cb25d79bd562a8a942a428064ad99df4e1bd0b760a3ee3aa094f54ce13cf688a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Size

245KB
MD5

2b8df627c8569cc1b1d3254598fde007
SHA1

071ca7c5c043a99c4d14470b9e2a9b60432dd1d6
SHA256

cb25d79bd562a8a942a428064ad99df4e1bd0b760a3ee3aa094f54ce13cf688a
SHA512

392689f50448cc5a8478bfa2fc276a162def723180127cde6ca7071b3edf1b6c0b1ce67141d35b26c9d1e3dadb6fbd4b8ce1c0d93de2b772bf00f1ce56fe0009
SSDEEP

6144:dmB7pzJBKxGwvRlZcIebNZGNZ8oxFB11:dsF6Rfc9QNS

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TrustedInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	yWIkQYgM.exe
2336	lKccIQQk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWIkQYgM.exe = "C:\\Users\\Admin\\gWgogwMw\\yWIkQYgM.exe"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lKccIQQk.exe = "C:\\ProgramData\\WWEMgggU\\lKccIQQk.exe"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWIkQYgM.exe = "C:\\Users\\Admin\\gWgogwMw\\yWIkQYgM.exe"	yWIkQYgM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lKccIQQk.exe = "C:\\ProgramData\\WWEMgggU\\lKccIQQk.exe"	lKccIQQk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yWIkQYgM.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yWIkQYgM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2720	reg.exe
4896	reg.exe
3520	reg.exe
5032	Process not Found
100	reg.exe
1040	reg.exe
1608	reg.exe
3044	reg.exe
1356	reg.exe
4636	Process not Found
3216	Process not Found
1860	reg.exe
4868	reg.exe
2016	reg.exe
2220	reg.exe
2164	reg.exe
456	reg.exe
2868	Process not Found
2644	Process not Found
4408	reg.exe
2468	Process not Found
3416	Process not Found
3544	reg.exe
1184	reg.exe
4500	reg.exe
2192	reg.exe
4492	reg.exe
4272	reg.exe
1040	Process not Found
5100	Process not Found
4144	reg.exe
4532	reg.exe
1384	reg.exe
3344	reg.exe
3036	reg.exe
4956	reg.exe
2384	reg.exe
3416	reg.exe
3284	reg.exe
3424	reg.exe
1644	reg.exe
3616	Process not Found
1480	reg.exe
4304	reg.exe
3344	reg.exe
4280	reg.exe
1472	reg.exe
3096	reg.exe
2900	reg.exe
1196	reg.exe
4300	reg.exe
3848	reg.exe
2940	reg.exe
100	reg.exe
1200	reg.exe
756	Process not Found
3732	reg.exe
4956	reg.exe
3976	reg.exe
440	reg.exe
2312	reg.exe
5100	reg.exe
3772	reg.exe
844	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
3784	Process not Found
3784	Process not Found
3784	Process not Found
3784	Process not Found
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1008	Process not Found
1008	Process not Found
1008	Process not Found
1008	Process not Found
4156	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4156	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4156	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4156	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4476	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4476	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4476	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4476	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4616	cmd.exe
4616	cmd.exe
4616	cmd.exe
4616	cmd.exe
2296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
5060	reg.exe
5060	reg.exe
5060	reg.exe
5060	reg.exe
3036	Conhost.exe
3036	Conhost.exe
3036	Conhost.exe
3036	Conhost.exe
2240	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2240	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2240	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
2240	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
3544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
3544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
3544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
3544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
1544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
1544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
1544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
1544	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
4620	Conhost.exe
4620	Conhost.exe
4620	Conhost.exe
4620	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3324	yWIkQYgM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe
3324	yWIkQYgM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3324	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	89
PID 2388 wrote to memory of 3324	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	89
PID 2388 wrote to memory of 3324	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	89
PID 2388 wrote to memory of 2336	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	86
PID 2388 wrote to memory of 2336	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	86
PID 2388 wrote to memory of 2336	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	86
PID 2388 wrote to memory of 3632	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	87
PID 2388 wrote to memory of 3632	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	87
PID 2388 wrote to memory of 3632	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	87
PID 2388 wrote to memory of 3228	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	90
PID 2388 wrote to memory of 3228	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	90
PID 2388 wrote to memory of 3228	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	90
PID 2388 wrote to memory of 2152	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	93
PID 2388 wrote to memory of 2152	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	93
PID 2388 wrote to memory of 2152	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	93
PID 2388 wrote to memory of 3732	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	92
PID 2388 wrote to memory of 3732	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	92
PID 2388 wrote to memory of 3732	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	92
PID 2388 wrote to memory of 3508	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	91
PID 2388 wrote to memory of 3508	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	91
PID 2388 wrote to memory of 3508	2388	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	91
PID 3632 wrote to memory of 4296	3632	cmd.exe	98
PID 3632 wrote to memory of 4296	3632	cmd.exe	98
PID 3632 wrote to memory of 4296	3632	cmd.exe	98
PID 3508 wrote to memory of 1332	3508	cmd.exe	99
PID 3508 wrote to memory of 1332	3508	cmd.exe	99
PID 3508 wrote to memory of 1332	3508	cmd.exe	99
PID 4296 wrote to memory of 3640	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	100
PID 4296 wrote to memory of 3640	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	100
PID 4296 wrote to memory of 3640	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	100
PID 4296 wrote to memory of 5032	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	103
PID 4296 wrote to memory of 5032	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	103
PID 4296 wrote to memory of 5032	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	103
PID 4296 wrote to memory of 2384	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	152
PID 4296 wrote to memory of 2384	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	152
PID 4296 wrote to memory of 2384	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	152
PID 4296 wrote to memory of 2872	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	149
PID 4296 wrote to memory of 2872	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	149
PID 4296 wrote to memory of 2872	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	149
PID 4296 wrote to memory of 4620	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	105
PID 4296 wrote to memory of 4620	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	105
PID 4296 wrote to memory of 4620	4296	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	105
PID 3640 wrote to memory of 2604	3640	cmd.exe	106
PID 3640 wrote to memory of 2604	3640	cmd.exe	106
PID 3640 wrote to memory of 2604	3640	cmd.exe	106
PID 4620 wrote to memory of 3852	4620	cmd.exe	111
PID 4620 wrote to memory of 3852	4620	cmd.exe	111
PID 4620 wrote to memory of 3852	4620	cmd.exe	111
PID 2604 wrote to memory of 4376	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	113
PID 2604 wrote to memory of 4376	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	113
PID 2604 wrote to memory of 4376	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	113
PID 2604 wrote to memory of 440	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	162
PID 2604 wrote to memory of 440	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	162
PID 2604 wrote to memory of 440	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	162
PID 2604 wrote to memory of 2476	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	160
PID 2604 wrote to memory of 2476	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	160
PID 2604 wrote to memory of 2476	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	160
PID 2604 wrote to memory of 4280	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	121
PID 2604 wrote to memory of 4280	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	121
PID 2604 wrote to memory of 4280	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	121
PID 2604 wrote to memory of 1624	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	180
PID 2604 wrote to memory of 1624	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	180
PID 2604 wrote to memory of 1624	2604	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe	180
PID 4376 wrote to memory of 3784	4376	cmd.exe	119

