562c85fbe879513f10ad5c87d20a55f186d743ae5accb686d73c4b0b14ff85667b08e5731f1c249243551f24bf99875da236809832434401baee864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
189KB

MD5
b658fd1ba3772716a214d3db7bf8d4d8

SHA1
8131e5c1d896232435db2a01257b4e9334cd4600

SHA256
4857627b84dd1eeb43b7108bbdaa86a97489baf10bf4121edca072b96bf11cc7

SHA512
6b1f87f0f00a449b87f68b278d11f277d3ec216f1560dbd94576e31d11c2f7b445cebe62cb1a7f1cc930f3ae0f464ad5ba8eb959e82bccd34f07481c727778ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
205KB

MD5
d24ba6105b6b18d401070ab3c7f6179d

SHA1
633ccbb318057face167e582e6dc7b849bde4f2d

SHA256
740264b1c45970d89ba8d48bc11bd9e6584ce188e916726f78221bbc0d587229

SHA512
47ac4a9e0cc7b76039c6a894aa44be8fee3cff385db45792d8e4aa7cb0daefbcd1186061568628c68058afbc91e5d43a3723107ccece54fdc013f7ab9c59a4b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
195KB

MD5
aec1297ec88bd6c3f3df74d88356512c

SHA1
9cf0c7b3153f357d01b728af26f03d819cbfd78c

SHA256
d68ce236bc04a56194e0d707d868cc9a915a5e12cba20336ba54f6d4cd60e982

SHA512
d26c3605ae135fec1bdaf10df9a20caaa7bbd989670ed82b34f62c7ce1a1a07ab01e75af007cfe605463fc5b7c95be7b6000ff220c830f26a37316db23028e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240920a15a2fb906ba42425a98b98c94e4f4advirlock

Filesize
3KB

MD5
f914e6e58fabc9e45dce8645ff188bde

SHA1
e16ba069be4ac338fbfb731d5dca60685300ffdb

SHA256
51d110882b29e686326a7f942b829e9d1df5c0deb804b59f4e62bab84cdac26b

SHA512
2f3924f255c453ee32bdbced2ca690ef6ed2ef1b09dfb4922bc8db48071c174d7217916109c63ff1a38b09714b5d5f3557dd6aae8edc99e775bf3fefa7d046b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAAU.exe

Filesize
193KB

MD5
3fa9d401ebf86d12e94e85578cd58d55

SHA1
bc7a2abf8c24c7e1762cbecad9b0ebeae59a5a2a

SHA256
e581408cd6f320019d6aee9540e9d106d9b8a69dc2984527be332477cb22dd7f

SHA512
1c703f9ffc93ab560163e1d74d103fe4a6aeaa0035bbb4a324c7a473e5f26f3e09fb36d2df40d2dee074effbac6f8cff6b5fb3e5e04338af1dedd353b22e1a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAAw.exe

Filesize
196KB

MD5
950dccc4150a33d080fdcd2f9b5c0d40

SHA1
2f38051565ca157ce7f8d684fd7cadb027a54328

SHA256
e3c3358ed3de39d4a65e4b941d4c23de2b2480eb679fde9e2579259a838408e2

SHA512
d4812ab73128f90374df4ecc952c54154c037acc19a6724ab79f1407859f15c1f07bcb570d3a0eb86d57e4656a070b61a5da239945591ddea6e1169c37dcabd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEgy.exe

Filesize
417KB

MD5
3dc49e74275a425ddf8bf7b39e3c5119

SHA1
28438d35557495ff0e508f73b979ec3e8b5ab0b4

SHA256
1d6d40a8043fe654886c3abbf486cb571107221a74616b31ca251fba7051af68

SHA512
de576abae8ff829d6254ee80950299cb5d209d9462c2e3fe9d958631d1e398f147d18e69112b8cc41eddf6c9bdff7c434016a480427a8a30ff28654da95ccf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgM.exe

Filesize
203KB

MD5
e54709ac92f8eed2082f917f274ccfcf

SHA1
0037cccdf5e9ffb162f8913778cefec2cb66ba86

SHA256
63754da32bc1340d3fa3a19040a66cdb86288fddeb70ffa0b8dd193595bbaf10

SHA512
4f5d7c749542c05b6fccb1ad5a75845b62752778bea0a39fe0eefbf4cbe4113bfb3c1d737733d15610b42206e379881c2dceadc0880b62f929128be3a9d6424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agoy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoUg.exe

Filesize
1.8MB

MD5
7960c6a782cb4d45251aa821938c42a9

SHA1
98bb90cf7af4128ba96956ee2922b58ef6980b85

SHA256
3e3b6e06fbd4214ce0865ab43cf4e7caba8f1d150f8f993b2ca76fd32d17bb49

SHA512
e69f6ab2398bbddaa05c2041e06ee73e2ce68c20325aee6351060eaa4aa4d092cbc1067300fa20152d66843280cf151fc6868665225bdbbc1d3e7164993208a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEkS.exe

Filesize
657KB

MD5
25ad9de33dda6e4413531dea91dbb480

SHA1
d8d50e93abe99982ad46dfad81f8d271eba6f240

SHA256
966b3d753ac08da1216024b2da8df0cb65c06d9ede44b7a73887de82bad6637b

SHA512
b59c3a7e90650906e29358ef6895f2436ec769f01c942e9eb67cae751bd0f60185dcadc429b9d7f08ccdf521dddabbfd3de30c9e6c403b084e608f249463a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEK.exe

Filesize
200KB

MD5
9c4eebf98dbe360fec04df5408480321

SHA1
bddf1cff8761b25779da724c8699b73b075e2d07

SHA256
65cc5eb65514013be96d318837e00805dcaa25f47725170a31977a110ac980f1

SHA512
e3d9622d4f88512f854fdd7d215cb0dcb5e4c361d7d38a01adda41821fa573128b4570a52e35f913cae6d4fe542773c8e56d70c17b15da52eb616dee29895e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMsq.exe

Filesize
197KB

MD5
abb2a55a3b7c615ccfb7c20083df405a

SHA1
e1442d739f72651cd1c7bee95c14830f21f7540d

SHA256
4078612bace161581f4717230ecfade5736822dd8ed9a4ac2612f4e85f5b0a00

SHA512
424a7e8282b750ebf0131fe2fbeaaa5e91c2bca4e628745ebd15890e72e3c590aa1df7f0fa404fc1ac598c6d32d7af61a4a8077aa0fb8397e5dfd43bceb1a7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYUc.exe

Filesize
458KB

MD5
30f6a4cbbe863d965235c1bbf30dca95

SHA1
4cbbb32e08d75703dae1d7017c2d8b27e6f15dd9

SHA256
520d0c34843cd1620576191034e61e2c3055baecff8a243ce858551b1b0547ec

SHA512
a38ede08d6214e56239471ce0f958720ddce4af09c50d52b146acb920e8c8035216e10398fe0e9abf2f84ad345e78d16ec446163fe4e7723f33a04e7eded7d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYY.exe

