657ce51795124eab3cb86c4a2668cbcb60529c505109e139aba577449189b2bd

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Size

188KB
MD5

7dd592ebe4f3611ab93c1899b4c843aa
SHA1

936bf145545be8fe5f771b2fc725e5da0300f23c
SHA256

657ce51795124eab3cb86c4a2668cbcb60529c505109e139aba577449189b2bd
SHA512

3a76bc98ccbda115241723a43425cd68d05cd405636981a35dd028dd2edb4671f4d6b7d224daa7807fcb8aa73319075864d41490132ec4d5e105ec7268e4f696
SSDEEP

3072:b/MwLW/+k9e5kmQqtyBqNeaAo0gkG5g0l9txamlIazQsXIHuw:b/FrOji04ng0e4JzQsVw

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	yaYgoQcA.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	hcgsUIkw.exe
1776	yaYgoQcA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hcgsUIkw.exe = "C:\\Users\\Admin\\HaEgUIoo\\hcgsUIkw.exe"	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yaYgoQcA.exe = "C:\\ProgramData\\pWoAIEkU\\yaYgoQcA.exe"	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yaYgoQcA.exe = "C:\\ProgramData\\pWoAIEkU\\yaYgoQcA.exe"	yaYgoQcA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hcgsUIkw.exe = "C:\\Users\\Admin\\HaEgUIoo\\hcgsUIkw.exe"	hcgsUIkw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yaYgoQcA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yaYgoQcA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
448	reg.exe
3076	reg.exe
3032	reg.exe
3032	reg.exe
4152	reg.exe
4364	reg.exe
5044	reg.exe
684	reg.exe
2424	reg.exe
2036	Process not Found
808	reg.exe
1644	reg.exe
392	reg.exe
4840	reg.exe
3276	reg.exe
1780	reg.exe
3232	reg.exe
4820	reg.exe
852	reg.exe
1756	reg.exe
2172	Process not Found
1600	reg.exe
3516	reg.exe
3228	reg.exe
628	reg.exe
232	reg.exe
2580	reg.exe
1452	Process not Found
4440	reg.exe
3940	reg.exe
4688	reg.exe
1492	reg.exe
5068	reg.exe
2888	reg.exe
3816	reg.exe
1008	reg.exe
1252	reg.exe
368	Process not Found
2412	reg.exe
1844	Process not Found
1712	reg.exe
2828	reg.exe
5096	reg.exe
3724	reg.exe
1332	reg.exe
2336	reg.exe
4360	reg.exe
2044	reg.exe
4828	reg.exe
3692	reg.exe
864	reg.exe
3816	reg.exe
880	reg.exe
4248	reg.exe
232	reg.exe
4788	reg.exe
4472	reg.exe
4540	reg.exe
1936	Process not Found
3956	reg.exe
1680	reg.exe
4924	reg.exe
4576	Process not Found
3332	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1624	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1624	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1624	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1624	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2032	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2032	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2032	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2032	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3060	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3060	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3060	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3060	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4412	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4412	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4412	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4412	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1008	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1008	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1008	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
1008	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
444	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
444	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
444	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
444	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
5076	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
5076	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
5076	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
5076	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4944	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4944	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4944	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4944	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3584	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3584	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3584	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
3584	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4968	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4968	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4968	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4968	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4568	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4568	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4568	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
4568	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
808	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
808	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
808	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
808	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2908	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2908	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2908	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
2908	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	yaYgoQcA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe
1776	yaYgoQcA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1828	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	82
PID 1000 wrote to memory of 1828	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	82
PID 1000 wrote to memory of 1828	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	82
PID 1000 wrote to memory of 1776	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	83
PID 1000 wrote to memory of 1776	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	83
PID 1000 wrote to memory of 1776	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	83
PID 1000 wrote to memory of 3596	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	84
PID 1000 wrote to memory of 3596	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	84
PID 1000 wrote to memory of 3596	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	84
PID 1000 wrote to memory of 4492	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	85
PID 1000 wrote to memory of 4492	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	85
PID 1000 wrote to memory of 4492	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	85
PID 1000 wrote to memory of 3656	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	87
PID 1000 wrote to memory of 3656	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	87
PID 1000 wrote to memory of 3656	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	87
PID 1000 wrote to memory of 3296	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	88
PID 1000 wrote to memory of 3296	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	88
PID 1000 wrote to memory of 3296	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	88
PID 1000 wrote to memory of 2196	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	89
PID 1000 wrote to memory of 2196	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	89
PID 1000 wrote to memory of 2196	1000	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	89
PID 3596 wrote to memory of 3964	3596	cmd.exe	94
PID 3596 wrote to memory of 3964	3596	cmd.exe	94
PID 3596 wrote to memory of 3964	3596	cmd.exe	94
PID 2196 wrote to memory of 4864	2196	cmd.exe	95
PID 2196 wrote to memory of 4864	2196	cmd.exe	95
PID 2196 wrote to memory of 4864	2196	cmd.exe	95
PID 3964 wrote to memory of 4060	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	96
PID 3964 wrote to memory of 4060	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	96
PID 3964 wrote to memory of 4060	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	96
PID 4060 wrote to memory of 1592	4060	cmd.exe	98
PID 4060 wrote to memory of 1592	4060	cmd.exe	98
PID 4060 wrote to memory of 1592	4060	cmd.exe	98
PID 3964 wrote to memory of 4828	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	99
PID 3964 wrote to memory of 4828	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	99
PID 3964 wrote to memory of 4828	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	99
PID 3964 wrote to memory of 1124	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	100
PID 3964 wrote to memory of 1124	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	100
PID 3964 wrote to memory of 1124	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	100
PID 3964 wrote to memory of 1668	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	101
PID 3964 wrote to memory of 1668	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	101
PID 3964 wrote to memory of 1668	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	101
PID 3964 wrote to memory of 4936	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	102
PID 3964 wrote to memory of 4936	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	102
PID 3964 wrote to memory of 4936	3964	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	102
PID 4936 wrote to memory of 2072	4936	cmd.exe	107
PID 4936 wrote to memory of 2072	4936	cmd.exe	107
PID 4936 wrote to memory of 2072	4936	cmd.exe	107
PID 1592 wrote to memory of 5064	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	108
PID 1592 wrote to memory of 5064	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	108
PID 1592 wrote to memory of 5064	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	108
PID 1592 wrote to memory of 4596	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	110
PID 1592 wrote to memory of 4596	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	110
PID 1592 wrote to memory of 4596	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	110
PID 1592 wrote to memory of 4524	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	111
PID 1592 wrote to memory of 4524	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	111
PID 1592 wrote to memory of 4524	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	111
PID 1592 wrote to memory of 512	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	112
PID 1592 wrote to memory of 512	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	112
PID 1592 wrote to memory of 512	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	112
PID 1592 wrote to memory of 1272	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	113
PID 1592 wrote to memory of 1272	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	113
PID 1592 wrote to memory of 1272	1592	202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe	113
PID 5064 wrote to memory of 1624	5064	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
"C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\HaEgUIoo\hcgsUIkw.exe
  "C:\Users\Admin\HaEgUIoo\hcgsUIkw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1828
- C:\ProgramData\pWoAIEkU\yaYgoQcA.exe
  "C:\ProgramData\pWoAIEkU\yaYgoQcA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
    C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        10⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        12⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        14⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        16⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        18⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        20⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        22⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        24⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        26⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        28⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        30⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        32⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        33⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        34⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        35⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        36⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        37⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        38⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        39⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        40⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        41⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        42⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        43⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        44⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        45⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        47⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        48⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        49⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        50⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        51⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        52⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        53⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        54⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        55⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        56⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        57⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        58⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        59⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        60⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        61⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        62⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        63⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        64⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        65⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        66⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        67⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        68⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        69⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        70⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        71⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        72⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        73⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        76⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        78⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        79⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        80⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        81⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        82⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        83⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        84⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        85⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        86⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        87⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        88⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        89⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        90⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        91⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        92⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        93⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        94⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        95⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        96⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        97⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        99⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        100⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        101⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        102⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        103⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        104⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        105⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        106⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        107⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        108⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        109⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        110⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        111⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        112⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        113⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        114⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        116⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        117⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        118⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        119⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        120⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        121⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        123⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        124⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        125⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        126⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        127⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        128⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        129⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        131⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        132⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        133⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        134⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        135⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        136⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        137⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        138⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        139⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        140⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        141⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        142⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        143⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        144⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        145⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        146⤵
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        147⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        148⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        150⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        151⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        152⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        153⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        154⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        156⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        157⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        159⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        160⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        161⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        162⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        163⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        164⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        165⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        166⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        167⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        168⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        169⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        170⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        171⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        172⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        173⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        174⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        176⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        177⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        178⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        179⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        180⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        181⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        182⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        183⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        184⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        185⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        186⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        187⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        188⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        189⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        190⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        191⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        192⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        193⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        194⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        195⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        197⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        198⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        199⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        200⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        201⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        202⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        203⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        204⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        205⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        206⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        207⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        208⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        209⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        210⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        211⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        212⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        214⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        215⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        216⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        217⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        218⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        219⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        220⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        221⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        222⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        223⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        224⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        225⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        226⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        227⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        228⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        229⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        230⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        231⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        232⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        233⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        234⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        235⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        236⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        237⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        239⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        240⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        241⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        242⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        243⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        244⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        245⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        246⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        247⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        248⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        249⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        250⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        251⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        252⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        253⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        254⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        255⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        256⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        257⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        258⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        259⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        260⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        261⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        262⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        263⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock"
        264⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock
        265⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsIoIksY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        264⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKkwwscc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        262⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYwMMsE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        260⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEUwwgkY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        258⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcAckUoA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        256⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEMEMwYM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        254⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eswQgIwU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        252⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUUkEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        250⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCQUgUQE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        248⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmgYQYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUEoEgwc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        244⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUksMswI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        242⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WassUsgs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        240⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIMoEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aacMkYQg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        236⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEIQsoIY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        234⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pasgcscg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        232⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VysYskAM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        230⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYsMUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        228⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swwkcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        226⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQgIkEEM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        224⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWIEUsAw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        222⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NioMggQs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        220⤵
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwkoEgog.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        218⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEMAQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        216⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCwMMcYM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        214⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEQogccw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        212⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQgQosgE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        210⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fegMcAAc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        208⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REgkMscI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        206⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUswwQkA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        204⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygIUUYsg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        202⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEYwAUkA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        200⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCskcIkE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        198⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUwkMAYI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        196⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEkwgIUI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        194⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsQMoMI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        192⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UysQYkII.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        190⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaAYIUQg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        188⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCwoQoUI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        186⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqQIgwok.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        184⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAoEQcgE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        182⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOckYQYI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        180⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsAAgsow.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        178⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqYYUEIU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        176⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugsssoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        174⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoQUwkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYEcEooM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        170⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoQMIoEc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        168⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAwgIswo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        166⤵
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiwQYQYg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        164⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEMQgskM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        162⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWkQEYMo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        160⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciUYMIMM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        158⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HggYMQkU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        156⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYgsUIUA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        154⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuEckEcM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        152⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGkcoUAw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        150⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSsUIYQw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        148⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYoIEYQI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        146⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWkEYAcc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        144⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukoAMQk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        142⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUEEockA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        140⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIYkwgMw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        138⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RssYkgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        136⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsgUEks.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        134⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acIQAwsc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        132⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmMMcwgM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        130⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKIcMoAA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        128⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuAMUksA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        126⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngoQwEME.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        124⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwcYsAcc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        122⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwQsYYws.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        120⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikQUwYEo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        118⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQYQYEQY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        116⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQkEMwQE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        114⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYgssQcY.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        112⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkQUwkko.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        110⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKEgYwkU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        108⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYcIkMUU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        106⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGkUoMwc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        104⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgAMUwIk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        102⤵
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEgsEcs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        100⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWIsUYkE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        98⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwIQkIgk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        96⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIIcUIgs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        94⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IocccUEk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        92⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSUskYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        90⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcMYwMgw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        88⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqgoIQMs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        86⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwMwwMME.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        84⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqkMIcsk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        82⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwQgckAg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        80⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqMUgAAU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        78⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OosUkkMM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        76⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOIwMkIo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        74⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwsQwgcA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        72⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsoAQQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        70⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgYYgYA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        68⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HksgssUE.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        66⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSEoYoAo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUMYMcwM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        62⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMIkAsIo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        60⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIssMQU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        58⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\racEscEo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        56⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWYsAQMs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        54⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsYAUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        52⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAAgwcoc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        50⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YewscAYg.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        48⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAkEgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        46⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmAoIUsk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        44⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAUAQUUM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        42⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCUkUAQU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        40⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmEIwgMk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        38⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAsogoo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        36⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMcckgYU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        34⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwcEAUEs.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        32⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCYcgooQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        30⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyogQMAc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        28⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgMMcUgk.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsgkEQIo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        24⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUQMEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        22⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmgQIYMo.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        20⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMsMAgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuEUEsgI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        16⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lukQIMYc.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        14⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWUEAAMI.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggQMcUkw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESwgEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4244
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4596
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsoUUksw.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
        6⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMIsAkYU.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2072
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3656
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwoMkUYA.bat" "C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pWoAIEkU\yaYgoQcA.exe