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found

C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\ProgramData\WWEMgggU\lKccIQQk.exe
  "C:\ProgramData\WWEMgggU\lKccIQQk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        7⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        8⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        10⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        11⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        12⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        14⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        16⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        17⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        18⤵
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        20⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        21⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        22⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        23⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        24⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        26⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        30⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        31⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        32⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        33⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        34⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        35⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        36⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        37⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        39⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        40⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        41⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        42⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        43⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        44⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        45⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        46⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        47⤵
        System policy modification
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        48⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        49⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        50⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        51⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        52⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        53⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        54⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        55⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        56⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        57⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        58⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        59⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        60⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        61⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        62⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        63⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        64⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        65⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        66⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        67⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        68⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        69⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        70⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        71⤵
        System policy modification
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        72⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        73⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        74⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        75⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        76⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        77⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        78⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        79⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        80⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        81⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        82⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        83⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        84⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        85⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        86⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        UAC bypass
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        87⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        88⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        89⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        90⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        91⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        92⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        93⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        94⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        95⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        96⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        97⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        98⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        99⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        100⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        101⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        102⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        103⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        104⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        105⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        106⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        107⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        108⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        109⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        110⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        111⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        112⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        113⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        114⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        115⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        116⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        117⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        118⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        120⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        121⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        122⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        123⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        124⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        125⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        126⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        127⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        128⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        129⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        130⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        131⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        132⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        133⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        134⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        135⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        136⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        137⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        138⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        139⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        140⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        UAC bypass
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        141⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        142⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        143⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        144⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        145⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        146⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        147⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        148⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        149⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        150⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        151⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        152⤵
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        153⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        154⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        155⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        156⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        157⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        158⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        159⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        160⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        161⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        162⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        163⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        164⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        165⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        166⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        167⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        168⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        169⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        170⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        171⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        172⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        173⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        174⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        175⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        176⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        177⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        178⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        179⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        180⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        181⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        182⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        183⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        184⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        185⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        186⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        187⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        188⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        189⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        190⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        191⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        192⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        193⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        194⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        195⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        196⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        197⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        198⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        199⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        200⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        201⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        202⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        204⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        205⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        206⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        207⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        208⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        209⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        210⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        211⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        212⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        213⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        214⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        215⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        216⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        217⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        218⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        219⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        220⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        221⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        222⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        223⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        224⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        225⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        226⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        227⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        228⤵
        System policy modification
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        229⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        230⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        231⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        232⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        233⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        234⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        235⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        236⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        237⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        238⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        239⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        240⤵
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        241⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        242⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        243⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        244⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        245⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        246⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        247⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        248⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        249⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        250⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        251⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        253⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        254⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        255⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        256⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        257⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        258⤵
        UAC bypass
        System policy modification
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        259⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        260⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        261⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        262⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC
        263⤵
        System policy modification
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC"
        264⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeYsMQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        264⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMQEooQU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        262⤵
        System policy modification
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEcEEcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        260⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        UAC bypass
        System policy modification
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIIAQssY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        258⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        Modifies registry key
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKAEwYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        256⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuskAUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        254⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwYAEQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        252⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQoogss.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        250⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AesoEoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        248⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iycEsMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        246⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqQsEoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        244⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecgcYEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        242⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leAYAMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        240⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAUAUMso.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        238⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        System policy modification
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQAUQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        236⤵
        UAC bypass
        System policy modification
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        UAC bypass
        System policy modification
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgIIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        234⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        UAC bypass
        System policy modification
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcQwIUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        232⤵
        System policy modification
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoQAssMA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        230⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        UAC bypass
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuMYUsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        228⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIQoQEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        226⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUEckAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        224⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biMUgUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        222⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsgYsswo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        220⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyckgAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        218⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGEoMQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        216⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        System policy modification
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HykkkEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        214⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKkMgEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        212⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies registry key
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgogQksA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        210⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUAAIYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        208⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KewoEwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        206⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsscUogg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        204⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiIQAUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        202⤵
        System policy modification
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        System policy modification
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUQcwUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        200⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMEcoMII.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        198⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYMsUIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        196⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOUgcgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        194⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWUkokoo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        192⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkgAQgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        190⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoEkwcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        188⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MocIMYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        186⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwEwoEME.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        184⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUUEoIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        182⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqYMsQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        180⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwYcYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        178⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeoYkgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        176⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWsowIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        174⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwMMsgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        172⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEMwkgQE.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        170⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKEoYcMc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        168⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEkoIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        166⤵
        
        PID:1312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FywoAMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        164⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugYUoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        162⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYwkgsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        160⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWQosEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        158⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuQEwYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        156⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEwwsgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        154⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkwMIgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        152⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcQYwgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        150⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuQcYQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        148⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQIwsskg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        146⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUQskMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        144⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwAwwUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        142⤵
        System policy modification
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmUoAwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        140⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGQosEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        138⤵
        
        PID:704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekQwwII.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        136⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUgkEIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        134⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ResEUIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        132⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIsUMsIk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        130⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcQIYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        128⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keEQMIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        126⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKIgIsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        124⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYsYcksI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        122⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWYkEoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        120⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWMIkwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        118⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkgkQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        116⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQwgYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        114⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsAEAQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        112⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQQIYcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        110⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foIgowQY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        108⤵
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsIIskYo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        106⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQgwAowc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        104⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiQoAwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        102⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSwgYgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        100⤵
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMggYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        98⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSYMssEI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        96⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laEYkwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        94⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmUcQAQo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        92⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zowkokws.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        90⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOMsIkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        88⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAYUYgss.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        86⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcAEsYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        84⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcMEUooo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        82⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSMkwgME.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        80⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqUIIwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        78⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeEQYwow.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        76⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laowUcow.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        74⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heEckwos.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        72⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWkoccYA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        70⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TigkcIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        68⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwUsUUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        66⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuUEkIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        64⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueIMEsss.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        62⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAUsokgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        60⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NawgIogw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        58⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQIwwMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        56⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyogIkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        54⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foYgcIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        52⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsYYwUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        50⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmYYsQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        48⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGwYsEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        46⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIIswEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        44⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mysUQswk.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        42⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQAIAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        40⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyscgYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        38⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tikMkoco.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        36⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcwAsYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        34⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYsQMwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        32⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEUMQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        30⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqoAUksw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        28⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGAYgwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        26⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSYAwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        24⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGoAEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        22⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIccMEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        20⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIUwAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        18⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsoMckUc.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        16⤵
        UAC bypass
        System policy modification
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qacgIcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        14⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcMcIAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        12⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSMUAoMg.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIogYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4004
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmwIQUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
        6⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4280
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcMUgMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3852
- C:\Users\Admin\gWgogwMw\yWIkQYgM.exe
  "C:\Users\Admin\gWgogwMw\yWIkQYgM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IswwEQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1332
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2152

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 987f506f9a08eafe364855499ece0a18 azeZlb2Cj0CoZPZ+6cr8Mg.0.1.0.0.0
1⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3828

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- UAC bypass
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:488

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

Filesize
520KB

MD5
ce330285d619612c80fa7008f4486cf3

SHA1
53c4b040372c3eb51d15fa2a7589df0e2c1d5ddc

SHA256
be92842b809473d9003ebb85d35e756e2a9d7f36cd3dd2bcf51dec20aa918800

SHA512
4308eec016f28d293d09b1a70001fe63d738778a4527d61077360744f3a90f20eec2ee9b824db7d399b9866634ced25921e858517a2b420831c11379d816601e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
319KB

MD5
20d1427c202b089231383fd1907c062a

SHA1
7d0fe210815f09a265318b52e2daebeef3988fca

SHA256
8c568c66db8287db7396c03f681754e1856adc950674cfb488a66bad9ecd335d

SHA512
474325483b34f4bbbcb46dcd045c11cc5f856e96b99397135d084c12493c607ec497d850194d6d545a7e549f76d83698e25c62b1d0e88480ac6778c0c7e41413

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
212KB

MD5
2e1fe6f313d498b66f753de332b9202e

SHA1
2c3c73e244db250151e5bca534f98c5ccb0bcbd1

SHA256
f3a5c667917412701226a197db30d93c7cdbedab33370358c4c166ae2ae4f7ab

SHA512
b53c7a80dc74de78ae58ec01c5aa1bfaddbec2d5224a90fab59912c47ebc71b24696484e9c5edaba9927e407485a34dbb509c6ce0d4f1bdab01b592dfb60dcbe