Filesize
183KB

MD5
9807a4a6aeb26ed6594ef5e1e0290508

SHA1
740dfa1a2cb5658a52bc325d3cfea94de0d0053e

SHA256
6604a79819e031560491b064f6f29a8c5d31420d8766d57a2f336c5d92ffc805

SHA512
cad8267a09b09a7d7385b99fc828953ff6b5349ebee28f1723c1b84d87474d8161a7af255c103bf94b30190feb17fa7da38c64f3470897722ffe7e376fa0dd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEE.exe

Filesize
195KB

MD5
db079f00c6fca381f52a40ab1883e5c7

SHA1
892b4eebe573786d9a69b57ba7951f82cd7379d3

SHA256
6b73be7e9e82f28f69799a9dcabc3fbea321c7c94b7de45b9f3bfab4ffbd557a

SHA512
4694454fad59d1f8a3acecc3ac0067f0a6acf3ffda00a6adb551e77157a9e8eeacdb592e6594e16cc2d05dbcdae510c6521e216d5814a4a89d628d9b3b74866e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcYW.exe

Filesize
560KB

MD5
6ab8ad382ea5f8978f172e6fed5f9bb4

SHA1
905e300e87284a5c88af3d6116c2ff6cc55f1b02

SHA256
27625a6c86eb719a86377de6cc6293e559f79ceac746bcf854461044ca45c4a2

SHA512
89525514fa0d4f6bbada5b6d6d572700d735dd81b9d1b6c6563b3c80b0c7e201a5fc7e3c8925c8e375fdb8cdbbe280ad84f84f0962c63ca4f982de87eb399574

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIUu.exe

Filesize
644KB

MD5
57313e8346e072d154e2cf2658681a92

SHA1
465be78322377c4413718cee401b8fcc2beee6f0

SHA256
277aca08378689c96f3ea304aa12a4cd989205bb8d9e1295b83ff2894598f188

SHA512
ad82615988cf3353acf5419469f0591ac7f8a531098010a5fa7b04a910b94a64a65450301a4a02a360cd7340d444aa00127cc91c38700e5cbc63c6a2511f7b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsK.exe

Filesize
237KB

MD5
01980b1d25bf1515b28ca815f06b7e3c

SHA1
34a2d6306aa635dd2c99d6714476d74da388e724

SHA256
f945f3dd400bdbfbfc6ad7118de8a6ae654ce3251bb5225cd4d4e5c1f4b3ba46

SHA512
35d10a0c346a72521ab5a5f1a45b8d100c766783f5fa69a20fbb3a7c4a4a35880562376346a01e0d9450e3ab9a2039663b9fecb019db0cf7c5a3c6556e4fc11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUgI.exe

Filesize
192KB

MD5
a3a3728b43d028de7401d950955a7da8

SHA1
3de73e6833728fd58f3dd05289885f3eeb9d32c2

SHA256
0bc1e262a12541ce001a8808fa96805d1a050d229c2e107a5070867eda286aaa

SHA512
b5dcf3e89c8bb4bb60d1c4022b934d291d435e1bc98618ee6b1353bb06cc9d3318b3309ec712f1ee79f1d57635975fc5f48a7c5974f98cd209264c5857b86069

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcUk.exe

Filesize
202KB

MD5
13d25845fcbab4dfee1e8c1607a2946b

SHA1
9ebcf599beca38e53796b89624ccaf6746e9ba0b

SHA256
903282ffb2181b06420440ce3a58163d945d717706b1421eb70293c607a9d01a

SHA512
54a834bebec6bcc3736dc6d319b53a41b24dead671dc81cf4cc045adba9a2912471c5769ba1d462be3ea9333fa225149b21da3c87f7499485635661b66c31398

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgsS.exe

Filesize
186KB

MD5
be3bb7fb3df956687d91a4c8cb8691d0

SHA1
5121a89a8a4171ba2a1f802aa148da653f857a2b

SHA256
caa6a3793b5027aa139a9ccbc4d02ed0560c2715303b443d7ade94d41a265bb0

SHA512
e539903b1b0e760714676c4ecdaf47a73567a7f61145b97fb7ede54f7f0a676f81585866040fb4085a72ec0f736ad1888428dae9acc4aedf6144b59522e7c54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwM.exe

Filesize
464KB

MD5
96a7a10ea920f4f7465cce6839b4dcc2

SHA1
19c71af3f2148eec8107a86764eb6cd65b4ac2e0

SHA256
d69477f5da654d2e5403fec70d98b89fbedd1f716fc483194ed45b043a4799f7

SHA512
49b9bfa6a43bed3b38a7b06cce0c4c0c55ca8a4ba942582c70bb0d5a5ec5cb70e4e41af5e68023bd43886e19c7c2bf31fbb0c32514efde6f0dda3d40e08d71d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gswq.exe

Filesize
204KB

MD5
e76d3a7e0454d457a94c6422d5486ae2

SHA1
7c46a331b1f0b54fcbc2413eab8596a89a0733fa

SHA256
5e6aaa7c4ae8211e4c12cb50bc23dd8223329274742c6e54c87b003babaef544

SHA512
a1139562c16b04f67cf65912dcbba20ce313d9b92dfb15b7bcc9729b72898ca5de4bd7eb54007772012d06581832cb80c111046cb0237ea647ac5ecb19619cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwo.exe

Filesize
228KB

MD5
fc90b8e75d781aa6c2db3d99cdfcec6f

SHA1
ae725126b9f855341d8592ddfdfffc0d850d64a0

SHA256
14e2fd05c57d5492932ee3b614b0b6902ed6d7098ae977191057fbd993462954

SHA512
fa2f272f571e5f0176533dddd4db61735444b8ee81f734fb456ce875a2bd9083437124b14f268d76eeeea3df5f2e713497e877d45d2868ea183c022fe9224ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IccY.exe

Filesize
5.9MB

MD5
dfc61e4c713483bff4d93eb405db77c4

SHA1
1d4498cc401dd71a21f1504e6c41c5c14c19428a

SHA256
435a13704972ccc7539fe1a1a47185a5472237305f6b074af320365f5f743acf

SHA512
b4e17242e31ec4a6bae9a7ffea5f6cce7922a16e161f696d6d6049f246ec14369ba0bd07b3d5460fb53b14e5ceacd8ab426c6db86eb37947b69f95f0265582a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkM.exe

Filesize
650KB

MD5
eb86c97791238c3e8fd11bf60f4527ec

SHA1
d3e2e2b6de7f6a21dc55d1c2108bb748772d2a51

SHA256
92815ac925abc13d69a4989ca849a915e33eadf692408654f26d93c7a809191f

SHA512
167f8b51b38e70e755941e5673ac25da1c9b5c9356cf53ed65c2091baddb4aabc080cf69b5660e8a23165db6125bd1e25060ddeb4f82b14694a4c97f69063e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAEu.exe