Filesize
194KB

MD5
c6cf33aef6e61dc2c65c6e569d9e89d6

SHA1
af7ec796a1d961b7252ec4c5af7b9123f2fb23f8

SHA256
94c3d9e85615f7c966e04d1d05213e05113fe95766612d963ab70678c6c5aa54

SHA512
e6092342914662e2016896bd9247c9cd751a3e8e65fb0853b89c8aad013f0634fa5912672674fc67d8ef98dcc6f31635227540246642635680943bb8d46f69ac

Download Submit
C:\ProgramData\pWoAIEkU\yaYgoQcA.inf

Filesize
4B

MD5
6edb1a1ae8b22b7b4a32f36daeeda1d7

SHA1
e705c690684c7f16c9f3c8276454b12b44a21bd6

SHA256
c15193dbb8d753bdb6fcc0952942163f9ebed871f5c6726def4b135894e74374

SHA512
613d61126a16ae41372569dc9c2ebc3f038a5f3ea360c9abaa93d02b78103ff1239198da0a28e6e94f3f57a0a6cf1305f5c56069f4ffc926bece77af94bcc274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
212KB

MD5
f0dfb2ab492f762459ba5bd89cfbe348

SHA1
c8f3f5bc995bd14ff1e02d8301bc81f80d4295c6

SHA256
0ab6da76d9b5f8d0a4f0137c9b0bc9e543c25dbed61bff18727f3ec8635066bd

SHA512
f58224ca2f61cb49562e6271b678c17896f2a59a5d10a044303f216ec6dc0166f5a533a97293f319786657411ce5a77d6a805ac776ff7933f1f418b3be6d54dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
201KB

MD5
b03ef39445fb9f196e7d2ebc8aa6bad4

SHA1
b0ac099a5ca3643d7dcc4d88459484423469420d

SHA256
7830d0c3aa2860b40fda861d04a45cf49e6bdac16a0d452eaba0d5edc540b8a8

SHA512
461989f375947b4598314d6f55e9259562032a1c4cd9c98d65015cb5d080179dca37f8a7f8a20395b1d30363f9e53420357e00d2b6b021f561c6dd67e65c4879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
199KB

MD5
333c1fdee1e2be036a5f9ccacf8ccfd1

SHA1
e6facb25fccfc3301b894e77ede095439ae0b945

SHA256
45c14bb2e104afdac09f56c29c2daa090722b0b9aef11906c100858e8ff1839a

SHA512
79923fd5b87184543231a3009f81b49077b1fd42360835748e2a09cf7b9799185f6a1dbbe24207b88d7c5ae0ec0947a285bd9bfe6cfbd65f70c018b54547c082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
197KB

MD5
d160811ea7dd692d5271d4e17a4060ab

SHA1
a4bf5a11bda8769db8c057e069950334ffa07c17

SHA256
6c32e562b7c7c6358faf15cf76e5c761c50cb9dd3100e61749528cf7f131dbb8

SHA512
6226aadc9a46d9a7607d6c329f2a13b631727a2463ac2b8d730b46b2d7e0b53c7fae4ff36c9e4b48734ca344bcbeea9d0f67a530795980894daa75370ef3e01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
205KB

MD5
aecaf5f1fc93b57557dcc8b801a1ad12

SHA1
ec80185c8ff155f56d65699edcc78ddbc6579d70

SHA256
e7a0f9d4309e0a8fbafa8a61088eecfb6590e862a23d1d9c05ceded9d5f2ef75

SHA512
bcaaf0fba2d8fd2cb56ea6c750c6cbeadb29e7776bfbdc34107638206ef8ed892e300ce95aae3a02e6f679a9d72f77d2cec37be033062d5c295a88917748d829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
193KB

MD5
fff2fabb93d7f8edc1cd46069e7bd24e

SHA1
88e992cd95c0342875255e6567f88f81f3ccbb0d

SHA256
8400399a2defe66f9dd8d24a559b44db95594529d0fe596ef9c39b94f3a9c05c

SHA512
675ba4edb38b76ccedde37b18d882a82cf1f229e2488fa0ab33b709947e5701388e047ff0f5da2cd9eadd36d3ea40579050fbd872461869363632517d810c8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
190KB

MD5
94c68976e7cb7ab43969acdac3cfbb8b

SHA1
97748886c3faff20d35c669f8774a7216657143b

SHA256
dc852c11ab83c352e30c6ad4f7bdff72339f89318f883d47d93bc9f720c74968

SHA512
6c9c6fdd15ea0fc4e6eb047f70690ab18173647b99906719afd49f275f8de4943a7a9fc8f09f52e131a32410def2a1f4725732a8561055c5f34c89984e8131f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
213KB

MD5
81c16e1459abb44bfbcadcb90c79be52

SHA1
b5a70614f90b2b7f88f270e5fac247178c5ee4dc

SHA256
ccb4a54cc50d479048bf4bc2fa336c92211f9b37746e0f5377ccfde57d783957

SHA512
2a04be73464060d25402ee64cd889eb964adb0d631fb17d3405c63fb1189cdc40bd671f83d9cef632e9717147200c96b29433b945b28d931af4ea57a75540a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
210KB