Download Submit
C:\ProgramData\WWEMgggU\lKccIQQk.exe

Filesize
188KB

MD5
59b387ed669850a3a13c7b59c0aa5b22

SHA1
b760f5566a20ad3469427549fd39b36ef1f7b8a2

SHA256
a51d86609706e40f5a63a4cef6d23126e7fdc88d938641b9f6c821ae86ffbd14

SHA512
4aa09f7403260e88fbf7407e2547239226496cb33034e0bffdfa200aee7cee2e23fc4db60bec87fba6faace9e08f5be39dc75c2d3baf944c308ffbca9ff06f60

Download Submit
C:\ProgramData\WWEMgggU\lKccIQQk.exe

Filesize
188KB

MD5
59b387ed669850a3a13c7b59c0aa5b22

SHA1
b760f5566a20ad3469427549fd39b36ef1f7b8a2

SHA256
a51d86609706e40f5a63a4cef6d23126e7fdc88d938641b9f6c821ae86ffbd14

SHA512
4aa09f7403260e88fbf7407e2547239226496cb33034e0bffdfa200aee7cee2e23fc4db60bec87fba6faace9e08f5be39dc75c2d3baf944c308ffbca9ff06f60

Download Submit
C:\ProgramData\WWEMgggU\lKccIQQk.inf

Filesize
4B

MD5
68e0dc732dd8bb7f0a6e1463e0ea3779

SHA1
cd43cd272d31f901d6d5501935eb8f6ed1ce74e8

SHA256
e65c5e8d9423fcbf3a932af34eb2d32ac3ad1559a9793a578b330bd1f0a38525

SHA512
00911a0dbefc7fa8ee099b468ed26d115613875e259a1b17823f76eb5d1dd2acc0cf5004050fb4a0037a75891c580b64debdec2d5747e200e5051fb4081b9555

Download Submit
C:\ProgramData\WWEMgggU\lKccIQQk.inf

Filesize
4B

MD5
d7c5e81c5865685f41b24fc520d4e910

SHA1
2c8ea847351a3f3dc50eda62ab4a46ff6b1ca0a4

SHA256
4e984f42cb64cedb2169d3fc0d7b81102cea1fc80ba4b3fd319c2c4a7afc2ad9

SHA512
3b9ff74de85515808af6e8efc62c9dbc372e276599f6a48740b1cebad5005ede79792835a5079b4813960706a21fbc6adbe51f8f55100fdb57686c3ab674421f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\128.png.exe

Filesize
192KB

MD5
f4fcc70ced289d69400fb8ef0a1abd8d

SHA1
64a42bbe17e0ddf9dfd6cc0fad0c8a3159b9c45d

SHA256
06739be4f0a0cb4520bc52ca9aab40eabcdca2b99221d6605a272fb95dee2e23

SHA512
ba5850a5d0fb40367e112dfb18f9646ec49b18c67cef29ab6f148fd750a217c72471b532abaa88a2b9cfdce449ee6ba56c5f850f2d9f9fcfc635b5c17d7e1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b8df627c8569cc1b1d3254598fde007_virlock_JC

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUci.exe

Filesize
199KB

MD5
78a4be16200500833ee0fe95cf1262ac

SHA1
a660abf5e0d36c4d79f50e040740dddc0b4e26de

SHA256
1b41c5dab1fb49adefaf73af14371ae47956c7a968368dcafce9deda5a1dea88

SHA512
f01f189a03aa65f096d4425843bb8496a9eb0aadfc2a75cdd8136eb9d454858b409b7f3d721f027ad0e624e488283dd2cae29e1d5c6ceba2b9ee41fa693d5c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agoy.exe

Filesize
195KB

MD5
9f9231374c9bde260a28917bef75e4ac

SHA1
77f2086dc3b9b398cd3feb665e5a122f5a61e509

SHA256
7fb0657b8b7528f95559bba35b459e1b4032549a52997f1e0c32ca11a4c04b4d

SHA512
03d64086f91d530241d36bc643bad6916dde67d62bf920b0dab5408b12fc1b1c9530311452d45e8fa27f44d26a65ece40c0df6a1938a4677526e227d9b6f2106

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoYQ.exe

Filesize
230KB

MD5
17b628e3e86aaf6ddf125421f88eda4d

SHA1
84a34d81f40a2556cafe5d9fb41f236a3a1f1ca5

SHA256
ec79d2f13e96334788abcc14b74be693d6d393a873945b4ef0cc4ef4b2a0a4b5

SHA512
321cbceeb07112e3215ce34dc4ad74d10a45750d9369a9f02e031c456746d9eeb241eb0b1e75cb49e8edfc1c810aa1a353c344366380cc1510654289c9f51af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUcQ.exe

Filesize
203KB

MD5
af301076f008422e40512e65bccac803

SHA1
413b1e5cfc4ca3c85c6d483fe5a53fb518fa415c

SHA256
e94a9b194c3e806a241ecb4bbdca9f55fbbf884641013874628ffdf69d2335f6

SHA512
716329a73391a75e3d1dc6f827bbbb2a59def12d754312b9ecfbd81e11fda421ef71ea368367f24547ccdeaff0794c1ca6cbdf1b95356cdf8c5bbed65473e42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bwgo.exe

Filesize
188KB

MD5
41aaf1b16bbebd9758c928eb845393a2

SHA1
88801e0878bdd57f994eb2170533154c57cf353b

SHA256
fb1b523b827d2e1cb98fa899fe9a06c27789082a1d521d01c40300e6c9a0492b

SHA512
890d0809251057424e903aa03df450bac46913066e4657dbcc5b23af198c3cdbbdc6f2319ce9eaf8527d81361849ae788be6872877b5b937c877947fed04b81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgS.exe

Filesize
212KB

MD5
35d0f13a8d8335f987370700bb200a91

SHA1
0548eed975ffe0f7d17aade54202b8bb1a1fc1eb

SHA256
de75717287e626130ca5bbdc70cb8ff6f2ff98462945be2d774efd03089d0fa6

SHA512
9bfe59d5a5aaae0e452bca928a9cf3178bbc8d98d3a78e7a817c6a38fefa570148ec5fa08f183e61ae578b04413a6015041dd8332e4d9592055d9b868a3265c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMI.exe

Filesize
192KB

MD5
2d5c3e0349942e9646c10757051b4208

SHA1
2564059323a67ec417311544d7e54d26c349358c

SHA256
5db0003097bc8eccd6bed55a637b7c03926d606626cb208ca94dbfb108cb8a42

SHA512
9d49251e77f1a2a89071f332bd0b91838c741db36f8e1af209bce4c2932e9c5312c7aaea6e4ca035e4e210b2b4a98e8e5480aa2e1d88669d91c267898016db67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcE.exe

Filesize
1.7MB

MD5
210610ff1285228b3380f62264095fdc

SHA1
bff6e8275493db2beae9047105033413e42a9a2d

SHA256
d586ec7db664c1d9e5cb74ffaac0b1f41c2648dea16d7fbdf60bbc3ffa5b79eb

SHA512
5cf36f69002db0521967e912bea9e4acbf7f3498a34429007c18dd9520efa6a5e1125fda11e75d6d7f93dea0cb7509edfa73c5daed443adfac62e06dd3ec86d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkEw.exe

Filesize
654KB

MD5
e92954a63aeac5ffac219a2c0ac3a6ac

SHA1
a5371f89484d90b226ad6e5909fd7325e7678c70

SHA256
98435fff0529583d5a9740c177bb149e798ab1055f27f9fc235bf54b628c4daf

SHA512
027ab45fdb6a2052e07623f3479d90d3f53b4b4541b2659acb0f1d0224e63ca0612a40d5fc4cc559ad194b7893527bc737741d39f92c3c2e8c463abe59d42c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkkS.exe