Filesize
5.9MB

MD5
f900dc3064e286be709763adf86c843f

SHA1
5d33d599ddd004a3c3fc5bb2d995062777b5fa01

SHA256
3f1a61e78d8300543ba2fc9337f357de9f77d14af713a16b80b7f40265dee0d9

SHA512
997e5da563244491bbf262d95c2f83a1fa0e0644b45d357ebfa27f8f40693bd62223f0c0c244d6f9ebb86c8aff30ae642d2606106a8376394d5ce1578700cb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQMU.exe

Filesize
190KB

MD5
3bc39d6a05304aab5d9535c864e559d6

SHA1
d7e6c6e24939d616bfa871637e7eb21ccf2782d3

SHA256
bbd11b774a364e8ad0e492f54be4b9079c094efdbf0ba32bcd30fc22a1b426e4

SHA512
dd0e3b24f4c61362a53cd4411a261ca323ba175ab8cf3d530a6be70672e02b59ffb6741aa1c3ee959933748615364b6ab7efe96d3535403dca32c306b32f77ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIW.exe

Filesize
196KB

MD5
23270037cf942f4bc2af9330984343fe

SHA1
d44106f2422c51e232c1cb0fa2b0dcbba9b00dd4

SHA256
02a61d1532711849f2914068d28321fdb84b38adaed3972a4760dee531a58ed5

SHA512
729e2e2f09ceaccd6a2381a833771ee5d522229ecf56c0ff114202c0c7511db99ea5c214af8aaf4bf1ff99a7f68d61f60e66b4c4c63d821180597dbc275498a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUi.exe

Filesize
5.9MB

MD5
c6aed52d4c6edcc6bad8bf70dd6b8048

SHA1
f6d5f4bf97cd6e307d1648ec57c5d755fd064be8

SHA256
71148042787d13597297e0a19047b78b5188ce0c0c06900f93ad8a8c8dfd9bec

SHA512
d2739bc866fa1f9454f0f20c98a68c5889f8a3f23578830cf95e5d6afdcba749e74cbdba912610a1270a0271d0b3df0f695b0e7c271d0c0ee011519f51fbe4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIG.exe

Filesize
239KB

MD5
6747f6c43e79c7e69e56466656c1f0bb

SHA1
720b245fd02c4334f4fdddc57a034091d59db3ab

SHA256
4a8af4d026f97a33eda9c880c3ceee95f572501b1139b76d6477c88fd50a87f9

SHA512
2baf7f7f49b680bd77f4bdc933a1d3ca85f271552f03c11a2f22e486f593cebd6224148ca5bac6c85e00c86be488945a12d139c0d37e1f8f6b8fc86600c3200a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgog.exe

Filesize
204KB

MD5
9528a63919dc660aa34f05474d20a57e

SHA1
e6ab9014fd9d940fd617f46d5027db325e61657a

SHA256
39839f949ab00b6fa6f217ae2b1709939ed194e1327c1b1cd91ed847fef78c66

SHA512
2865a1d8511f5696647a943e0ac0f507a1892abec32f068dc57f8ab88caf23a1383dcf69794a6f71808ad2cd220dd334f740b0f00ba765497b15c99699201b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUM.exe

Filesize
229KB

MD5
cd7773e0aa0132ae8222b2978cbb5712

SHA1
8e98e52dc477cccb827625bfa6cf12a99e775129

SHA256
a44ff04459834d726ab1247202aff2e2c5c5e0b0326dcd8083a4b75ac31ffdb0

SHA512
cc3acc8252aac65c50f89bab4ff79f8edf80cc99c08545e3fb37ebddada91ba862430b3ec67468e16343f2bb0af97ac2fd95982ae75d2ec4508d8fa31f7166ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msgu.exe

Filesize
777KB

MD5
84eb83414ed48dd4102f43137a82a2f3

SHA1
82fd955a443f2dba7da1b293d5aacf3dc01041cb

SHA256
1aeec70cf05d5e87d4a79460ab542e94ea1c18be3f1623284f82adbf160aa1e3

SHA512
41938802151e1bf5be6be564cecd7295e4e38b035624241e809449d839ab61db183984fe5130ca67568a3bd168c9d12f91be0b837f50cce5180905f29f1809c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMcg.exe

Filesize
1.1MB

MD5
cc0833d82fdcf87599ca0a5b4aa75cee

SHA1
e1b99358a6d7c99bac459f22d7ce730019605001

SHA256
138b8bae633265bb5947b04c433d0d4d4cf3b88805e626a7e5178bdac48b7340

SHA512
2efc2c28eaaf36e12654750777ccd348ab4f650a12bc73af30b0e5a9f9290e91413fe995fe1b44e0ea79d3938beac8c810be95b115cfbf65935d35d24be70dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogki.exe

Filesize
498KB

MD5
d5323f49dc0e06a336fe7dc2f8c392c8

SHA1
2b720388d9556fbd8484f4129733131f3e0d858a

SHA256
3eaa9f91c1d7ce6d50e8b2aedc1695432908f42f4ed30ba071fefdf6425e706f

SHA512
cd239e9e09b6a65acfc18943d4133a84d52e3957cd66f7efed421012f4dff3c047e0d0a93efcce6e7597493aac6697308e4c2e26417d6cab76199f9b1e88ca66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okcg.exe

Filesize
195KB

MD5
48c9f63627ae9cfe19bc3a7bff012af1

SHA1
1f0f5edd2ab19f29ae9fa2f8999dde543d42b26a

SHA256
9d08bedf97d88f5bb7e4f7efaf47fc2fc0733012fe895e10dadf6a165097f601

SHA512
5ea429394c0071dd5c6125d49022527833dbb7b96aec6628d1cf91a8705e01e649b6916f133d133245cd8aa05ca18d4dc63573a50bca5566f06ba550cc693c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEQm.exe

Filesize
203KB

MD5
06f3ba408c5b98bdd63756589d7f7618

SHA1
de93955afd6c8c719590d7eaccf5a8eb6f3e0f5e

SHA256
e93753f23a25816d3b0d9a0b76972cfc57f3ed5e295b1378ba161c192af44389

SHA512
a8783eeb9b31fc4a3885cab48b843c2428b2605aa2c5094174979f95d8a888c3ee7276aa72bb7e601ab968d7c4daf69587a36f1b955caf4e47b51c22d308a511

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUoS.exe

Filesize
207KB

MD5
820dd2c042e36987a49b3ec14e9a2bb6

SHA1
60721ee87b599e552890ad707abd9af785084a03

SHA256
cfe1307c598fbb75002ebde54ec216f2084e4b70fc23d1edd676f1cfec0b1cb2

SHA512
b9e449b5d6b243e3ed62373fc99f9c44b5b2687cb01ac66a8952024925227ada7185c8ab2a10598c398c3b8ed3a552c9832cffbfab03af45a344bd06b2c10c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYYc.exe