MD5
cdba395c57083ad037ceee28116e9499

SHA1
0cf52e3cf64c4219c393877582664dd3d8625895

SHA256
d39b5f5f60b37d6ee94d508ecd553385cf0adc35d45bbdb1ba8faa10b47ce197

SHA512
e2e8a8848e8076fb49cf50b88dd890abfa035d0f8ee651a64c23c7733d384a77d3a281c173b4d98192c61615a21c6c09d52912c786dcf8f2630eb182ee209f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
195KB

MD5
e796ed6eccf5e0aa8ecf20fe962c0286

SHA1
af95cb429fbc5472d0afece91006553211c4c1b3

SHA256
d21d359d3356d31a40d5355861333318613fa7def68cad5ca0290010d335d2ca

SHA512
73a601172da98ad9dff7825f17429748e4be31ffd74f6b91aab2482a90ef699aad0429438b0530f3a107554b7009a935079269f956cf9c203626bfa1f13f0515

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409207dd592ebe4f3611ab93c1899b4c843aavirlock

Filesize
3KB

MD5
f914e6e58fabc9e45dce8645ff188bde

SHA1
e16ba069be4ac338fbfb731d5dca60685300ffdb

SHA256
51d110882b29e686326a7f942b829e9d1df5c0deb804b59f4e62bab84cdac26b

SHA512
2f3924f255c453ee32bdbced2ca690ef6ed2ef1b09dfb4922bc8db48071c174d7217916109c63ff1a38b09714b5d5f3557dd6aae8edc99e775bf3fefa7d046b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAgM.exe

Filesize
360KB

MD5
21a62a063143bb06c89938b9f89780ed

SHA1
b44ba5377e39006b80edf6efee271e6fddd782dd

SHA256
92f1994663908c269822e8ec69c06e2da4619ee5510e73de120ad94d5e7023de

SHA512
473518d6d1a2bfa3e60df8999b791d9de5a2c98148d844c4d1b50912897133b2b213318e08d6d9936e54e77ebcd614c605cb99f0c4d4d976d4689e20c9b1beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQs.exe

Filesize
199KB

MD5
851eb9f9cb60ff7d06a424a439e2085f

SHA1
05e4ede65fc1d9110750e16f06f0a7bc179ad826

SHA256
fc21b3b0de8224e849c76d6c70da7e1b2400a8286fac48f266758fa48e948698

SHA512
4a4c4433deb86051bddf094100f59283a44787f603b73d23c18c1c26cd7cbf6006e31ff1e54a573cc5e3382c7d994388d46862de34eda8eec11307289a5a1bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcMC.exe

Filesize
770KB

MD5
e6d021923fa0dd6eb039612cc5ab6022

SHA1
0717f48fe70462d4584f98861ebeb4545fd27774

SHA256
c1c33c3c3632b8b7b7830030513c03625bf8f65f82f8512fca761afc62e35755

SHA512
3d78ad9074999749f694290fe294bf21beec6a599053173b28e3cb49f75262ebe723ffcc54eb874f12223690dd59ef7ea380838076a5ea1b00df10a3497a934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agom.exe

Filesize
191KB

MD5
7d608850ebc34b9dc035029bee34407e

SHA1
e4e410dce37e885173ccd55f4880fc113a77c16d

SHA256
b129e6cb9cd5ea67dfd639d76c2564d5c7c04d98ff1b60245c87dc9912cf8148

SHA512
2d87bad7efca78344fd5ae42adc8e5ce8ed0fb8351c27218f012d6ee196a94b6a8b28d7b0530bfa02776acc06927daf83d116742d2ab327af9e247ad86356e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwoMkUYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEc.exe

Filesize
207KB

MD5
fcb4c6604487fd17e2e53424deb5c77d

SHA1
86345a9ad79f334eb93a358b78d6ed4d002bfa12

SHA256
eb21ab09b1b8eb6977e84b4efe5178fbbc2e2f22d1d89f4c3f7ffff89412d127

SHA512
e5a11a29a172d0d586495fdd8711194ecd91d2c31e69b5e68e1aa6be892cd18dcb583d4b8af13b97ba840a117c339f35d6e7b02c47717c973c4edefca808ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUEw.exe

Filesize
198KB

MD5
a8893c3989965d4af7f3d9198adbc877

SHA1
014a726662b0fb0f93aa02e842b8b9abf17d4752

SHA256
1821e06650ae6ef7fc87d93cdf8b38e63e88392bbd2910cd6f0e03568dba4e64

SHA512
18ea39995bfdca280c0f1b367e46d3168c98da23a92f63825f5975b9699567831c2e2f59dcc05da329ad1f3868b42befc327605005c88014821b8a90c9867333

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYe.exe

Filesize
240KB

MD5
71a44f0a574d417832acdfff9ad40a88

SHA1
db939b9047ad489655c344059af585e2818854e9

SHA256
dd53bdcf3eb66c906e3cdb92ba7cbad187f13bbb274c4c0173fc2e17dcf91105

SHA512
01e9538b9098ee2412d4cbab83b03d8c89ae331f34c16dde10e82d49542341350e0fc510922f2eb4da558a5cd96460f3e3371e2e6c2e0b02387e376cede87a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoU.exe

Filesize
204KB

MD5
aca3948c33d19ee010794ae1b883da57

SHA1
28b89eba0d4ce4f3f5a70c460150ad6b19e9ada9

SHA256
413a86bfd14f336be2e020ec9a8c710a354d0d4f8c551b2ef1641b61e0a8dd94

SHA512
9fef41b2dd3c0078ec04eb59971541fae5bb2dcd6a6aaafe24e7984f30532ea37af42f861828fc4b8ffaea02ccbb0bac3d390cd44a3010e23f5d2e6486861a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgce.exe

Filesize
189KB

MD5
65cd18826cc10b08398eb5da9a92467e

SHA1
13d705cb19900042c7c7cdb1901265c7f5e8d260

SHA256
9532ae475e638f843f0a24fce5bd675ceb8bc64453f5035d3a3da849711d6a6b

SHA512
caf0d5630561f504a8e2b426b67b6b82e2e410df124a48c13b41c9967c419e69d358174d32449232d4aae46f7bd929aeff3efa215b57de0757cd36e071f75b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAok.exe

Filesize
801KB

MD5
8f6cbb5ece3489f2c55ef60c0d4a2abe

SHA1
1732bb18fb9d1c8b6f87ada599cfca3bedcf4783

SHA256
e717986961d152cd19801ad39a98f0da7a35ba0fa986ed0e299ff8b548fa0670

SHA512
6f2082470d448c388608a5a517a1b1566e446efc2f0d02be6e3a2fc1311ef3919457ce794b538b8532565b1a0d8d4c2bd567fa7e15dcb54ea17193c29c080d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYs.exe

Filesize
215KB

MD5
83a370ae214b8dcbd3049da1581764f2

SHA1
e08912d8b842708a10c88a427d23125e1167027f

SHA256
2fb56486b430f7b9b370791951e65cfc035a4af4991fe4198b805bf385bde6f2

SHA512
e3657f3b2b08e0c44b0ef69bd025ce1a57bd19ea87f4bc6c3817e1f63f6c8d6c2e5bfa3268fe7e910637a50ba1ad7d24c5ca22f6582fbacc3b66fedfd4d7c8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIgm.exe

Filesize
191KB

MD5
9bdf607fa85092623af2d0528021182b

SHA1
5ec6db019a18b577aa8f41c5faffd605b4150996

SHA256
1acc613ccf2ba5476f51f2969586aec874c832bf6dec8ba0c406ad64046a96c2

SHA512
d4d657d43520bab0a99faf9d67346d509d22cf9c12f28dd478cec17b31b325b875652f26ff2faa65d2aee5e95c5f68db03881b919bf4f9a5ef10c883f5ddc87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUI.exe

Filesize
186KB

MD5
e501ed9b4b2b96e2fa5fd9631148a948

SHA1
0c199d093d68f46bbd917d348326943a807fe65d

SHA256
7e7bd1d41a0fe24d801be990ffc726d09c9e670c7b6a2fd100057238dcc0fd1a

SHA512
2d9ae3a91d1421a54da0b0e5bbd4ab6e9ad036272ee801cc0165baaa6d79325f6ed39cac122c50e845320bb9c2527b67228ee71d537d9a3d5509dfc95194c46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEQ.exe

Filesize
190KB

MD5
172e2ab3526a20edf37d4354f4a77177

SHA1
9258a7d93dee247d8e3e48b627e00d95c63de6f8

SHA256
cd42dc230c1dfe428e7013936baa461a5a8c8e6a17c377895d6263368910f87d

SHA512
9a4ef1fe1a79040d1c78a05e60ecf8a43b0850d7134ce30d0047bcb907017643c92eead579c58f5202305c510039445e0921b4d9a1c21935c2cb0ccfdf8a752a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewkm.exe

Filesize
199KB

MD5
f181bf3d6318b80ae3908f64b996ca8a

SHA1
fbd33484ab4cca9cb0f84977eb9119a26f92be77

SHA256
c2bd26a9e629051d29742226d9dd040bdaa0fe3672c9792eeb41f5893a45dc62

SHA512
0616200974e4d0bfb769948bbc6109a9388ad32c03a21b80f702ebf80deb3a116ad4b1174bfb4966bcec657566a2baa173e4b905af3ae9d838a854021dd694b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcgA.exe