Filesize
194KB

MD5
179578f8fad2baa4da48bc9ec216e6aa

SHA1
8e11302f3f3283f89ae1a46c5078308728ae586d

SHA256
30e8419e8b2ae944c4b4978fc7b557876898a15ef58f7c87e7ab940ea6c2d32d

SHA512
f3a464921a633dd62a088527c8994a0b8760df335e75ee7637c5879565ff16e10eb45e05807770e9f52f333361eb99792cc4db519fe90b8630bd63b08a4dd6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUoc.exe

Filesize
194KB

MD5
0a38d5067fef690d00f9e4245d571b8e

SHA1
de3364f58f9d02db6a385e441a7e86b8c9fa99d2

SHA256
0e016f6051ddaa911af325f66d08dea607a598969af38688eb3c42efcbc7679e

SHA512
a8ac2104e18d3738b3554fda88bd5f36832baf38622a0cdcb156599c7d1d86f093ef547edbe0e6b10ace1f8a8cad39563c03f5a24ff46c4ccca49d5a2f9c9aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DccC.exe

Filesize
257KB

MD5
b732ed5b13a4a4a352d54501d9f435bd

SHA1
03df1dc91445f656cde45d5c60530eea6e7cb798

SHA256
a1bda6c9562e5630a75df6227a08dda19bb8256a07966e76a298bad3777a445e

SHA512
b8355d9663e1d62375b254fcd460461cc83095b064b981aeb2ca1f5e58d7d34f7feda3bbf9de423a0197322a2ae381579daf46d8e574c48a659df094c36605ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQkU.exe

Filesize
623KB

MD5
fbd17abf3a8dfbf41e66b74e7727f7ad

SHA1
a98b38cad45ad12e4983977802d6c14b766cafed

SHA256
a576cbe39d0446ad68b6dbb928e98af5f51b816a3e2bbba1f49fd7ae9e246e98

SHA512
aa94c71d24a7b6481d9a62e9bcc4fdf5930cd5076d68609d36d2d46f540bb5dc495122626eebe2ba17c48e37c80f9dae2699e8ac94652fccce17ff1789a2eff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eosg.exe

Filesize
557KB

MD5
b619b91a12fc8669b83635634c5e599c

SHA1
209e98e5fc260d8bdb8796d7cd796ef2ff64ebd5

SHA256
6ba251d7e5d13cf4b3fcebb03729553a67c245dfe35cc0a4134f668d5f15d607

SHA512
464833ad9f295f03bbdac749576d247bb6812db1cf81047834024a89503825443ddffd3629a63fc47fd120f38616864d56462c9a794e347e35150202ffcd55ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyscgYUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAoI.exe

Filesize
647KB

MD5
709d3af5129a92548b7d5c701e493dd9

SHA1
acbf1aad06fb801438401856b627ac1259a37dec

SHA256
242df02e6e1cfad3c24bb17df9639562fef07fdc3090c857aadb1603ff541ed8

SHA512
861a7693fdd632d8c0c70c03901456c1baa7859c4c1310bdc162f33c0befe3a91f6a94ea273cd9c57e865200352f28c978c0dc1f178e883693bf6ebaff0c0da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcwAsYcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcu.exe

Filesize
190KB

MD5
74bbd1bbe58ee82df85937f43c538f54

SHA1
34be551b3a69fbb025d9bf5de38e4b715f6ef6a0

SHA256
0e90deb80e2a312322e9c7f98a4126e053b1ea020c78dc2ffdb93afcbf52e373

SHA512
03ff9a903be90fbd57bbf4e9265ffa75752e8b2c88b355a588526e542de1589f9f0808338b7c992cd3bba11dd7c6598d77f118fc9e1c24acd4971eb317f7cbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgy.exe

Filesize
824KB

MD5
2b66d597dce700300cb8119b2316d424

SHA1
41d00b492a18592fa9aaa8265ce614da2713d6cc

SHA256
725e05ca06a6f7e03aec51a3e83ed08dbaa508a8e53ef0df6d5f2af9d3ab1d69

SHA512
1205967473dc6a669eee62b1ba74e01209237aced5acb63c416a222bb1fb61a1dc323f4aa415eba51b963f811e52c68fc518920026dc49f0f9feca43ec030341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUse.exe

Filesize
649KB

MD5
3ad98f03c074ee57e380aea215bd3b6f

SHA1
8194f50487d65bdc4d3df294eb72065b505af9ac

SHA256
d0afcf091d5fa93579c52a085886ae0f048e76e0b8b9e509b0213f27b48381c7

SHA512
0649e4e38704395a272c38814e78cbff8769de2e43529e930f8a3fc6e3a79fe767eb02b5d813fd5f015ad2f34115ce65eac4979101a77edfae68ce25558f5c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoQa.exe

Filesize
386KB

MD5
2f1b5248076adec9642c31a214f44dc2

SHA1
a1be51f86451864e7e09a6264e94c0eb09c09646

SHA256
2582b19ac912606fba47e666b14e12efbc906088585ab58ba64f5487a4abf102

SHA512
1a9d1cbf69a6ed5315768ab9535a98a4a5e3d77c6951a0dba3fe300851e15e1ca159ee1613fcdb99db57af8bf868569cd931a385649aec1d50a763155a4aa1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IswwEQsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcMUgMgA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcMcIAkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkEA.exe

Filesize
200KB

MD5
5cb032d01ef87d88952fc416a670f16f

SHA1
a6b8df3c40773567405597fef47070790542bb75

SHA256
ae390061a9f44ae738634b3df7623cc29c9472677eff8cfd38c53ad7f2e4707e

SHA512
b708c9d37a14b257bbdcc243e75d094a045e9c66f612009fa4f8f119760b7ba41664c18bd67895fea3dcf3ed118405be3869cfd6baf5fecd0a2f986a92c54dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsS.exe

Filesize
200KB

MD5
0a2ce82720d62b8ed71e6f1fa4798199

SHA1
b45b0af07e29226970abef77013e3f04dd685579

SHA256
2f236af7dc18e1ca8ecfcede57853b5ee92440345afbc53622c879149c095b6e

SHA512
251a2b76852c43af307688cefb3da4f2d1bfb358bc65fefb867598de0fe72573fb0f800c9a6a44ea12f641909fa0927674325e3d3fdf50d876977aa50e76014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIAQ.exe

Filesize
207KB

MD5
0f6f1eb34c8ca903f451b2dbcfe77619

SHA1
f59bff77a6aefc0f5c89bde08147cd67e6febd03

SHA256
0db2523d24a7465fec4a6d8a2a8a4e2a480ccbd9b505ddef5c94562c5f776a48

SHA512
9d31cf4d701e80b5248610ebe4facd82878fdd873d72dcab3023755ca071c7ea53ac7a8479719000ac3f037854b701899c22530f431e970bea0a46b8897b4a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYsQMwIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgUU.exe

Filesize
770KB

MD5
97e08be7d6dbbb45d1bd95d3a8a3c6d6

SHA1
8b2ea0a3d9c0a0e164dffa03108e6dc82b5cb24f

SHA256
e874247d713517cb1c0eeaf7c4aa62982fd5d9bf7f841bf8eda5cc2f69778e24

SHA512
0ab75a10234affeb969bb9f58d0ff639ad9b6d06d90a140cb32d49fffe1e0e09eb70a949bf86d7aeac7da7a3c50b1f352102ffec555a51ea66fa6cbbedf05fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEgE.exe