Filesize
439KB

MD5
90445029cf5b49b2427c683f6001add7

SHA1
891484072246badcd07167f387914b47d3ef9119

SHA256
b83839b74a6ab2d6994552b13aecb209ce0330d1e764baabc420f06cc2f2bfa1

SHA512
5b371941a1022f48409f2de01221ef4044952b737fe273c8f7df302050e79731d6a3a953637beedc7855d1a922c2ab4ff47f705f76c40b56f90975c7521185df

Download Submit
C:\Users\Admin\AppData\Local\Temp\QswG.exe

Filesize
713KB

MD5
b8bf218538acef988cff37bc0ae458fe

SHA1
586aabe2e097d0d1225a393d1f473a99635e2388

SHA256
eb127a37794737d7cb30610719504805b64eaad7435b6cbce56dab46e054bc6a

SHA512
33f091199a177eab08244db9a28d8c2d0d309b19a851f5c264cfddeea43675049f7ef5aa640c3c03e75bcf6ea6c53ba856af44589b405f6e3794508225c24885

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAoS.exe

Filesize
213KB

MD5
43b9f71a971cd3e36cda8ed8cdfab0e7

SHA1
212c2c87b0915155b335bc45a5497bb511807561

SHA256
cf505131e661fc7f5585fc0e63aac2cb7df4dae3d3b00cd3d098bbd7cf75b8ff

SHA512
87ae92ec6dd5a6502b6e427d6ceb3cfb638d91b3c81502b5e8b38c0859f436121331a095a40cc95daf3fab7aae9dc0f8de284e09fff1d283e9927a44b98ca1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEIg.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMO.exe

Filesize
205KB

MD5
1efccdc50ae7c4d26495d5134be49936

SHA1
c8abc0d6afef9fcc48ab03662c55557eff861a67

SHA256
caa846ce8fcefa62c5ac20ac17c1de493dbe7f7cb1c9a6484d74a5a07622a004

SHA512
caf2a412fbda6a57a22020bf0fafa4eb7115f757c7d31fc2b100ca52829dd6233001e27a07412961b9e7eefcaafaf25f39310fb9a5d20ae99df3fdd4e1ad0f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQK.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUo.exe

Filesize
197KB

MD5
285b506e4019f1e7df3a51e2ac0f97aa

SHA1
2401a731487a3536244d407b7ce69f8405e6ef22

SHA256
06d65089e7c3fb0e0801432b812803b4e93202f5debfc4c8de331ecc869f7353

SHA512
90d87477c4d7bbec63c548dfd48b34bae80176d1c04b732d93e12f5939b4c2bbed213730ab2b1ea51ccfdd55c29448af538b0fe1e9042a54fbbb12e40a5693c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwEC.exe

Filesize
186KB

MD5
e5881aa95058085522e8995856db57c8

SHA1
48eec7c58c094ec53937e0d5bb63ada42109e368

SHA256
2055e6bcc54a260f855a3b6920d38a28342c65aeca1a9677df87a1476ad729dd

SHA512
71db257dd4e4900c15380c02beec77a90450e2bdb3170883e68bc72db93cfba673b187a9cf352c2389ee93da55a905a423f952fef86db444de1ab8035af85bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMAm.exe

Filesize
197KB

MD5
a74e0d438aa6bc5f91a1cff619026277

SHA1
55f4f4f0182344b017b07f8e0ebbe30446cb43ae

SHA256
09851fb92321fb97c31c5f6abbfdbac884929af6db80d505d82164159e3c83c6

SHA512
3fcdfc349646add7ddd820e18f12319341820b8650c63a5b168902e190e82c61f1c932bea21cf0317054813d5dc0b45089d9a3cb4ca938157e56386fa8e705f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsIu.exe

Filesize
392KB

MD5
7b6752afed90ceb7fffd2974ab2259a8

SHA1
6652737778e9893dbb192df662ad3eac2164177b

SHA256
0c4556937b9f6a9d2f48af7b7a669136116a031c0a59e2fa36dabc6d4d52e193

SHA512
9b05cd59db8117275e47e1c62b465ee75c8473e6304439b7cf033b89a9fd2ab203c46a079440ea508d34ef76431510f211f7c149fed5295cd4cc08519ddf067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usko.exe

Filesize
183KB

MD5
af7165e2b7507f6e11c6901a29011450

SHA1
067f90126206be57d8a55e750d5f519019214869

SHA256
6aad9c673697912c78ddab0d83e2be0adf67eaad847f5522f6c10083839751f1

SHA512
bf01a94d3740a9e6404ec3bc0222cc131136d059ee5ef97c2d5ab75de4a5f76571ba28a769cd87509796970ac45fe940a883a93846d548f0c68eaf382523d0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYEQ.exe

Filesize
962KB

MD5
3def913fcf21abf46304e737205e5583

SHA1
e9658f63ba847e03ce4411289384fff19246756c

SHA256
503e9b0d3f6f02d73c27fa595c0a0aa08384c04bcde8a5bddabaef41cc3361dc

SHA512
92136a4fe05b633324ecb561a5d121781c4d82be0257261c578de8318d255c4927f3db61383e0514c7e53ce7b8aa2a194a44ff49d56e9c50598dc28d85c927a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAQe.exe

Filesize
657KB

MD5
f11a60a86ec2f989474d395f64073921

SHA1
61fa74dd472e70c6226e293e80181a5ac198625c

SHA256
f9a28486d0b5bdbf8de1791af63595c1846788b1b0b42558996f2cab34f33da9

SHA512
8cbe65949b92e44dec23b2f2d293d3867da9d9f7c354fffd7d989ba4278b55135566799879a1f07372260f041ad8e00039cc5ab53d2bafd56624687617020ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUEA.exe

Filesize
623KB

MD5
876cbc753eee5a159ae850e8b0abffa1

SHA1
baf0c878c0811c92f9a574675aad17cc9bd614b8

SHA256
d9e250d6684ba3efaf83fd1992fb90c7bdf5b25a72eec1d735a02afecaeea16e

SHA512
b134a6b8cf69b250b9b8281df4ee4b31cb3f6137395343d645c2dd106f68713a7e7dbe4ad2b655ddf1b5e1f878390d699f83f848021267d0288d9e8afe0ce7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEk.exe

Filesize
203KB

MD5
c7a39c64a35e540fe4c867a1c54bb689

SHA1
8ab008307a954bb6353180fca8420e271ad37970

SHA256
b90b7ed5cf87d016fe6f584a470e98bb23799790b07e1d31f9cbac2eaf6b6507

SHA512
c923acb50be16bf9d9a7f15c1a495c3db6ed5590a68a5b2eee2178f9b9cef452f34e71dadc8e84118f5823aadfd48d97e3447400c106efe6c3b988176de67725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywkk.exe