Filesize
651KB

MD5
cd942b49eb7c35bb738168ae99302ef3

SHA1
00573d8e73e05049b058de97b19b6d31ce95c79f

SHA256
74afd13fae0dbb393a559578aa9babe05a298d5c52e21b548d0f762629bd74df

SHA512
58135ae5ba65e0de4dd0bd55796845449cd94bdb75a58f0a84d3a5684c74137ae3346a1d0a94fdf10fb28375bf616eb46f5aaf1596efcf13f5eadceae9a56dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcou.exe

Filesize
197KB

MD5
7fe2016475988397f22faac6fdf2ea38

SHA1
2a082ac801a89d0009d21cf4ae5da74fe4a7feed

SHA256
c537f9af9d1f5afd8d4cc99e069c33bebddaa2e59c01d6e4d473779417121572

SHA512
d552f1d34f77327e3ca73e527683ccbaea1082177a4fec7dfd9ab917d0cb13b28ab66e478dee96aa9e914a88d3ab15dc83a0369bd9ad718e7dc33413a0554e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAc.exe

Filesize
829KB

MD5
6d567f1c528c1da63d50cef6837a9508

SHA1
bdcf40b1aa9c7fba7bf40407277bc709e4d9b890

SHA256
ab2f14e34c89c3fee8476a264183090be8fb9cf8a281973227e5dcddc0c62ea0

SHA512
2775a3f61f2e139ad318b83e13027c8221231bb4d2439ff1e19854e862050a19917b0db4425f61f5a37dd45a8d97401b0d141d43cc2d8c3f41cccabb6cfd2ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoQ.exe

Filesize
226KB

MD5
1ea8e748215b058a96463375bf3a5348

SHA1
93d48e07416d6b2d02534b03c4300c0d6d726d6f

SHA256
7b0e80791efefb47393811b5fa0da68ae155f9ab6c7afb7c416c134382b9fb1e

SHA512
6b5eabd8b6d1ab22baaed5772139de4e38348e91daa1d2d391f2310faeb13261d95865eb668387e6676e23bae2770072e3940c97e445c0866ac0e0b34a73d203

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUI.exe

Filesize
195KB

MD5
6203b00e5d24bb45c1c892ef7dec79c2

SHA1
70d13e079a372dbb5b2b760d490ba6172080f47e

SHA256
b060d23887d0f386028e32a495b466b4558c4ea169bba35097d0f3cd352c6828

SHA512
d7406f8fa7d6993e6d7c724c4fa288b635f491312582c586bb7d5cd7b4978f79962d663b39c4e281d31b7e0861bbe5af24a1e1d2e8b0e2924d79bb86fba6e7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwcs.exe

Filesize
248KB

MD5
54bd3394b2f3b7db6dd7175b517098a8

SHA1
aea483e15fa437056f984a9e53518b4befa15190

SHA256
4e2c31c30f95f74ae1d2c1978bb07518dfd15912dab67f40d3121598bce0edd7

SHA512
a819cda077f1d120d19cdf06c774cb8576f46ec00ee588bb0b24813b4ab4dbcf7ba7d16bc7ed510571df52a4ba90db0998a1e6464bce3d5e5add3eea2485fc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIg.exe

Filesize
197KB

MD5
25d6cb9ac953d64636d1dfd5cadb7753

SHA1
33c9c6b245e5e269f0b41b5499a24ab679913046

SHA256
1cfee0194c4b6bd9e950da1a942b63bc61476b1bede721f1d5019d2e4dbb2efc

SHA512
8af6ab73bea9f29fcd353f777bb587213fba6a82456089f1d6887a3ca78ef53916ada4af86e746cc577dde5fc509f2c3088a8d3aa195b8dc30919add0a2c334d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQC.exe

Filesize
227KB

MD5
3408988971798f696bff224e01ea0e38

SHA1
de2a2a3f2efce9a1065222a26d33220ddc75899d

SHA256
e06229b06f50cb0c9319266a124384386493233b3d4118a092bb0d9b59d8fc60

SHA512
4e3807524bc1174ef1fcac7770a1509554b381dc99132941d5ba2fa6be22625b4dfdd255c2e5557dd722bb025276320394e9470438da616a2ef3fc619a35d219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcwu.exe

Filesize
210KB

MD5
3c2acf42e28afb9dc6d2651919088ff3

SHA1
79929306b9e5b027bafb431dcf9e1f65938e3be9

SHA256
50f3a8e15a01294804e3e87ae161ff061873d0d949ace6d893fde4eb1792ea22

SHA512
22ace8f7446c5914f2db9daca4fe9cc20e31dbb5a6e2766b62666ce10f01f20065aff6f391faa9cca03b78cfc2081ee47b988f8aff6e587c9cc0e651814842a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgUU.exe

Filesize
199KB

MD5
c22a9a42c3a0cf1af4b578c005155b16

SHA1
bead7aab33258e78463c9012c92531d449d0fdb6

SHA256
f5e38c3044a7a8b52536a504d317a968373c8057117c9c302fc9d314d18e0c30

SHA512
32e2e457c65c015a8f522a4fc3b0ef238898b6ce35aa69ae3196340f3de7cb88eea0b0f1f97de4c63d69f5ea8c338d561f6236e0e07b1ce530928df889e7f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEQA.exe

Filesize
189KB

MD5
ae6a0198eac4eba273f7ddbfc8bc0f08

SHA1
614ac06ed6757bd9aac52f56d1b3a3a018ea89ca

SHA256
7ca920f4ae8ba2e5b08194dcbf463c71c710263b13cb368d151cd73cd9625cd5

SHA512
7e06ca116c867c102ea0baece702111ade9557d055f797115add59fd2a78751c7eb9fcb7ad9f6fdc1aadb8f93410a1f08cfccbb232c39295d936f66a7900ce4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkk.exe

Filesize
5.9MB

MD5
7fe6bac44a20d391727d95cbc4c0240d

SHA1
6fae8abf0056ad240da53796d52de97c7f68e3e8

SHA256
08b12097b93e14713b99edc24f6f1902d4b0a1e3db714933bb8a50613d165695

SHA512
d3bd66c61c16a014765ece53d14ce8590485b6dbdb7b026259c8bbb02754a241bd3473ec1e6569b71ea9d6221bff14a890549e369e5fefdf5381acbbec71dcc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYm.exe

Filesize
192KB

MD5
dbb449098768e84f6eac9914bf3bb9df

SHA1
09043077045612be715e4bf2898989d97eacd7a6

SHA256
76f2a50c5df5f2fdf5004067c774ea5419073ad9b77b5e7ba787bf65180ed779

SHA512
e99f66cefb14fd6ab00de78bfe8af8dc3c845f4c642ffd55310bf94843179db785a899be17306cf5ec14cfe5f15a864570ae0c0355755ddc1aa94cf4003d4185

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYO.exe

Filesize
215KB

MD5
36c122fd565d239a7c7caeed2ec1ab07

SHA1
050a114762fb5350b52707a96cc7143adcf6e917

SHA256
7b52879ba0dcf40c3345fd9c07998ffe210e678fe9d5452a6daec3eb0eaf538e

SHA512
f8d18f549b08c1606e71e07c88affc89cdc442e2a94385668535fec8bae333c9cacf177f21bdaf457424f0b002213eb9731d1920504e09d9cc96f5eea39ed2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIoC.exe

Filesize
1.0MB

MD5
0e7bb328b15cc3804c0fcd18034eb1cf

SHA1
145700bb138142560f203a64b1a891b797fc3aa9

SHA256
aa1f1467d869af24c92ff4bc1756e384a58b49b514107f17519905e2d6889596

SHA512
8b43d64ad2934d7143acbaa0e63f15d545eefc2966e9aa2330f5c467b018ba9828f4c36d4a8606abffee7cfa595d4dcff4d9228d38394388f49e4293e36879a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QscM.exe

Filesize
197KB

MD5
57e09f213fe596e94c8f6049f25f9ade

SHA1
50071e17fc1657676becaa6c0dcb805130970508

SHA256
bc6231c851411cef08ac7167507a4bee18e369c0505c0543fe85eeea1598dd8f

SHA512
5117f7323d8fdbe1a843055c23fb23c4920042a703e618fa62168ec02fc2217037a0f9dadd234d0599ef60bc1857e281f23b0cc606a12c064f79689d8a58563d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsgy.exe

Filesize
224KB

MD5
83c966214048ebe23ba44a14e8ce6887

SHA1
f1453122b8e014222fb4cdd3d6e1621f7bbff75f

SHA256
048237b5cdb2517c5025df445073ae65564fdafb77bbc9b0d04476b5595b8c8e

SHA512
ce9398c29203e087024cbbad3ebf8ae93fd29a7b3bde53dbfbb8d5fc8e0c85f24aab46524e521489cde6fc7215c9545ac400a81e9fd5e643abb000a4c3a80d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgsk.exe

Filesize
232KB

MD5
169268ab1e0cd72543c80b61bdabec17

SHA1
c8105dcdd75f1ba3315b67c9e2e7e53a63715a3f

SHA256
4e7fd12c369dd6b1a39cf89a3708eb2859c9052350092c37ab20a3efc53c1d48

SHA512
e9bcc66ebe8843a46b53bb9e804c6ed5730759208abe0ce01f122ea88e2f3551e7f62920b30dc62574884efd06b1ef40bf472fc4d35be065cd7962f24ecf64c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoYa.exe