Filesize
204KB

MD5
2de31a42c00ffb33ef266a7c9ce2a749

SHA1
986ca0de9eb76c0ccc04217ef7c6c864af6021fb

SHA256
29ef05fa590e0db024b5338bc6de30802e0016b97497ce7169baf4f69ec5a193

SHA512
d45423e9450b0ae8aa7526a50fdf220bab225e6dd481ae974bcb10b5ba8a87f047d56270bb2dec5afcf8c660e53bfe8578349b74110083ad2999a36ee6d2ca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIkI.exe

Filesize
200KB

MD5
ae2924ac9de23affc905ce613a39f875

SHA1
1d98ec8f2dd0efe4d14f8ef5e22a9c79e1ae7dec

SHA256
831d95e9345c0ec85e10361540affba9d884c46ea38fd31d2d25ce93322d9306

SHA512
51282233d6bfc730a5f68e110349c1f136ada71740d3a7f6f94e8ff8019c2fa733ae7000736b7b37914e48591ff4f7deb2ed7c16ca1807992f8ac2724f445ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUEy.exe

Filesize
198KB

MD5
6c541375c29ca16253d87ff10392b4ce

SHA1
c42187fe68498fb943d7dc224f78dd926b1dc841

SHA256
67932beaacca6f2f509e00b6bf965c735d421c46688164345e0b45f91eda2c32

SHA512
59b33ba3ddfb8a4e903b042c43189cde9be49d6f9c994f5bf25f228d9c941be6735c5bef1f67e58ea1b430eb0b819265b0a7f29d01103937228e460a1138e189

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYoc.exe

Filesize
197KB

MD5
a00eeb93a8eb39432f99c51397be349c

SHA1
64ec35bbc14c7526b101a0adf7e736e977b8ce2d

SHA256
5fd6672eb57cbcb205b81478341800c4b39d2181600c81aa7ad9c08b54aa31f6

SHA512
dcb7444cdf287f49e9db032d8410d610768488fedef13819b6d12f6007bef84f3878b729a8d894e68ad2230045bb75bfde25fa50a2f40bd880ce20e58729a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIg.exe

Filesize
647KB

MD5
1bdad4b60821da96669f0b47240aa820

SHA1
e486a5bb11775dab17330af445235b5b943e46df

SHA256
d0e13c2da643019a5b5595dadf844e97200c7adf7bbb65014ca4ff86e3926dc5

SHA512
84112a3b233e73e7630f88c600cd15ee9578caa5d6145e84e3dd8346fa80d88ec24bf0e7f88883fae3375a4def09f2ddde9f698a7b5ac3142fee1b479c07fdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEII.exe

Filesize
218KB

MD5
734e64732e9ea8f51b718a64efe5c6e3

SHA1
5e75648ab336cf17a116ff5fa2408914ffcfa498

SHA256
bc85e85495f3ff7d3e06c3660f1e2d7593dfc79e371b3d80bb838c786a31951c

SHA512
d905febc8368a09d215152cc21de9065b1fb848e8312532249b7de3e825968c9f3e13c6a510f40700fb2bf6cee1fc93843f9b91b95323ebc4c7ae3839d65a499

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwwQ.exe

Filesize
187KB

MD5
76e1ace1c2b1ef8d1d9d56e13ec68101

SHA1
13128defa3ba0fa7df8fa580c15f1d45660f1f84

SHA256
03395d7af5ed4a70be2f2b0e9324ad42fb3eb6b15bfacedefe53bb5d88159efb

SHA512
acf135f8d9aa5d06689e03c246d7eeb5cd5c1f357129bfc0c8f948b4b062edaf4effbd5bd24e042cdb38a3072a0a81616ffa5e536286c843f69ff2a9db165859

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMQ.exe

Filesize
437KB

MD5
895691c777136f87de51188bfb88097f

SHA1
b7841803049169233df3cce4746df45923b142b6

SHA256
f954bf9e0b991c40235c7a579d20342b9793f3a8dc7fc06531c3687f06b848d7

SHA512
aa60c46d87447b85bbcb8d8029eb92d172def4ed276418b2a2bfe8d899f68b3e7ac57dd3809c66ee316a649a7a7a170e33eae987a06fa1d8d202b0526c4ae039

Download Submit
C:\Users\Admin\AppData\Local\Temp\OogI.exe

Filesize
238KB

MD5
b419ce8a4646711015e6ee7ed6bd47f1

SHA1
24eaf73e5472f26af55c4db3809bc3cbf6e3a4d3

SHA256
6d1de22858f0c9f24f5799862b48b0b42c637a293765819d47cbeb5afed5de42

SHA512
fd46f9996e21c48b0e48aa6942f11e6664caaf6832b0b6c14f6456371be48bd4d9dc5160d110a007b4e46eaa949a58defb6180cfa1bbc88e8b45a2d912bce9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oogu.exe

Filesize
200KB

MD5
57799503c494c99cdb119d8e97cb937a

SHA1
90a17d874346252c3ed26415aeecace1db01d8da

SHA256
2bb15b1d3701fd5973fcd143129597379c18231bb097c7022a783df24b9f4003

SHA512
8609fe222930d95ad26364812939d06447a533c833b029f477d93cc03ab2cdedb28b02e9653f103bf16137a0a742d855a795e9f3a815ba68bec53b66208817f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAM.exe

Filesize
197KB

MD5
c4f9c93abe95d69bbc6673390252b89f

SHA1
1fdcfbfb492981adc25b2a9e3751cfe04f4354bb

SHA256
995e798159272b887ec12ad838467d5b419b66e44205a11ddc63d3b42a8eb855

SHA512
25abecef7febc67819197b49c082ba702f08c45e84eb09d2555d013b74f12648e8530c9bffdfbc602f3e573c6a3c31df88115e7cad566b4673b4a988b4424e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUsE.exe

Filesize
1.2MB

MD5
ad152e69bf0a0239c394a78083f59ad6

SHA1
2c2de3cb4197657da9f7ebba47fcdd8eb5a78784

SHA256
b121203a3e8ead87c4fa1f839d239b67c9e0a86f04910c4c66d1dbdc37e1fbd5

SHA512
424bc98c8dcfabadf97c367a054b5e55d077cd7c35d8e3f063437c52abb206f9646d8ed82066c4ee35f7cc57f54a45db1bf17de1d97f8d2d4682e9f9e6d72897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEgM.exe

Filesize
218KB

MD5
d2880771b1e573eeba95845b17bd1db8

SHA1
9004cd69dd2993d61c37b56f2a2ff17ab9c3c322

SHA256
6550450ca2000d96adc860806973cd9bc694c612d55a41db64c17b9e4235e1f2

SHA512
9869eb74c5213ffea03bead48e4fcbfbc2c4bd6799ffa93922729a83e4ba2d7f98fa56868bd27d277b96d8c4923d873829923ed836275d31f6e475bac97375b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUIO.exe

Filesize
229KB

MD5
f6ef0278ace4ac6868fd34d82a16aa02

SHA1
2a74a73031ccabaef25eab24c7ad8d72adbab5a3

SHA256
630cda0d873f70970d8dfd4f43727810b52babfad0e1c0537e570b5b075821d8

SHA512
d5dc25e66df439b8cc4413923f488955c171ba4d142f33ea8f24826060b8ea9fe8060fcd6d06c0a8567302508192ecc10e5295ffa430302efb05de8053bb8d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMkO.exe

Filesize
5.9MB

MD5
e18619c30697de7f8a20042ad8c81bc1

SHA1
4eafbe1e8b63fb6bd08d1e0f733271b85564c3b9

SHA256
a5dadc1a417f38a33414e0d5dd78a2a3c8780749d4287d1e2e948a15b2ea8d98

SHA512
20d0c8df22ed1f20099ce1d3da9604fa50b6afbd4acc1250f4a61ee5ee34cc6d6946c573003763687868d36f6af59893c42d36ba3bc9426377e24fe26d1423f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scko.exe