Filesize
228KB

MD5
0dae10027c9161aaf3c76bbd121f1e2d

SHA1
8f3fc0f5b76e33c3266b0606846f11559941d67d

SHA256
a429cbb4ac9f5503712a9345e47a711a8e3e91084d4edda46bab164fa8820f13

SHA512
3f2004f1c8d78229e501d878570942f2e4cc1114748026f9d1b7260f017e77d7cd23eba8302f8e5b3cc75c5768c23a7ce423aff0fb958d0727c8617d827d8724

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgg.exe

Filesize
650KB

MD5
43e7f73edaa09b94c0e2fd563fafb00f

SHA1
ad1b72b80c1d5a20cba69b6306fb1401b33eecc2

SHA256
eb996a6c1b0c3abde67df137f24b99e6f1c9ea2dc0363c312edda86c28f07799

SHA512
e27d236f888c90fb547d9eb542307b45ed2b0b754d9daf0118fb5ddc2410bf0ff239be6edc1421f7543ff86e9df41b0667020d76cb764a7bd1ee2c58f8402807

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQAy.exe

Filesize
900KB

MD5
4f2b803cda8ad1a5966040b0bbdb5eb7

SHA1
b8235ef86022f10bbbe92e17df14eb5546bd2551

SHA256
aa45048385eaaecaae8c1041aa4c31b94aa348195f7c13e17554beabbf921d8d

SHA512
d30046e17bf0af942a6d87be2cf6b25f902b5a4e7c32f632cb9abd6344ae33308d49cc4ff779cbacfa60902150eb6f2b5f9fa669215f917de89355f913993314

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMQ.exe

Filesize
195KB

MD5
c79dccf290a65d2842f607d71ad0e6a5

SHA1
1480e6d356a19c9a7876e061f3dd41c95d21ad4f

SHA256
085b2f53591935fb4dc2dd3cac2fab9a800e07238af0584c8c6ec7a578caf1dd

SHA512
abe9e10e67136ae9bf44565ae2a9c7f568ecc335b0da26ede03423e8198f648cc38aa7d5aa7102153fb4a68ce4e2ea9950ed85889fa09a57ffd73dcbe3780b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQQm.exe

Filesize
185KB

MD5
a460ac2cdfc8fb3d433819235eb064f8

SHA1
11892a4ec858fdd5528d7fe16051026ee10d38e7

SHA256
4e363d6401c6dab0a4697c846d5f1592fbf8540c8751603cd43f16238917a554

SHA512
7bbf65848275c66b5b7024c1cc38728ddf98e731556fb15e985cc087b1a8479fc8ef71258d1dff3b27731490186ea9fd60bcc06ea8cf1d5be4ed8754200bc1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccUQ.exe

Filesize
195KB

MD5
5176fb58d346d11c3abf2bd6022b5c00

SHA1
e5ccc0c0d774b8fcf17ec39d65544ebd0a413ba6

SHA256
84d4b6bafd3fca88166f31d725d32b7470d5dbcedd10d823f1a1454e00328c18

SHA512
71ff6f2fdd3a3664f705d4509d7b1482d4f4863677e18e4488a18d6e85a6f15aad243362f0700d1dbdbc75244d4984c19672d28537844ada21a22a8af2f38567

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgM.exe

Filesize
830KB

MD5
a1a96280193628da06ae0423a6400f75

SHA1
ebb6ed428206457760e1f569866453359463f6b4

SHA256
66d781fe0d403ca9ffb8c9067763411967639af040964fdb6822f1b7e24275a6

SHA512
2ab726fe40b5c7040770ff69722d30af26eade5860c5d9567dd468b8e598334458b4109795b51abffd191a7def75f8f28d178b44314e4068ae6d4fea9ac257de

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEg.exe

Filesize
216KB

MD5
d59dd4cd447b2e91b811be90472fc0fd

SHA1
0834b17d4a6c7f3be2d7bb4995e4e4e7a0c2974a

SHA256
d668f94eae0b96787314944b7cbb880792990ef2ba330c10e8ef9aab7f69b882

SHA512
931641277578160ce9448aaa9fb0beda66bbeefe2a70fb0e2066a4329c46ee0a6b1db84744f8e2f4ac1da483e75a1aad11da3ea38ce943379e5f60f5f9ac87a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEQ.exe

Filesize
803KB

MD5
a7f103b9b380a9ba05ee1fb666bef02c

SHA1
c4749496dc45872737744aeb9a38af94393acabc

SHA256
2f65bc8907b5614a328f6a965ff3f427e260abec5b956e2e76781e6dc27eb88f

SHA512
0158063bc96be5ac4cdc184b00105b373b871f3a6fac79fc749c704d47dcc6b4d8b5e05732bf7212451704d148d8a65bd36626e3a8e37cc62ec528daf490c1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYAm.exe

Filesize
595KB

MD5
203dcb37fd2ed89cf0bdf3a5cb56a656

SHA1
a81cee29060dc0a32449378cb3da87f17c869a4d

SHA256
99eea4b9cf009182f798bd6f8ecfb508dbda915250f17d9df6e29ea847e34721

SHA512
a9fbfdb10b85646aa72935181ef52cd32fe4a4cbb8d5feb823ec65b32ee6b9cc0f727bc294dc569bab67d70b9f4536cfbd58d711026df5f098ffcd1713a85d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewoA.exe

Filesize
191KB

MD5
4b019b2d2f7b8cfb61d65f45fcf46ee4

SHA1
78d3435d31cee23fc7cbda7fa447213df0629f7b

SHA256
cd4b5f4c03f1a7b71684556ee0b12816b58c26e468678ff0208dceb36084edd4

SHA512
0affa55f738d33a8bfd3825b6d498d192d3ec810b32fb67b83ac7d93ec30030494120d07c31981caaa8d5055a9e1641a8e67254093cdc837be1b7e549b33f035

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMU.exe

Filesize
890KB

MD5
59540b16dbfe4626c0c433d3d79f9846

SHA1
2479f3bfff77f9f2724f1af73a0a0eda0e5884f0

SHA256
296e96991d0abc0fd07b924f212fa0ff5c9a7abeaeb4eadfefd0371cf13d59e5

SHA512
2ce4d2345b67c9c1af3b0800f2b82f7b1645729790f527c4ec36e41b8816ee7fa3911e70465b6bcc2f204cf0a0e6cf00dfa1ab48fae84f99999ee99b223b9be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gckE.exe

Filesize
822KB

MD5
1d4af42151018b41425b1f4f9bd278de

SHA1
60cb7655083fd0c38f85fd57447531f8bb2d129a

SHA256
4d3ccc6820b3aa617b44bf11966ff0fba7fc3ff95d843b91ed102b91e9ee858e

SHA512
c593a3c0c4cce4c1d2b2d79a851032b5802fd2061d5482c8be63f751fd74801d1f59a7d813e690acedf6ffeb2fddc0a6efa2e087c385777565c4dbdb4baea5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggYG.exe