Filesize
191KB

MD5
36cbde33ca8ad4a7451ae2f5cf3dd196

SHA1
3ef71bbf622026fd9d5aa3dd49965e9d58fc48cb

SHA256
4e5016600e7ce7f646f6a3c8923ce64928a440b1c5bdd043fc066ed337a5b204

SHA512
abf5d203059f5e4af2ab558b1ebc9531f64242263f6535174056113b0f3d5b3a282dce09c958f7102b8d090c5ba512e784fae3f28b122e6f6a9533b04a2291a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQa.exe

Filesize
202KB

MD5
d379e58241f4adc6851b78dbd0a12f51

SHA1
ad2ce8914eba386c7b98603ae4a684b85efe4687

SHA256
3f3e440893e5192da5280e632a19a02b02b431b3ffaa1ba409c89d4f48d16901

SHA512
917d5a53827ae48757e8e48600ee28dada6ea9d50b914a4a2e5efd9dd950c16bfb261b893979c6214a23b59365ce5f39ba2cfb6d6782259ce67d37ced454ce52

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIga.exe

Filesize
454KB

MD5
bc78130c53dbab9cc7e0f5f592e8d6df

SHA1
c71634638fec6b29f4863b20a780466e44f801f2

SHA256
2b2aa94653cbb9bd47f423dc7fe5d6ab8da9cf7242a5fc2ba98cc06b7ca63ba5

SHA512
d9afd285596db8c0a708eea34a3910273a170ff45481b61f83783d4f0d8b3f7bc11e02a9e7ff3137e2b9680e8f2d472134c5a981264049bccb7bb507e6dac15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsu.exe

Filesize
190KB

MD5
db61410cb8d307f7623267a57ef833a2

SHA1
078b5d3e8ed5cdcde1e722b159cff7d4cc74daac

SHA256
c50172b743798fdcff9dcb74d015d95da5bb5b17b305de68bfc5bc9f7aa1e876

SHA512
70a9d2509e7e95f9cf850b2104865f42812d98c7d248c6b9060c8434199a19b0c07e4b3c45bb05d1e48e8ebbfa9a6dff93b286e2dedaf376cdfa2acccfa5fc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIoI.exe

Filesize
201KB

MD5
4cfd38d1edde11e10739624dd04e3995

SHA1
4d082536fe349f6bbaeafe3f25b4cad955350f09

SHA256
1f283b0d29ecc8fe311e1cda24080b2bae7dc481af66180055ee711b42c9f22b

SHA512
c2460d3add5197620bf7dc9bcdcc6f0521d10a2d2e2443d5fe4271af64089d522428f3b37dad7e86d0ff5d955d5951f19da2d806df9e6fd2d14bf9dd58232755

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMk.exe

Filesize
205KB

MD5
967c83241bb6d9afe53a6c6df294ab14

SHA1
a643c69649dc9f76730a133622c22ceb6a4d330a

SHA256
4fdad71622f901d86e03b8d0a5b2e0f297e053bfe5f8309def028717342f9fa1

SHA512
b8f54bc3be210b4117865854386ff9d184b0f01dbae78a22a9b1bc6a6415b9226c53e100523add6d601d7f9d6eeb7070ab4c96668c2c06eea40100b6314dc7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wogu.exe

Filesize
196KB

MD5
31012b3202f86f999c20ce9b71437af0

SHA1
3594964a43c4a528d188a6ac41bf57cec8b9e3f2

SHA256
8841d6664007109a6643ab5a2d309befbcb13c7fdcb80bc397ff52a731b82028

SHA512
4271b931ea4b2d6748dbac4f1cceeb2b5c39ccae80f70e498d49ce82d9518469911c53ebf63aa314dbd3b20d98d58403ee70b244ae53823b300cd38d8aa16549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsoi.exe

Filesize
778KB

MD5
cc2ef7c8b3d65b8a5bd8d14c48b27a64

SHA1
264e3037b1476ae084dd6ec5e446c6278a41b8a8

SHA256
bde5781cd22dbf0e012321260f6e34390106ad1185c91e753f59504c0ef352c5

SHA512
bd1399490c1c8abbb52516eff8d87d2035a7b5245f4438dcc03d1102c946a998d12470581ec42a3d5b361e0ba63d664711d41c8f6e4e112d2ebc3dfbdadc2898

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEC.exe

Filesize
185KB

MD5
7edb767c0967c015f1305ac5305c0c3b

SHA1
54df341364a513faff9e98aa7bfdc828f3d10372

SHA256
ca90cabea5c55f524e33a0a92362c9290cdf610ada506b098c515d52be505cfa

SHA512
c6e58a2d65d28076907ad2f81bb1df2404b31b69d6db0dd112b04f89c0a606ee2f1d2462234acd4740d17a0e03669fecd84e999aa0ee0c3adf48cf80f7705b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcsK.exe

Filesize
826KB

MD5
fcf159774c10b5e2766522ec3a140e1c

SHA1
f3eb1cc8d21b4713ef7d78f282c59ff3b494bbb2

SHA256
a23671b9d790de352f02d32f6ea9439d146fbf82f1e1b64043d1521dd75e3b40

SHA512
9aab8423d9c6b5b829db8148438b6ad8e7155368cd5efce4ad5bd5029c3ac13e01cd2659e168eb382144662806a9cd7f83cb63bdddbdaf1ffd31c695738cead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgoG.exe

Filesize
185KB

MD5
9320c595e4c2aa6d51de50bb5ee9b499

SHA1
ed45d0999e3e3ceedee7c7629f408fd930d972db

SHA256
69078fc2798b07da6cae9558717b1009962fdc9601131ef89c5659118bdc04ff

SHA512
fd2cf0f12cf82ca4827fdcf1caff57dd2696219720f3c7a59c3921a8b545bfb2823f1ce607fd3f78e3530a40886b4b710d17dcc3a235b63eb5e5d40c3ff520e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMw.exe

Filesize
197KB

MD5
8de6a86fcc125cb40c338f05469a6127

SHA1
ccd2e277da68d44b59256b7ab90a54e282603874

SHA256
a2fbae79acda101ea6baea54effae3f830015aaeeb29ea354201134d18e971ac

SHA512
53e5088f5ac14b33af2b95fb4881a396ef78303748e2a04221b363e8ab3dd62b5a839157f9e6c8ce6b32a29ab7329ef24c691bfe6f163ab83254d3f43cd2e2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEcg.exe

Filesize
433KB

MD5
fbf456aa26f9a9279260fc45f4011784

SHA1
bee0d6e89ebb0904780a36c31d02ac742b65ae22

SHA256
f7eacf4360bfb13483d94d5e5afc97766e812b44966f181e6c75954d7f35485b

SHA512
bb23e5521ae2a4650430348067a2d7dad2ca96391473b0ef83c4581635b97069ddd0c19fd6ce2c6fd08c2ef5de2c732126b2aee2185696d55670b6d2490d95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEcw.exe

Filesize
631KB

MD5
9349d15ed0896dfbb00a12e8477df2f5

SHA1
98b00c7a33e0980b1ecdf86124fac643fabaca20

SHA256
cb8e3149f7e226aa37ff27a497b57e7b8a4c5ce10a74154b744cc856f866d656

SHA512
bd7767c42e323e7dae9ee7f3dddd2a3cf11e2700e453e4fd5a8cb410f9782d93faa714a6682236519019089959334c6d9bd2039b1aa516e455b832dbbe2bb220

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYc.exe

Filesize
191KB

MD5
5f97ddae72ee1bfccd2f9d9b83467d5d

SHA1
292230279b90c237a259cbd917bc98142871cda2

SHA256
108c398b048b731b0a2470e9140b62b5b9139088a0568a7ea935dc5fdeed60b8

SHA512
c56d2f67ac5247eff3a8ef7a03800a7ac4d406cc299945781a4d789a80981c0cb74d51de8ef4b45f99097ae1240ccd38cd46839cf865e99e502805ea278fa176

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYw.exe

Filesize
1.1MB

MD5
ea99301bbdaa841c6c2008fadba011d0

SHA1
c70e6835fa6f2e00bb2662a2ad2c31fae0b92064

SHA256
0ef8ad4a6d51fe6f3521ce35038ee22286c3f0a078e8c32ac541d575a5e748a9

SHA512
0d3745bff24922aafea27047b43171ffce61f2d9386f9feaa34f8de321a681898e221c617551c927cab1c8456a16f1a98bae5abf768dc70c7ee903343cbbce36

Download Submit
C:\Users\Admin\AppData\Local\Temp\accA.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYa.exe

Filesize
326KB

MD5
ef5c0f88e57721d650fcdef9688f3358

SHA1
448938b5292e7db0739b305fe50b81ff174f4ed4

SHA256
55a2828751198a5d6ba98b8a369561bc6ca46306d5a85673beb53504d7eb202a

SHA512
d17ca3cfd39f119c3274c70fef76112b4b7e03640fd1535754fc15eb23b859573e436e49479d0f7163123b91431423a7fcd3237074dee18b4361f5e8ecc17026

Download Submit
C:\Users\Admin\AppData\Local\Temp\aook.exe

Filesize
194KB

MD5
d6b6772f2afee78bbbdbe8fe48d572a1

SHA1
54ae87f3e970a7b3e33e37c26d4ede85efa90afd

SHA256
c5451df3a49bf1c7f7bdb31faf4628769c09135f8cdad49a05799b3bb5c00607

SHA512
bf7ae906d523773969a1c4df563a6d9be5d2c5ad1d899fac1ea647028acbfeb0f4f8ef61f6e8de51c87b9111791eb687ad67e86dc1072abd7244099e92b901d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMU.exe