Filesize
183KB

MD5
d9ccc136e329bd61cd5fe92f5f41e459

SHA1
bb19b70044423ab9d446a79ffb96c568983e2c93

SHA256
714564f43aec1cf7a1e262c263752191f107824a706975e79b3d7a6815ed4e1a

SHA512
46c2557fa7d22aa632c3e8b89f80f420e765da01ef0ff2e5034596fb01e85f0475d19e378906f52f86441875a7d7067ccd13c29559ed2836d34692621208ef11

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIUwAkoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSYAwcMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQgy.exe

Filesize
205KB

MD5
6bbe3fb731aedc8cf0d4c4b1adb7dfe9

SHA1
ce477e9dde68d6106a04b21c0c503f0f26dfb24e

SHA256
691ecf270705d218fd724cbb32487552043c70afbc3358ea41428cec38e46a76

SHA512
29e1804fb0897afe07adc1f8703e1b86a72578ce920baa258504c6a529c6189bcde97ea626ebb9c77b2ffc5bf311ba6d4724419526f0387b50e92597c6db0418

Download Submit
C:\Users\Admin\AppData\Local\Temp\UmwIQUsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UmwIQUsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMQ.exe

Filesize
636KB

MD5
ba1dfdd1fc3fbeae14822a7dcf78235c

SHA1
1e3309401268caab41614efdd43a8c2830df554c

SHA256
cb3a91f8ccd20f3adc4547a72d6b045c73f0c2787963b3c133923f4feba3c467

SHA512
e848f29ce120f5cd93d2961b3942e02e8b5f4d77227bd8d56e04291a32a701d582d5041df95cbe385ad30a714eede4a2861c2be53de8895f98eee747294d05d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQM.exe

Filesize
215KB

MD5
03b8d73b69e52d6b3de7d992f523c1d4

SHA1
d5a3afaaf1c39b9ea78950b95b9b8055af1c8f4f

SHA256
93d3adabf2affc082e48f3583dae77429a19c2e767b07ff031d8f5f769b94a7c

SHA512
fe386464019a328713590cf70b4b48f393075d0b0cce2e549b84f119344f2e77c9740ae5f7838a3a30b6d5a5d7894d91600366b3dd2d4882a657a96beb34a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEce.exe

Filesize
647KB

MD5
f402f75caa1931514854dc84c463baaf

SHA1
920e66210ea9dac1f33da6dd53eeb4ee0e692b93

SHA256
d54207eee6ab25ded23c4a8e8ee4abb29185dfa1d0e03e59657654b36aad2488

SHA512
fb724438330ec9c796c26eb73b8b5ea6b2655c1facceb45455f25cedb54774f254d626aaea00dbf6b1d061e55e5ddf7686c610a78a5348b0bd5bafb57020c51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQAO.exe

Filesize
198KB

MD5
6bcb55f5422c4a6bd619beee2a5e51c7

SHA1
bad4dc35bddaedf70d27019827b0bb1d16b30913

SHA256
94f421902a7ca76d946d64820a567118e8759342fbf570720306e6b224987be9

SHA512
deda1197f25d8b954459cfe181973f5b475ebcf7ba49abbc86abb966a46b06f7fbc0ac7d51261de41accf9fb50757a2542175d93b35b9af96bd29c677aafc1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEwM.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwg.exe

Filesize
634KB

MD5
011156a25d95c231eea079365032e38f

SHA1
725f879cb45e1f3612433974a19f78708954550d

SHA256
4704e6d27d75249ce174390968bce41cd911a3050985e4eab372cc07243c5224

SHA512
f53909f281970fe5ca2efa23265dd49253de25a01d961cc6d1557d142b561685cedc23ee057269963afc4678fbc11ae66b4bd4c691ccda1f57c5838bddd522b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEw.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcEK.exe

Filesize
192KB

MD5
9b921ed0738b7af50dafbdc0b4e4b007

SHA1
195c56393b0494008ab710ae28df2f5ae4e1848a

SHA256
ff0e24db0853059f212941e559442e05d2006c4f2347be4eb4d7b9957d80cfd9

SHA512
1356a24b53004386c03d52e53cdc4257c5bd857899bf3e5e6c2faea21fe77474a412e659b9f95f8af5a70b1753fd30cd2808d17d1ff3ab88ca942c210ab9a929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xccu.exe

Filesize
5.9MB

MD5
7fc1762c927ba4dcadeac827c41968be

SHA1
ba763b0bc8061e6d9eca363b00e28243857169ec

SHA256
471177dac8c9201ecbefffd9f17e604095ca90abd6a5578757fd385f39f4d663

SHA512
5a440e0497761bc09f96dee4f2530049c8cc608f68fd44c7d233eeabb941e4b7c2d610f9954843f25e6328590580269d058ee9accd07dcc6bb2e102de9d3eda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xscq.exe

Filesize
191KB

MD5
67bd4c81b4a18cfa485075a9fa79bc5b

SHA1
0b92b0234497d16d746ede7ecb79bfc69811dad5

SHA256
ed7f27300698deeb9f7c91eb81a626c89c908d2d001cce6d6630e5c5139d8ce8

SHA512
6607f9e82fc74442dc21458d972917248ee77c8888aeb7a14e8bf7d1962cf8679a08c43caa99aa0b39f9c2894360405cdb5e5fd4760fcd451e4fb489fd820ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMUW.exe

Filesize
645KB

MD5
860945a0b3f9e366b60ab673de312b92

SHA1
c754ed1a03944a073f538758eeb1e5ae7ac7d4fa

SHA256
aa4895bba7f2cc607e7d558aff57f4ffba44c45a99a9d65c4d190c2a2ff5f046

SHA512
62fd6275d48111f71716b5349f85b16e95f174ec946ece5dd3e31b1e5eded16e579576ed79f8d890f422585ef75be208e5b8d0dcd1cefcecef43bca215296ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoc.exe

Filesize
202KB

MD5
5fa3d5f1e0259032aa9be0945c589488

SHA1
6f3539bfd6051cabf0c315e1fadabca23c3be2bf

SHA256
9aa24808806a9008dfcd68d205a0aaacaa4fd94f51efb522b3818ecee29b80b0

SHA512
3226ef7e98eef892bf544a5405916f8892739d2463080270e35b941f80161a680512a6f41b9b9a38b2a443d115dd9edc2421b9d7a779b85acbb7ff81760d882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEc.exe

Filesize
206KB

MD5
fe5d4e64f07fd68f833fedbee60a9402

SHA1
274d83f60d1dfc44de4ca97e7aec3f4edbbde865

SHA256
96dff25c27ed841fcca97d35fed69bedfb0d4c5204c467458e18badb14582cda

SHA512
1b740086b4d358626b021370e4cea7bfe501a9c314b099cd8ab97bec76e313423a3cbb10e0a0ca2f10017dd18f9b8f58ef9db4e198e09a68da4e46d6a7126cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQow.exe

Filesize
1.1MB

MD5
d683ce4a662ca843d87d38e7d6d32b90

SHA1
99d7e46060b48de3d7f84ae31deefaef26767243

SHA256
d8369bc343f434c7d1301ebac9f3050a454817350fe7e2d2d5061438d31bd71a

SHA512
225d5943507636b2136eaeae780a49e8b70c2b95eb8e7476043fc4adddb7532878a8931c21ce5e4667e1261af09c00c013114b1821ffbcd8b6dc5d74d38af9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSMUAoMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMa.exe

Filesize
5.9MB

MD5
9479605e988df37e966dfdf305e360e3

SHA1
9f79cc550c3a49217aec27fca7990ea145449564

SHA256
25e4793c5c8b0b16cba9303af439331f3f3fbf8778b50f8e5a124827bfdb9cf3

SHA512
dd65a4d7ba433ab68d79c301ef54f7704fb35008862451df3a50756665a025d42f4007632d5b2fe7085a4b26a3b670d6f4248216f9c039e36a5394d9a2180e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywgk.exe