Filesize
184KB

MD5
81c4f017a6cc0950e037067a64673a8a

SHA1
659dd19d19a6df9cb43d757d48a5ee3002ae28c6

SHA256
3fe3aa3003e19a12f3ba3401b3751900bcd0ecaf4ffeb56e6f4661e6c22efae3

SHA512
dd02b8704fc860147486594571dd13e0b6393641e28a913ecf65f723fabd9306b160cbc09c5ed908db9e53a2e39d3092a21454214af34648ff6a7cc02338a49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoc.exe

Filesize
185KB

MD5
d56423e4fa1c796d40aad5d53b121175

SHA1
f555b9c06e362a3bc34db71f1a121ce98ba2be26

SHA256
944e4c99b433343de3caf355598d4b402213cf08cfe3174364f3307e2f878d4f

SHA512
6966de5b0618e0733bcab5c4f98bc2c66565ba40a7966cc762cd606adc358c7948bcc9c767b41583c0075d1dbfe5e13ac278449e8073bfc9d99a378121d83a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYQU.exe

Filesize
208KB

MD5
9da5bf11d81ce19567ff6948731f55ab

SHA1
de71b9e648363f8c1e10dc4e43fb14e5a4c54fbb

SHA256
cbf4a56949a4abdc745b5c320f3991f2181c558ce0cead26933bf49c72fac0e2

SHA512
966f3f79a4e145b4c45d4d677b78321f4d306437dcd0a914de3a11cb52f172979d9a397b931718359fc4582a3932ad09b5d1d9888f3e4fec943b2cf72e2fd77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQm.exe

Filesize
5.9MB

MD5
2c3ee99cb7818f997fc06d2432fd9060

SHA1
1938003894925919064310c112196fe3fde58369

SHA256
f360d8f244ab2ac3c707aa12562d2829b670e778994d6347acfea3691b397423

SHA512
df98a7cca68a4c6f0d2a4714d9c02db218690977a85e0b729d6e446504cb3281b9abecc89299e4e67191d6aaeffee6f4ee47a29acf2615e1856f4a59354ee175

Download Submit
C:\Users\Admin\AppData\Local\Temp\icgi.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iska.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEu.exe

Filesize
207KB

MD5
4457e14c0e5910955c8626fefbda8a7e

SHA1
a055fc1604bb2333760170c5947801e84e19356f

SHA256
38d3ddac4aee4911666d2c237ee0d045392cb9545ea66bc2b99c35b90d4d6b5c

SHA512
bd665ac2b28a26517ec386a119457ec5c96ca2cf5cff610b964f069fa8938e8fc923b6460b8c09a2537acba6af4d90e56d7fd8302296edf3bf38768d2179c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAkO.exe

Filesize
212KB

MD5
5c944bebdb67abb36a979ea97202e476

SHA1
bf39d9d4eaf67dd399e6ae7b98565b67908a70a3

SHA256
15b6124dd184ecdd83443400721a65801179a600e4082514882f8dc72aff680f

SHA512
1882518739929954a58192d7a5807c576fd7b91aa60d3ed06e9d8055b80b6c9353a0051cb81dcb1ea70c1171e21093bc4eeb0f22ea0a1d07f1ff04b12971ad21

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAko.exe

Filesize
205KB

MD5
03e382c4923ebe447b73bf35d60b2c75

SHA1
bc1687d10b54e40e1231b94796b2ba0c14fb2a7e

SHA256
7632fae58554726d5ee77e5ec92379286ed902d65b44d887ec1062ab91ac5bac

SHA512
7ccb05f95f348284162e04c7bae03b98654208cf0257ae8be532417939a8e7162325bf6ddbc2f92804fc5d164bb7437fd7e752524b3711dd10d47d395fc94867

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMi.exe

Filesize
209KB

MD5
eb30091789b581663d6637796246f5c0

SHA1
9797af61c3193e127326c514a5fb5af99ebe8897

SHA256
468cbe9fa90308c056f35712d434a207ebd130085b7734421f8b50cd907b0f7f

SHA512
33b12a1575b66700ae51b9c565fc33dffdce1f9882fd9b2b78abbf76177b3bc75738ba3473298a10b0071d5c5b532be127fe92f20e73fb08b11911128e95b392

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMsi.exe

Filesize
216KB

MD5
cc72096f9e28d91cd05f5625cbbc51d1

SHA1
26b2b322a24d6e9b6d3e3aa8a4acedb259962475

SHA256
14f073677bec311dcf4eba4081c1dbf50164a6e176e0020798720e131666536b

SHA512
9b73abdda512cac6324a0affbfbd28e0683cba7840507b28bd1c2a7005fda627200a5771d473faf82d95c52b075fa90aa9a6388ce5a138dfc1311fe8e746466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgK.exe

Filesize
321KB

MD5
a1a4ac39de4f541d8e99613112ca69cb

SHA1
647b1348fd7b95e2aa2f08bc9cccfe089cdbc466

SHA256
21b95ff4b75e2f817c6c64fc8f992903bde640c2cc90ec2e265aa51af71d7361

SHA512
5358da8086ad978ef8db1096836bc35922a9df02639f544ad37b83f57c380deee89335e460c6ce71f5215b576ab9de7962f89c8fe348669f48b55cdc2e65649f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUAc.exe

Filesize
226KB

MD5
92565b8e2bcd706ca9e367b2bc008eac

SHA1
bb100b42413f5f2151b988470155f41afcc667fd

SHA256
29706317e571a9535a5cc49e5f214397e4abcbef35872bdf37593febec7f9efe

SHA512
d37413a2d8ddea92246ab7ec28f039f834cfe1e5f382d66db9ac76968c1ad42028ee2cb64493ebe59c5a011b472d98d808ac162f7f2aad6eb10afbe5ce73342c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMm.exe

Filesize
206KB

MD5
a509e57cadba2a07aa77fc4da13db910

SHA1
b2bce97dbd56017ec8717fb73f94ae9b4dcf3cc2

SHA256
b00a5a8da1ee7addbed2e195680ebf8dbfd0968742a0303b6b9634a9dac31d71

SHA512
6734439dd2bdc57498968a7b73a3e325e6531690b18054812e732fc1a56954265a0536357143234efe4632ec98783a90a96066a809666a225c065ad628b25bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkIS.exe

Filesize
199KB

MD5
96b7782c33c4d75c3c8d5c569e738e22

SHA1
159b683540300e496e4b5ac785d4d90e6b7bb153

SHA256
2ab83e39dddc2f403c3330ee26901f55ffb6cf321caf40c115de67cee466e9b4

SHA512
e19638c428a3e7b756b0cc54e6c220100e9fc64a72fd2cf938f8a8ec7e8a99c514d0e818cec93652a0b4a7041f2d4dac7f6e792ab298675a4cd83a5987fd3354