Filesize
313KB

MD5
83a8f97581ea19c71181411fc54af9ce

SHA1
b005609a34a1d1a4f9d3a175b8181a2a26f49fee

SHA256
568c3e2616fb9c92581437225212379bd5f307597009921ebe0f8568a79e491b

SHA512
f288db4ff0ce1175086fab89b2e353a44581cfd1424b05229ea8adf9d22bd39e51d80e4527d4b1f778974a15fb040a27581c83dc540b1229dfe06401cba99868

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUcI.exe

Filesize
559KB

MD5
11cdcfb74d12875f71423f5aa7c1b78f

SHA1
45f291adc13506b187bbaee309fbf5530de671cf

SHA256
d5628bd5ff611f35abc10f4c50102636286f9bfdeaebc75cfdcbf369ebea9e75

SHA512
7d162dae9f8935f59798859dc37a6d4941490ad7961e517647f2739f57c12071380f1d03ede38ea43d5a0fe10b1ea56a3dd3a0da4b8727245194a105137fb5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYEq.exe

Filesize
213KB

MD5
2553aabd610125954b5443f09b3c57cf

SHA1
1e70dcd4620219c3978d7fc28d29f4eab74e8853

SHA256
4f24bad297a6de92a9dbbf79786d203fcf4b5b38e2d69076dbea66f054ff9f62

SHA512
15aa03d52d4d948508f42ef69a193e992f5c898f111212ac766804b9af57af84725cf4fe56bc0cd19b24c0f7103bcd280753d72c8061eec722344a2219f16169

Download Submit
C:\Users\Admin\AppData\Local\Temp\csge.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcs.exe

Filesize
191KB

MD5
c439f48fe26271e1a00194d03cffded4

SHA1
451c657b8977970d97fe0c861423c504c1567ff0

SHA256
1c6d3f3de826444157ef651afe1a1d8c4f9af1c99c04d82f58e14d1d21380d82

SHA512
02d5d2766078344157bc8671c888c522673d91fd079f48aa8adb7dac308aec0ab49855e58694f1afa2070da4fbabf8698cf535c976410c2166e7363dc089e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQoG.exe

Filesize
1.8MB

MD5
b9d0a59d6787f063eaacb8dcdb8e5a65

SHA1
a3d76f5831a2dca59b4a35cda33001461244d907

SHA256
00498b31b8f4480d003df1c042edd21862aca07876e1c84acb0710b405d10ee6

SHA512
a8a84e09dac3ed53e602f9681a3511515b5b8f4a533ebdaaf3ab4fda4c5fe6d8b5738d8a386f69a11e6cfc86445e2b6dcc27ebc892493a89b78ef0975b37bb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUQa.exe

Filesize
208KB

MD5
86205359b8cca44a418fbd6930995559

SHA1
deaec6857c1f528b2dd64b93d611899338355c7f

SHA256
cc38a0caf04fea956b15528d409e61ff10fdff1a2903c35f4e5cb4ef458f59f0

SHA512
3e4a65e575e17e343ed76f6c4e8059b5ebf0ac6bc6697738984519a2b90b0ceec4de6f9a12e2e27826c0585074dcdadef9ca1c3ac6da076b95547aae0ca9f6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecAM.exe

Filesize
316KB

MD5
b8c348324ed2e1ce152bbd959598e0d4

SHA1
5e0ea40452c0c44711797707fe95948d33e1874a

SHA256
cfa321982d823508c932985575875a496ce1aea1ba18cbfd2d2500338aa27fea

SHA512
122a11524aa59b0b812fee9087663b3846325eab2aed1369e0a37b3779818bcdd73cc4f423bb3b7f43d7fd1f724db9aa6dab335b673777bc83b020a16543bb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEEE.exe

Filesize
203KB

MD5
c07f0393e73ddac062d80b63c8895735

SHA1
4d31827a63ba1d4457882c8b78e218f8a3b9e2cd

SHA256
149fff4944ff554df43ccfa15577b95d2a44205fcf32df096d2e76e08901be24

SHA512
a6987e9b159e432b8e2fe4782056f69af5c13fe2fc1216f0bd5018c72c99569ae0230df0fe9da5c7de59526e9a9ea5b0b5eafaecf383936b1ae2755f0510b1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIkU.exe

Filesize
5.9MB

MD5
ba4cdf459874d6bc7a27f5d6e3db8092

SHA1
091c19da349606f3269508394a8ee8db54fc73bb

SHA256
127ef8a11c05a5e7695f8c72591c22a880d6bdf6b9c1ef4967da796e2bfae580

SHA512
930d2c28599a2107f2df76d481db1182c55a5c4aab6935de6c1627104b7a92268d65cbf3bf129366d89d1325fd943ea32034dd9e8b482e756971c89dc9c1d4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\goUU.exe

Filesize
189KB

MD5
cbf469bb4b3cb8b8e5fbb3f2ec78590b

SHA1
5bc2c4bd34d5dda10766d2bda5d5f6195553d0a9

SHA256
ac8f8f898becd8b11a2ede8883604a78db50da5d949c54195f763571b50a9e2f

SHA512
edd739416262fbb4c50d70b51a1914aa06016cba0258cd15a3a20443bafe19f5ef1092bbb1a62f4197dcbcbc84f0fcbfbce5a9d5e963a22d2b0e2336ccd117eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoE.exe

Filesize
190KB

MD5
3eb761143d5150e938cc5071445df99a

SHA1
d4e15840a8e34de9640e08cb16fa141a4d50c938

SHA256
3897798e39e84c2ab8dc7d060429acc3311df8f3b0f5cd385f5c10a435f3a410

SHA512
b50a3892708a7ab5fbf60e223e197a3eb89b1c2b7a7b874bf91cf9d3bb39b30574b9534f05de32e8a713efe939a4bc021b3f17630bc48deeec8a6d6140026a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMYI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQkG.exe

Filesize
194KB

MD5
2b85133684a9f9564226c40fb814ab78

SHA1
b8ccea2a33c5ec7261af5e7dd8358df5b1e0031e

SHA256
6006e758c26cc9177c1b7a84bb9841634db0e80a59b75ede4b40650cc9d0820a

SHA512
ec6ffe50a4b879cb6e7e85830cc0f9d0194ccd27dd12eca9f4d24d97e3d1a8fec018da905e31d8b1f4ae9845c544f2f17b8afa4888d156293446cc35f51fcf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUMs.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkI.exe

Filesize
188KB

MD5
4043736782eb119128f396c759a27dc2

SHA1
710c3743cfa50d96146413a514acec13756bc34c

SHA256
554c1a29abd8747c18a118b9a6eff868f8ec31dd0c0be62625239164d55db896

SHA512
0e8a3768c9a38456fb5256a88838cc306076ba3637c5a030940e1c706ac4ac23419b7506f04dfcaeb55e2514a020ee5e1506020878da152b8197cbd12f4e048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUy.exe

Filesize
213KB

MD5
a886a96431575ffdc707a326be752408

SHA1
bd90f0e65779ef174f19eb9494615c88b7aa292e

SHA256
148db510d015be5deb63fab93db1ec9b0840a729501da73bc1bcaef0933f504f

SHA512
2169c4e788e52f314be00722687eba11a439d1b0a922e2880af85d79509714febe0ccbbe22815f85e49ef84eb9cf5d8b4ccb0146805a0a0c0c1985e1d2beeb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgw.exe

Filesize
463KB

MD5
ea195f684729a39a612f63faa20d1f49

SHA1
3ba039c91ed9785c181785c3b193c33496dca138

SHA256
775227c03215b994ba169c5dc5d59eab2f0698a17e93b9bd7b53f41481586375

SHA512
cb278182dde12246010b63070c1f914a1d7392d20401831fbfac2d6934e43fa00fcaaf9816bad30756c27296b23d15305119a4c01204f1fa709df8473455d4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcso.exe

Filesize
392KB

MD5
cf8ed15fb97826217f0fb2ef2ef44494

SHA1
d3810532f9e8dfed348c6759c679d887d546b4d9

SHA256
9b4dc73a9b84e1122691a5bb930ceb3274a6747144008857cbae68fc49e23c76

SHA512
806bdae48e9770ad7e0e8b7b6255d0acbd5691cf58c469bb9dd860451d9d5a6181a840a5a5f5a7e0852a86111dd5edf9a02a250c7a61b0f92977a7d17a603555

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAe.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwge.exe

Filesize
418KB

MD5
2cb9a642d2b66ffd986ccae7bceba09e

SHA1
6d252736ebcabbd1538bcf3252db4bfb7a455cbe

SHA256
667834e3a30b657ffb465434832dd8a12f6774158b524a00026bcd54c2a35eee

SHA512
12ee98b56e1b1829b68bf90cee6151bf3e0aac57730297d4e9d69323912349ced7434d2001f34009b22b4fbda3fe70c08dbd16d3aa4ab78abe91dfa50a25bbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcg.exe