Filesize
185KB

MD5
4773ed493a887c341ea770f49f4ea191

SHA1
f9c294f020979f992dda21edc44b8b3138b07460

SHA256
145ce554cedc9db7153dce3294d46270ce6731c58d7b3fb4e111f1620476e29a

SHA512
4f4fb5078cc238aeeb7ccab397c69f603f76f3d8ed86d3f5352e86def08a7a4b542bfb96ce8925e4afa8eb93066da5da137da75d94fc7ac0417a77473ec24f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIccMEcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQAc.exe

Filesize
200KB

MD5
68f9bb33760b5169c386c3d55a38736d

SHA1
9cd6f4270e07952de7bd65bc9bd12325b4c19820

SHA256
38c306603679708585e04706da5aa7b460da35b1d1eb096c8565728979944b98

SHA512
f3417ee61abbb2a77c9ea29c55e509917e58664912c0a494c227ea20567435daabe93c85548b5f503af422e39cac61bf763fbea4881b9e1d31fc207a247c6eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAQU.exe

Filesize
5.9MB

MD5
19e97ee13f9d68beb5e9d387db95d7f5

SHA1
bf833c224cf4886c087ef6053155dcf2fb2807cc

SHA256
7f019e0ab0be0a1bf61814f895f9782805de43f457283da1baaec2ad80bf8698

SHA512
eecaf654361780c93e4636c19d65e02945e3983410d57bed8d35c10be810ad9a139e100ed67dd76f73b7208d47a87e925ae5e787feaf222b41a9514b07d4a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMcm.exe

Filesize
182KB

MD5
55d5cba2255a24a6dcc591e126b71533

SHA1
5d940b596e546bc901d8f2afe8b9ec1cdcbaae3e

SHA256
1b3b520e192fbcdd77a1ff69da51076c4b426f13c1761b74efed3cf70c939607

SHA512
5bb464851189debb23a769625c16d4002b81a6c036a03fee41d68f939a97d9877d3df7839b2811420ad5b17ea7c03706228f19fd0ea2f1bdd61c26ab3cbedf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMww.exe

Filesize
485KB

MD5
30608ddf10cb4bc1fb8060a74ff40a4f

SHA1
45630b1bb1c901270980829ebfe58d80d30e468f

SHA256
8fe95ae0d981c7337b49eb74a1fdda9c27363dd58ac542b4211d6abca27c0dd9

SHA512
995c7ab84d117b51c92f8f1f1542582f8d5080140c677939a4c28c259941d15b16de9f160841bdf7f12f9ec5b0c40007bf9fc80e63e1b93421acaf07a077ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQMi.exe

Filesize
184KB

MD5
8d5ec9fac532bce3d40e20aad799f2c8

SHA1
f17cd1bc24aa9bb630493450c4b864f60ca0d366

SHA256
9ec284bce723cbf37a6567f504b64f103394e722a7d335a2503eb0f9ffcd66d3

SHA512
85eb4c9e0b15e316d4e04aef5716dce672dae326feabef8891648a8fb5c61acee9172b3fa0d415d1aadbe7e6a31d5b922a795a601ee1d6e8b7c53009c9e5d2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYwS.exe

Filesize
324KB

MD5
dada52fc3affd7e9fa51edfd6a53358d

SHA1
bdfc878bf7b69f659ba1cc5008fa1cbfb1842c9c

SHA256
889f7f2796ca41c18efcc82c017d5ac52beb2e00ac43b26d2ef1ffe185d9116e

SHA512
95ec5361b40803df82797293353a5aa8edaee9eb0ac5b9f03d17bc70ad94e382601004ba581b7ac2036a0eac34de6523a0ac5c64bf27cc359eca4995906bc48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIcI.exe

Filesize
202KB

MD5
7446ec618ace76a22a1d4f6555269855

SHA1
b3c7b01e785d77d1b2db8dadd1e9f9b18b4f907b

SHA256
3134aae1a99f151b8fea76989d6c4e0c58c2eb4947ef83f721e4ac38be4e2848

SHA512
8480862f53c9470bd0d0be63c2bb648646d16dfb739a0fc4a6a6e08397a57cdaeddbb3c889822fc80dc43423a6de49bd31e165ffc324f8f43eebfab5e8c7acd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccQa.exe

Filesize
201KB

MD5
227e1c689d7540f7d1ae269b3bee8c56

SHA1
d13cf2ba4a41ef1da1782d8be52a2695bce926f6

SHA256
b83274c069b53d470e3e7226d6535ae34edff25dd5102a4ac35b7ddb76c2c6c2

SHA512
ac042ba95e85bbf646f712ca25af0a3258fff6b267684d12150beb173af87510c6ea5fdce76e069443e058a9e33403aa3b67ff585aa9f53d311aeb6e47c2a9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkEs.exe

Filesize
187KB

MD5
695c9a5072301c393ca16a6db779984c

SHA1
743f70f181ea2bfbb72430b1a3a7f9a8e137bf85

SHA256
a6fc2d0dacf912d719c7fa99486901b8a3fbecc20ca4548fe3a5c80fc76961b6

SHA512
ad0df86ee02c685ff1cb4ad1be7e962d1dca4389397e9b4079a351ec9fa9927b8ccc3ac24643b4acd402bee702af864b9adb0e9390e9498218f69b2afa7e0506

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEwu.exe

Filesize
199KB

MD5
e6ece10ec1ecf5819ff45df8db885e68

SHA1
de6bd8b9e151876f45dbd95ffb58b77e5f512ba5

SHA256
89be4b404ed749aaa2cedb18e4e20807003d3387d65fd0b5f83b9bd406b110fb

SHA512
3699275119bf29ffd674b6e8157d3237aa30e961aa8894ac4478a6dd87ab66c866c6621fdc486042ace2750d742d474eedffe4ea735db4a5b9a071cd0794fb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGoAEkQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEc.exe

Filesize
190KB

MD5
79adcf39cd852b3c0f7d9229514cd9b3

SHA1
0c20ac3368424ea547f34d8500bd859feb59005c

SHA256
a4bd6e836326375638fbee13c27068c7481e5d2ef13ae9439d8e5997abd7c604

SHA512
9ed8764fa7ad10ab28440b7587ca06eeb76effedcadd64b14010221e02f26c28291454fab5e8cfe577e4bd2cc977e3f927946ba46b2a4d62c61dbad46e89b19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewII.exe

Filesize
189KB

MD5
4dbdbaee0ea258b1c0682e6033508698

SHA1
edacd03295b18dc05e4d51a85df7638335badde8

SHA256
bfb55e4167b8753b0d399669b2d2c1a84e2ddd91cc5ce9d737edd35e3543ec86

SHA512
f9e89ee18f1611a46f388c8aafacae64d469706ec0f5f3b6f0fedf98b11e65cadaa8f2f1c43872a9c524ba0021d40503cd3c0449392f5b387a887c8e5e19a13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAMK.exe

Filesize
486KB

MD5
7e368bc0798bf50e15ced572dcdb954c

SHA1
3f30633e0f62a737499a95d00d889af225b3266e

SHA256
e222cc10173222ca3ac541652ad999e9525443a60efcb666dee34c230dd95ccd

SHA512
19c9261caf3dfeda7641c2a493a730e8d60fdbe13658a87aeb8445804e236d40408ff43b33f49d7f659474f3cabc8ff6b154d1e8bf0be90ad1b865be226b7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQwY.exe