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEG.exe

Filesize
557KB

MD5
6c5836c21636926b5bd9a2d9f3aaa54d

SHA1
d04d856680f969c6c26ab1d5f1e657fe6db2210a

SHA256
ad72e51e6c22e26322cc688c55fd3b4d3599318fed0bb148652acede3ee6ad3d

SHA512
6c0fe2036c2c662bfe2376e2e7cf3c86e666d87242a9c0124fe7424b67c37fa7cb52aeb26f39b1a2b5e770c630eaaab2be5383167856219dba4f1f5d6d05caac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUk.exe

Filesize
193KB

MD5
3f6faff1208b816445a2104649f4c787

SHA1
2dc3b1f50831d1ac2ab1538c5d06e963498d1931

SHA256
f9da8c09805c7660ee916f7c542d10fa826fd70bc1a236d44b80e802d4000c03

SHA512
0efb402f856f9df871df5ec4c69739720ea006f780fc1f5b16e574e6638af8ff7aab8e9c8cce67323f8257b819f855aaf44bf966da22b94e20fef0335e5c03ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcK.exe

Filesize
215KB

MD5
226f17cd01826f43a87ea3f7da3899f8

SHA1
6b81302dab7ebaada9ed978582df81f853df82ff

SHA256
7ff42d8196779a6eb8c6d03325234340e70b73f2e12eec6db50786044a8ae056

SHA512
07b4a5f847a6eb458f87ae6be615210d2c7f90a4971edd8d79f53b32750fcdef82bdaae38aba5a93cbf85b8a290e914789234dea1e659bf62f00b1313f288a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEou.exe

Filesize
201KB

MD5
5b4dbe76545f177e37f1c9765450984c

SHA1
f2e351e9addb8ca9951f4de30b59d4bee095d87b

SHA256
49fa1e349fcba806f1d6a22c1fbddfa6fbcee36ff948ed698b893e43d5753e3d

SHA512
2aa4ef5bcca93ff09c57fd1a6846bdad0d735ea50ce2d22f82af0d4e9338b78127c980bbc948a6fc548d037764eaeb75d1b60f13aa4c49457b083044826e46c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMUI.exe

Filesize
203KB

MD5
bfdbfcf931e9f7e2bc125eacfa1e7a40

SHA1
94dcbfd8fd1e147cae32d553edae5d07f8fd8257

SHA256
37f06c067d8ac930eae2a03dc51cf29abb38071d6f3131960bfb428ac25eca72

SHA512
f1c24f12fab531b682c478768341f271a760a38a488c9cb1fb6e4b451ec6d2b789df967929fbfa762aa261824c6c178a04abefec4041327056e2c4193e6a1616

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgO.exe

Filesize
661KB

MD5
b8ffb6d1cc2cb0eea06baf3172a88c54

SHA1
2dda1d921a4a71617694b29930f76dd8ae9ccd74

SHA256
220e27818c030eec386a03ee5d233ba0089e43d3f8fa97c3e954b2bd3654ff60

SHA512
a05a5b704f0936e9fad115bf82e99cc933fb39449bc0ca9b143e4a97965c120f36cf555290711a98d9a1056f9130bf143d9bb59092904f1f9f999ae55adf4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocI.exe

Filesize
189KB

MD5
52f017e710c603803f6b71d86b2833cf

SHA1
b9d979c53d43238ed0bd38a05928c0edad014da8

SHA256
0fd388556e87ae32de9d4a19fa9498140b3a9ea78f692d8bada7e12e16256604

SHA512
4a3c5ed7998a6baac7aec32a8a2b6c117002b6ca97e5c82632747c4360c63664f89583c2ee8a62a275026bcef51a9e43b97480923758eed33dbfcc8709006988

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgG.exe

Filesize
208KB

MD5
2dca986458c1213a874e4c2e3905d16c

SHA1
e8dda0c60026e72ad1721a6c37734225f63e928a

SHA256
059191190895ddba3795ff065d57bf388f551651470920b1839288137a488122

SHA512
001b65d9620591f322733644f8655b61e29c899a37e9d9b71e6cd95f790281c1b2424f34fcfda77c6bea9d6bc79ab5a28433f65e12690edf401279ae769a7f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUkg.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQC.exe

Filesize
183KB

MD5
1b7a418e1722e3754211880c7253090a

SHA1
cb7fa82d5cd561a980bc53b5436bbd0d22a51054

SHA256
eda095f17f435c445e7088145eaba6aa0498bd0f906ec65ca49d6943d7efb3ec

SHA512
483990b76cc36455d2f49c347f861fb1ac44e70df7b8c9cf6f3736989d5753f8adac332f6f93e215969c69ae5a1faa1637ad221132c62a6ce6e784dbc21499b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgYE.exe

Filesize
812KB

MD5
436033b73f9646cc7741b4d1de8b6e24

SHA1
2880e37c30ee23d0afb675136a2dbaca2d0d8d86

SHA256
2d00de06cea5018ac153563d94b59961be563e1cfc91683c864eb21de15a9e92

SHA512
4ccd19222aa2a51d9e030ad93face0351208eccba36fa6fd4d940f7226485e23b89e24455a24fdfc46e344c39918c3edcfabf9504d908ed51d6fda484871525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgUU.exe

Filesize
204KB

MD5
051af15ebec644868f1486f6f3b4f41b

SHA1
cc3d29fc0cf4f4952a08dd7ece75f79316283672

SHA256
a0b4f85eb7ac5e7bc9ebf949d0c292c0acd4365f960dccab35a261cddd126cd7

SHA512
0ec9a2214999b8cca211f96145cedb998fcf7443eafc0c7d5825484db955a8bebc1af4cbc264f9777ddf889c6dc23b7443b19139b0362f9dc143057486901640

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMAy.exe

Filesize
956KB

MD5
da56281d33cc5c056c08cc42ecadb6d1

SHA1
a6b9a331982d75ab13b3d506486c22d38c9054ac

SHA256
3cfd5ecffa66680733585d65d9be76bd8b92290a82424172312b30523f65e2f5

SHA512
889fc838c40fb8d8a5455767e3606ec82ddf5af10a59a7c7612fae4941ff677245b2e28cca817e72971e5d99b8482dfc925ae8ea2a2eb405e5d64c03de9640b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkW.exe

Filesize
841KB

MD5
6aeb298ee23d32a8382673be01379658

SHA1
f6dd78dc57bc758f4311c08bf5bb443d2a47ad30

SHA256
c1bd2d12aa03ba19db382892ecff52b5b50c57121daea289891e2eaa3c859284

SHA512
c10f3003da2da1ae0ac31d65b4222f8ac127c27ec547a7528c8b4cf2b0ef56f43937e3c15d3f40ddc0840b91171f24f9286c28e0e9bf3ff3b8e3af9c55bcba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYwIsYwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgA.exe

Filesize
200KB

MD5
4ea3ba2b4d21679f910750a57aa00ed9

SHA1
4f8f017b54230a4f07c829a6e6aab3ef7816f256

SHA256
0e34b43b62d9a36feb5291ca8a5d23bac539adf8d2506ebb7c7eac8c03fa3889

SHA512
46c3ab6d2eb642ee75cefcefdef6800321ac9b2f8422d890054ae730200d53c7a3aaa9e4defe78f96f38ee225ccd811b95582392efe8cd364771b963f2c98fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\woky.exe