Filesize
647KB

MD5
e99bf2cd29a5d526c31600d2054ee3d4

SHA1
6f29f9278f225e89b09d8787d82afa146697bd73

SHA256
3724c83c055bd85298d3f472ac83fd3d803b09ea95db041c58bf2bc7c9f318ba

SHA512
1128a7ccf420e82d7e59afee3c39afe3b6046715d31d5869f0b0ed44e2d106c32ed2be95d633a7a6a1b3ab1180403c2a7a53563943bea36546be394c11c7eb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQsc.exe

Filesize
308KB

MD5
38375f3ee0e9ad5b2a49ae854ae01a1c

SHA1
20a18f05ed7546613babb934825061ed82b3e9e4

SHA256
63179ba8aff4755603dfdf5903dc43296d399b7471b710e3e99a5a04ff5402f8

SHA512
d21b79392e409a3e94d3e2b8c25ec9b1e7b55748b6945639cbab3ab25f049c56d697d2f7a86c134e725e01b59932761adb3656deeb76c6a638b0d98ad061cf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgYc.exe

Filesize
367KB

MD5
a855a261708e3b4171fc57b1f6bd485f

SHA1
30372e3b8e957eb48201ddcee59ef9d9d36dda78

SHA256
b13d49fe257ce840dd5b39bfd9447d03f5b1ffdafd2cbabf35d312cfbebff018

SHA512
93968b7b836ad85dd7d55589ace3a8e5cc94334e8df260a707c7df4543e787f68382b08aa97d769bee2830866be2eb027881bfd40ecef33656512c7d1c3fa89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkMO.exe

Filesize
203KB

MD5
84eaa171c829b8659403ac908e0cf122

SHA1
21309cf36737a7217ed20d44a7ca05e4d9d52ff4

SHA256
d06e6a25b97c1ff0c85af1b13aa0f46a653c75fa6007b2ef0bc1463135322f14

SHA512
feba7e04baa50041168c9a16d970c3c855f312d4ad8b2490eab7f82a30d351408c10720176851a65ef5ca90de00a66399ca1d465066a89f77dec0763dd6882c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwYu.exe

Filesize
411KB

MD5
55703da457a8bc81714cf17fb63b5226

SHA1
9c5c77536db8097648ffd61abf8ad79a598def65

SHA256
a3f749b112b8c9693925f4a33658c992923fa75a3a63df5c60f1546311a2977b

SHA512
ec982c3f0debaa2800d1f3268d948dbdbd170860492d23dfad414fdb66868fce264a725b32270ca03842079e770934128a8a38f8ad6f3c964cff1c41d6d03cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAsU.exe

Filesize
420KB

MD5
6122f9eb71f93fb6ad1c825ceab4f0bf

SHA1
29fbb5bfbf5e8a44357d71b921e035c7b0636685

SHA256
7ebb1c5c44324e13318ba50c61661935e77cf39ffa938c75b78702bf303112d9

SHA512
44917f355c581384f69fdfecd0afdae8f6ba8eb70591a586436ae906c5f09340acb6681e95c30656b6d225b325e907da0a9c13d4d6acdf198b1c0b7f901f769f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYES.exe

Filesize
209KB

MD5
28e9032842501c902fe15c706b59e11b

SHA1
128d4c5db05b5158ba59fe1c5e7de600af9c84a3

SHA256
375774a49c9f56614bb47ca2f13321652c1f143da752aebd2a6cd5b30190474f

SHA512
d437cea15d632f25f46e507738194d48ae87426a3eda8855f4d30a79e4c3e0273728e298744ccabb053b5aad9b2445a5694888f3d8ccd046d254842ae6d15bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAS.exe

Filesize
309KB

MD5
92dced003f839dbfea6737578cba12aa

SHA1
1ed8caf7a92eeedf0c1a978a58f233795eef4521

SHA256
de285013208d702e54cd32d2b434c88e24f9373bdd82fc33af2ba24a044e7480

SHA512
dca00be00114ac9b41c0a94e47308f29bca3af7b6cd2c4f11c3abb3783df18defaed43f03873ea983e962c461f763e473fa2c840e1f0b26de442a5d56b7689be

Download Submit
C:\Users\Admin\AppData\Local\Temp\owsa.exe

Filesize
633KB

MD5
4f9cc96921b7487af7e06db8c2c6908e

SHA1
7a2f7bffbe45273fe3b2a737c4208be6dff2816c

SHA256
25d87b6a49c1939f21d67e473f2e8ae11719f351bee8d44bf9afd081bfee1b98

SHA512
80dacbff1529617defdb17d453267e989f361da8b3f77ab9aa33eb48d4fdf9458d691d328245334a29f1bc6674accd4bd4158d2fb0c0369debc32c7dbdf710e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoy.exe

Filesize
186KB

MD5
8a5edd483fd94d4f946c3fc448dd5ee0

SHA1
a24216d0de6db9cb86b689bcf150b2dc3b5c43f0

SHA256
bc7d9032ba6f37dec76f0b5d7b504651ec0052e55f9ce41c98b45f349722c45b

SHA512
29acce646c916ff35ce2f31f668a1437349957f5493cbe684f180e084befa2cca6723734c2cd5e5f1054f0c63a12102be044d6c6efabbb441f038b72f867dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIMK.exe

Filesize
813KB

MD5
83565390a33ad07ba497e7a255a24729

SHA1
5618b2e8bf1642bc0b1ec80af78817c847e7e64e

SHA256
0b61d4ba8c5df1ff13eece18ff5fa7089264cbf6d6a8c815f4476fcdbdb4d580

SHA512
55cab18a16d5e051d296f10967c41b0378bd5edd0a414a5a549b57067df18288842fc1769151d5fc979145ee0cb09c65a1e1bf753e5396785e9bf73099bea2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAY.exe

Filesize
191KB

MD5
a7d8b97cd5a381ba815ebf2b763cac39

SHA1
49114faaa8ec1c20dc82da5b355f13d1d65379e8

SHA256
54a2ed5a2aecc585456aa6c6b041df994db6d4cdeee02f462d1f4d424fe79e68

SHA512
b02426379ab89a6c37077c7d4f967dd5d907340a2b96002e5608fb9a83aa3b3a6458b9a67e8f221f954c4f5b002e629642afa8908afd302a85c4d9cc9bbe0e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUE.exe

Filesize
200KB

MD5
fa882d3f77ac59faa9efd568954cf3cd

SHA1
7de683352d5135a79285e2e703720e416b231925

SHA256
fd504949323db17d0b85cfcc8d5df0976bddeb8ac831477df19cec03207e5f09

SHA512
2c9b61ada41c0165cbe2d3604ad6d92e6636372a914185ad4b23133c2f6f4a563cdb1a9b2483bbd2b2caab84efab589839e51965e97728467861d1a612ffb6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\swIi.exe

Filesize
198KB

MD5
c181c95c6e848663720b3cbf309f27a2

SHA1
bc90cd5f168cda83877d32baffe8864a9e38ec3a

SHA256
cd1bc2e6b25ffaca47041e9e5967ca3a154e93524a81b35201a738b23219677b

SHA512
918e470b7130c89bce3c04c3fdada20237b3c583435290be3d70d7b726ac76ea188aefe70e6b86e923a3410cf7620f222b221796fbcd02ff470113991519cc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUu.exe

Filesize
770KB

MD5
7ae6a27249b7aac82adcea663962be88

SHA1
abf3c79c8e0e03384fa7b26fcc591bab95dae61e

SHA256
5269bd3eed71177ecbc8f89f2fec49cb747808f85e10090a72e662639216d4a2

SHA512
eed717df0441ce44c688dced360b57a050203eb823fad385c18e1d56bdfedad0043b76f9a0e87e120cbc483d8c505ad66a4b241c27a305097393e4d645ec722f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUwS.exe

Filesize
5.9MB

MD5
c095f2498bad0b147f59b90cc904b4f6

SHA1
ef82321761bb5932abd9635d8e6f11a3aa52dd54

SHA256
1ec41ecb8577791a86557c20b0a2d436ca72e255433e5d8410f1bda6a8ed9f8a

SHA512
81da32b581e1206e5d9d29adc4f51cfa2bd3d4c2c2fdad707f0dd1801898f1fd2f8325e768ea015be8a0a50ee8fbb86f77a8efc529d6e25e81b143eb7f6a958d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAg.exe

Filesize
205KB

MD5
8cc406669b0ca45e2989667adf3d20f4

SHA1
76027e12b8926bebd298150ad3e096e1e3cb37e7

SHA256
2814bb4efcc757265dd5541c87be2c16c2718109985187697735606bd8be032c

SHA512
c0a941f1530e82f59d9531d0064bb95a0813dee26f6b338216139ba78bdf55d7a79b5a092f1263e051f4f359a58a2aa0d55c63b2743740f52217cea0ed94c577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukgk.exe

Filesize
719KB

MD5
a286ff8d4a68a5e73b3e10081df02b8b

SHA1
a13e3ef7f491ed42606f93ba8992ca4ba5d241e4

SHA256
10146cb03ea0ce119d985b6a5f65a66f3b9168befc1785a903ab93aa4dfd2b01

SHA512
fb2987d4fbcd274caa67f74e9db82afab40643daeffdc10187e995a153f41fcb29df77246d5375f5ad437a4536722656e1de764c51f7e0e412148b9b7584931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAoQ.exe