Filesize
202KB

MD5
e57e057aae25f3afed688b492f3f510e

SHA1
e01eb6b9de950356dc9b11e7398c9892b7a2c8cb

SHA256
de8668790edf5f46b3770392e561f5bcc6701fef25058c285dc8b52fe4f61d5c

SHA512
f65bc49525a4b094dde6c33b1a8a75b43370e2b365b4915e3253f8d634ddd1d4610f91bbbbd9b36dfe8bc273c6601910cbf78857a6e8aae6a0546f706faf89c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEK.exe

Filesize
569KB

MD5
b563e32851fecc22ae4d54cea541b3dd

SHA1
1ca07ddf2f27f515508699a30ff1118e54c79cd0

SHA256
d132c422b507a92f7583889deaff01952cec8689ad2195d8df1c35d650fa4f6d

SHA512
a8924437ebf5964f62908e0b024d920430e2ec99f5ad2a762fabc64f550839194b9fdf67167dc227576b2945204c46b53ce7acd6fe344c13a8126551c6a9fe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAG.exe

Filesize
313KB

MD5
6be66cd58e06abeead834bbfe54b790e

SHA1
5115ebcbb95288bb9c66612b17a2f7d435e8396e

SHA256
7b6531798b161ff6af27f1300c49aabde35ac3fd9e21ce93aed90e29d374e0c7

SHA512
3bdee869c863e42acc476dec59db32c8f21a1cc8e2ad79b35fc21eeba7802a86c4158c9d6a9b2b7b5c8ff191963c09c32c56bda20c0db913a8d5e0c782d3e63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygMO.exe

Filesize
184KB

MD5
ed7b4463ce5c1e25152a083e96da2a87

SHA1
746dcdc522607d1f74d281375ddd92c52e1eea6c

SHA256
f8bc9699637478c808b692596c9db65933d9988ba10fd26f6e682f5ab6aa1af5

SHA512
edf21c73932b8dff4b5f906f0dab40a7e5ca6190a79c8d1c856dfc975aa3e5ac83da074ce524a2a2b4e23153a8ccb1de89c346c8704ac99d2b0261971ae4e347

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggo.exe

Filesize
182KB

MD5
772f2fc0fec4eb6b4b06acb51fce2ada

SHA1
4aad7305b5fb22ce3afdb70fe96f65cd2b774b97

SHA256
78c23f19f935f8efcf0002411ee55a895c4bbc3cfffb97abf7decba68d81e6a9

SHA512
2399e286ad3f1df6c1ab0a755bac948d9a7cdb471774c88f0e44a1336db7db947eef0b5174f660ce3d7b35515fabe5b69d24096387295d05239cdbd9ee82e141

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoka.exe

Filesize
771KB

MD5
7d06ad948563507e861ee6dc85d3ba31

SHA1
3adb9472cc591070dd73859981ff3397b8bb692b

SHA256
6c57deb37fe62d7d41e5b5290b0139e52b02f176f39a069c95a29b8e2c81011b

SHA512
e8afcc6e2d1a7598e07aa38a2e727511dcf33be8ffc44a5688a3ac37a2822b3e86382128093d1b04c8e134e2d6c811ba9395edc6c11c54f68334952906acd8ce

Download Submit
C:\Users\Admin\Downloads\MoveRegister.zip.exe

Filesize
916KB

MD5
7ea7e2742e3d1238dfa051794ef4798b

SHA1
6984a55f03f1a5b64ed954231feeba92eecd95cf

SHA256
9385015fa9207ed3221cf5f238afc57eb7a81835945fd59f062186745ca1c767

SHA512
c1014ba69faeb53853a986a7f66951b5471151003b755cc32a82f24a6f55c9f55193dd4f8b058b86321782c389ceba65dd06f1581191e331bf0b5bfde5450686

Download Submit
C:\Users\Admin\Downloads\RemoveSwitch.bmp.exe

Filesize
996KB

MD5
fbf4d88386341f4330b9b879cf1290f5

SHA1
28b3ebfe6b81d8f7964d9fcaafa0e3069964ab45

SHA256
184f8be4a9127c5550a7fab016e306f0abc593d1c01593688e8344e0d00c0da1

SHA512
a74be414dce58255af9af5aef970f20be370a10fe3ad42d9879e3dd3ff540a72f932d998e68643831304dc2056fc1fbeab1383e5836f30d9c76c1c0bb62bbebc

Download Submit
C:\Users\Admin\Pictures\ApproveProtect.gif.exe

Filesize
674KB

MD5
84b54a7f7983330e42bf51c9de1d09a1

SHA1
51bcc1dcf7607940004cb079463e269c595bde6d

SHA256
a4aa05d40311bd5bb3cada15950208f695043ddfa10f83d2704ae784e8c7e187

SHA512
7dc29ee902ad216068b4bdb4543f2857bc8ba07fc5905c65185ffe213148e3e9f314d6c612665e0e7314d14b82dc929533679829899b0a2c57d901e38e67b352

Download Submit
C:\Users\Admin\ZsQcYkws\MQUEEMUw.exe

Filesize
189KB

MD5
e2222d55940a48c38161f43f1bd9fd0d

SHA1
4840a89bf1773cb81a6bb22cda4682413719e4cf

SHA256
b4c9a74f07e87779357fc19bec92217a74e3b018135d99f4f9ee1623a239b938

SHA512
e913a81e088c33681b42849f075498c6e5b66fee7bf03a2ab9faee3573a64dc70b83d527a74769f851446bb33f4755cccf8f869772f58e77e43d35951c053b12

Download Submit
C:\Users\Admin\ZsQcYkws\MQUEEMUw.inf

Filesize
4B

MD5
8b8dbe5571809e9156eccc24030d6957

SHA1
2b81477fbd1325aa68e42861672858ad56291934

SHA256
f63e0f3d0c3e0b0be0fd7e63ba7a39e9bcc5479dc90293d209efa2ca8ed1aa37

SHA512
46aa554fb53d2e27b306146ec785aeca6ada0b2440c6eced645cef5ad6b1dc6982b83c1d871017ce9344a17ffbbaca5d596a67ff5ccc80d548f7728440cf7011

Download Submit
memory/424-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/812-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1020-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1020-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1116-570-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-139-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-933-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-1015-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1276-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1572-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-1046-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1632-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-527-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1752-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-612-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-1041-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-1031-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-1040-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-596-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3076-664-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-886-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-937-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3300-535-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3384-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3384-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3444-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3444-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3536-630-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-671-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-684-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3616-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3616-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-836-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-638-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-799-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-604-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3768-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3828-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4120-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4324-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-674-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-665-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-722-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4576-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-646-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-784-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4736-622-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-562-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-656-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4780-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4788-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4788-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5064-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download