Filesize
5.9MB

MD5
35ecc2d71b96da651b9e8b14e91fb91c

SHA1
793c22dd6c7c8dbfb6fc3b34c67d425bfd8dafef

SHA256
5bbea383ecd1c1ce3ee7745e71c0890cd468b9e40558bc33847a5adccbc3e85a

SHA512
700ff3bdd92a127899e768d5ff7ce198a6dc6a89778c6e3f74e0650da280cca0721070a1181fc9a985986e939cdda81d597aa36fc9caf40672d21cc9b42280b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEIK.exe

Filesize
188KB

MD5
c1ec1868b677f3dc9bf129a17f831d5d

SHA1
2c391f8759e7ca5e4889a372d35abb687c145751

SHA256
5496c5e355c18cd08e274d6125cc1bd4b76a9e0e0eb447ab3d353eeb0e4d581c

SHA512
c5ce3932aa179bc0cad0da1420b14e1dcd45ea6484a99b17d026ef38371726fd7f078f87f68ae5d2b77dbb4e33d8bc74c6ea52d684a3faf4d4c4c8ed7be285ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgQ.exe

Filesize
259KB

MD5
342e2a2aebf6c4f1be59eadd86caefc4

SHA1
5f6bdecb8068a3b26d26a121a3a72271d5495302

SHA256
18beed552a2e25a18e680d39efb4448088d618c2ad8cdb5d82c3d19a1b5951cc

SHA512
65cf29e38cbb0688187a572d01fbfb80ea26275bec513f3be8bdd2e5b01f983126bb2d91654475bd41398dd0ca56f8ea11ab3754a767246b369a8e5d19200fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgAE.exe

Filesize
656KB

MD5
68dff89111cf2b5ebd95e4d05630ef84

SHA1
2104a1f228acc5f2b1cb633a3d8ecaebbd8e9094

SHA256
7d8fa80c60e71a4823cfb3ded54a4ebb7fb1a8e6c58e5f500999d579f2c13404

SHA512
12366f3f06dbbac28a82775c1d169fb545737641cffdb9e724ad1990748add8f052c86f2f5bad4f8d7f9ec813b816d037041e52f03c007cb917c07b358d36130

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssu.exe

Filesize
198KB

MD5
cfe3c8aacd17b16b54069198a13359de

SHA1
40b483ed3290b933b0dc38f3a85d128adbc19884

SHA256
a12343ddd7a49c86973da77cf83fa1dc95165d6bc0d1f5fed3f5b239557355c8

SHA512
917530d269c94588419d130521b4ef208a69ecc77f26d6aab8de96edd7c612cd2ebae28d780a0e03c8c4b06130a2aa35d6ffa7823f14f07954e43fef38b6efd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAom.exe

Filesize
194KB

MD5
a8bb9d1a60afeac199d1633c7e5ad0e2

SHA1
102bdc4b6e443eaa62ca631005d6dd0f5265945c

SHA256
4101d0426d0192cd43127cb381ccfe8caf894a88a82f8563c4eb78c1005b5e48

SHA512
52faf31077b2becaf7ddbfff860e8c1a79ec1aa61e63cad0b3a727d8e4f00738101df9c3b0347f63c018c53bc841d9570ee673170708656a807478b7c3a3f985

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcU.exe

Filesize
190KB

MD5
c005ab62c970f6fdd8c7a51ebefce44f

SHA1
1ff8caab5cbb655559652e1958da7d417a06eb19

SHA256
8883452a5fd6b4fd0cb185b17a180c67c0fa7519f1a2600b2e672828153276f0

SHA512
dbe77387815915d37c0c2e04bad6fc6e73e9d990f7180eec1e3f4565fc5193b14d48461cbd21c4d3a9db71d4b4b9018bb6c14f62686625e3559d00132de86a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYA.exe

Filesize
800KB

MD5
01cba9a9f69089ee04910d022ae089cf

SHA1
7b69bded2198c9863f6888e8e62f737ece916197

SHA256
59804cc11e3ae3c6f609ccb352941ede66f75194c258615375e47110fb1fcb55

SHA512
38548ca2b4e411f55097c6d908b711e7e5f57321e3659cdc386c54ab937a05ea34677c945a40b7f1bb16e1d5c8e67c69591832fb56ecb9212fa62cbdd70f2e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowo.exe

Filesize
181KB

MD5
e361d2af5a796af8ec50305d14276d81

SHA1
0bdb06a3673cd00c67797024faf7e8365cacbb9c

SHA256
c5204615fa394a2ab073fb7ece70776ab3ba0001739e8977fd9782b44a44acad

SHA512
24c21e2975c13be5b1ed721f739c07fd0a972f7411a35cbd118157d0c1ab7d43d902b1422b1b7a81b1bff6175bd68d595e59e7c0fd9a3f32c79755745b61d5c1

Download Submit
C:\Users\Admin\HaEgUIoo\hcgsUIkw.exe

Filesize
181KB

MD5
7d37a5d69ce9231d918ea559371246ab

SHA1
f7cd005773a75a1aaf2e03413bad4d747f3f5098

SHA256
2b1e0bd4fb44b53b4535cb8ece7861efee2f19b947b1bd5bf100373bef734fa5

SHA512
b860cd6f7a4b61d51aba4866ef86e154c53bc49ed832309e59832716c844cdfb01e29d7674d4f07c82c97f7909a96ed12043420ade8dd71829c90c4bb974fb20

Download Submit
C:\Users\Admin\HaEgUIoo\hcgsUIkw.inf

Filesize
4B

MD5
c440c2bc9dda0ff15e32f9796233bbfe

SHA1
7a80def83085f6b89e67cee6cce2a58684ec7b5d

SHA256
dd4395dd6a819019b682d87441395d2f703363d3dfcbea8f2d62df6927b3ae59

SHA512
a99be080e3e14777c1045040e06926800343936671d54880c40d7cdd539a4183cba8fb85c0d3b217bff50e7c786138cabbcfbf8238cafb8e964c5da14efad647

Download Submit
C:\Users\Admin\HaEgUIoo\hcgsUIkw.inf

Filesize
4B

MD5
c7db13defa9e8237044b0cf9fdd26f90

SHA1
f5dbc99ae93cd170c4aaf7c7968a0d0c8ec5b15f

SHA256
3d01be538783c9a0e5ec2d5b8048e22a77a13ce3835e6dab9a6342e5b8c0f422

SHA512
3182903c78e92f951efa76de2c401b89ef1008fb0c37267df943cd67a62a6926e0817b16384450055442aa1af00d105d0b548057f581903a7702ecaa56088146

Download Submit
C:\Users\Admin\Pictures\ConfirmEnable.gif.exe

Filesize
336KB

MD5
0cb6e9a853d393d5634e38dbcbf197db

SHA1
f8541726ea8b1821608663b3cde53b44217c719a

SHA256
71b6e1aea0996e7ea099b52e929c64324f1d6c62b2e85d8acb180117d05565ef

SHA512
921b3ecdfd5faec0d7d08ad1164684b352c4ecc6a47d979ec5f436198ad1e621187f5ecbbaefc25d3eeec9a3d776ad4ec902a077d4d0ed4c1a29e11eea5c58c4

Download Submit
C:\Users\Admin\Pictures\DisableStart.bmp.exe

Filesize
365KB

MD5
d9e9e7f94bb5047b906857b02d9c8d5b

SHA1
ad0794f519c23f46ec74e01389f07c575779ab8a

SHA256
0876a54247e3abd5f0f046cb68c96ca6a7231acd0db1c95b323adf041a33559a

SHA512
45ee6478cd425156f06e37c33581351f38c35fea88d40614619382c0de73804f191e039c1a163150a1927c49ee70cb78e2f5e7d078c3636ca76f52a7dc573148

Download Submit
C:\Users\Admin\Pictures\MergeAssert.gif.exe

Filesize
386KB

MD5
0a2b87fed9e026a7ce4e7322659b5a00

SHA1
147c882cdb8fd15fb4d453d8ba6c1265e311f6ac

SHA256
718fb169cf605142b6516d77253df0a6c4594336a978a685aed3170774e42ff3

SHA512
b24c303cf3128d010e1b67d2c3a61d4c0bb6e7571de1a0704fea228270c6b6c90cfda779f4add6343bc22efeed8391944f9ac7b004670166f52dc04e6b121791

Download Submit
memory/232-572-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/384-554-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/444-116-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/808-188-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-226-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1000-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1000-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1008-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1096-703-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-276-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1240-328-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1244-411-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-447-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1492-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1492-483-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1592-43-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1636-626-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1664-294-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1776-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1780-678-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1828-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-260-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2108-482-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2172-599-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2172-607-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2180-503-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2180-511-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-512-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-520-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2248-546-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2296-393-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2296-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2424-580-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2680-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2680-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2908-199-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3060-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3060-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3108-249-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3108-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3236-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3236-214-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3320-320-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3344-472-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3364-456-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3364-597-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3364-464-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3396-634-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3420-410-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3420-420-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3456-609-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3456-651-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3456-661-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3456-616-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-348-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-357-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3584-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3708-286-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3740-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3740-429-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3816-338-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3816-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3820-739-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3896-268-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3964-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4092-336-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4104-302-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4228-455-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4292-642-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4296-528-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4320-392-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4412-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4412-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4452-310-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4528-650-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4556-384-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4568-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4576-501-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4576-492-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4596-562-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-374-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-366-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4688-538-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4780-428-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4872-662-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4872-670-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4900-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4944-142-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4944-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4968-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-237-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5076-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5076-117-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download