Filesize
220KB

MD5
5677a51b0622a9154e2e9f5837ca676c

SHA1
5c38c8adca67acbfe25b5ef5c9ea03dfe8db4d79

SHA256
2c6dab063fca3e7a5e8f7289753cfbf3432288c27f198f2698f4e8da0834991f

SHA512
c82e4b209dc9cdb5837e776c53321b609a46e2dda62239c1922ada3e7bd5948e39941694cdd4563b3118d50fada688d69fd4772a6c2908e68c3fecb00c64fe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foYO.exe

Filesize
198KB

MD5
4490e72c31a2bbc2fe9864060538e013

SHA1
3d55fd711945d134faf88df0c7c00b0bd1d98253

SHA256
22d37b1073669ef8c0414d4b9fd9c97b592e35cdfe918ce0094d517321c8636c

SHA512
884eb1fecdd95658de72ab8916aca0049488184b09febd2151b34168778e93f42aebc511acffc2c6212c7ce7858bfdf7080181cccaaddf30ad504c20b98f336d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQu.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMQ.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIo.exe

Filesize
305KB

MD5
9bdea13376823e506d24374ae6141cef

SHA1
ad195887d7590c32cf75bf2eda5d90092e7cafd4

SHA256
9c672ea71a9918bcfc650d6730fa1091b9b055ed7b887bb77c31d489bea08c74

SHA512
fa6dc76b3e463a0940748937d1ec51e6b7e8fa6953c8eab7fc3c800d6eda9bd6290be7910417faeab865c0162d1988d9959fce92c8257cfccf3a88362e70c7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkIK.exe

Filesize
190KB

MD5
afcdcd95e16e5396c1fd83bc86890687

SHA1
c25febc82046bea5db9cd7b40f6e12841a2e3b0a

SHA256
fdb5b92a8f7fd534ee9a91affb11610f95de58ccdc3449cfa74d5fc7041c7376

SHA512
0b544dd5cc9afb62a971d43563df5d7b3f09f8994934eeb69f286feec4165c23db96403f2db0760d32dad4300fd21ce0cd4cddb54016617715d5502884138335

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwMy.exe

Filesize
204KB

MD5
582db75bc1033181cc814b6ae6978e77

SHA1
531a0d715f47571e22d95c5616b331a09516830f

SHA256
f015498709bc3e230eb1b5e435ac3e7b63cb238173f6ce514c195e14228708b0

SHA512
fa76978aef047af4d758ba7a1c431406a7c7269658e31a1798b9c498a1e898324f0db64dec5b6422e65bd07b6f45415f96933c1da1fb37c7bd97359a9d494610

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoU.exe

Filesize
207KB

MD5
a642fa8572e730ae30232140b9406a30

SHA1
3445a6954c20324fd712f43d22457816881182aa

SHA256
e58391eed110774befc48ee8f629ee82675da8e0445f420ef8f0aed06f7f5d91

SHA512
3cb1b8d42c28778ec61ab036837439870f2eab15fce72cc04cc6ea4eb674292881f368c8bb511acf2ffc08682d34e23f563202e7a72aa553df09f775a41b3702

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgEk.exe

Filesize
191KB

MD5
a8439d2c6acbf24e5deb2ffed44a3127

SHA1
1afaeb4120b35f44c6c200bf23b4519636040987

SHA256
25e2ea9742de2bbf5cf1bf9c9d33c100db32f05f92dd8526d3e349e281179fe6

SHA512
055a7b6d83c9a55a8d52732d1b2ff0beff1da0d0ce66ba8b7d3172e7fe2c081eef5ed1b2d814d47edad8ede64167d24229898b046251721d22142f758f66f352

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwEU.exe

Filesize
200KB

MD5
f1373d68b310874b562ddd314afffc13

SHA1
2f686b7a6ae143f80c2b2f27a44714741375700c

SHA256
f03a19a06efa25bc98f81ad568f89be164174da37f978df6c65336f85c76a573

SHA512
647789898d3b1e597ee8e71a9a4435ddb7a81ad048c265cbb3eca609c61c1b6724eb9c883b82846674aa5e1598a2662aaa7bbb9dfa90193f23e9215bbedf9835

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMU.exe

Filesize
210KB

MD5
8ea41119b7ace63e98d0eefd1a7a95dc

SHA1
f10bb7aacacc11f30f393ac4e295fbf56606d3aa

SHA256
787c1601f848511e750f3769af7880615c572f8028945bf54e93c7e094347658

SHA512
1f27252fc997d3f265a414d860cd40acc6cd33cb4f43eaf32159048a360dbcec4b3dca49325c32c80168bf3b73c8b6cbb5d9f7f160e930991d95e820bac2e4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\isgQ.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwIK.exe

Filesize
5.9MB

MD5
d5f0a12a1bb5944c28e93a8d9f5d175d

SHA1
480ccb61a9e2818d64919b4fb0f1f925ccb966d5

SHA256
328413c566611d179ba3e9c88408d67c2e75b1a7f623e8e514fffd3851d50ad5

SHA512
383c634cef4bd93ab16ee27e995f5e8d218594ff78274403650706a62e996dd467452cbd09558767e7b2433e987eac5916dc824a2ed28e25413160661501e6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsck.exe

Filesize
192KB

MD5
54f174b4406e2913e1f26fb7169b8d0a

SHA1
56692009724eda7593c7728e1afc02638b5f1812

SHA256
567f9ec357fa775c2025c72561442dc73a4d6cb09d6b928c809ea4a4c407400b

SHA512
66aa32fc853837af125f341d200b33f10b13204e2bda4396f7901c708346cf40f0de14c2b787abd2e3b478ab971ddba3411d1bf7c22ce33b0e18a41adadbe5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAwo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIYA.exe

Filesize
380KB

MD5
c660fcbd1ba10f6da4edaa64161f0e0a

SHA1
12d191242d588b3a9e60835f3340561095e020e0

SHA256
3dbad32dcb8d4800dce7c2a3105ac12ab0ab7062f05e99814ec7ac16f73f25ce

SHA512
a5b26838127b328d8e41e11fa5ce72f51dc182ed8b6bb4667e833c8fd9c0a9103a636f256b8f50105dc0eaaaf034f238af74056d7cbd43f4ee5517247a6d0aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcco.exe

Filesize
196KB

MD5
0c1461bf12501e1ad13cb2909cfcdab6

SHA1
ac12698bb20fad5a7be43dce245b0b8fd5604ce5

SHA256
56485b37811310cdf46a48f50d4282be802f685e2c7c3dd90ddaebdcb210863d

SHA512
3e1ab50d52a72cf8497f4e845337c5378b2d26d8d8adc74c05c2f0980cfdc198c256885a39440a763f91781f3bc7fc1609aac4bce6c5418d380922310bcb1ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckq.exe

Filesize
5.2MB

MD5
2368eaec69ed66f5ac383f6247d7b780

SHA1
c074d272906c057db6a969d85c0eed86871ac229

SHA256
fc68ec9ca9d90b34f51ff3d996f93841b6367bfabaefb08e70d5d1645bac464a

SHA512
b99359f4814847ca360775a6803cccc909dafdc9cfaf7a1ae900945b05978d0e191619b4787f531212436041069bbef8df7c2ffea67af86b363f376979358173

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqoAUksw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoo.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAYU.exe

Filesize
204KB

MD5
c063ba1e75500134f3d46b41fe89eca7

SHA1
dba95794058986964ae7aed451131f9a4cde730e

SHA256
455077e71cbf3007f9291de9bda1e36416e88a93da3161bb45e0ea92f3d12a25

SHA512
9c9f808ad3e5d84978234e0f345c54d97ad322461c00095d9f1c29cd626061a7dbcc1bbd3c71046bf1ae6fdba5b08ca0f228005fddc512b895c74635909826a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEcQ.exe

Filesize
193KB

MD5
adfaa25adf682a8266a2ab42e53bdefe

SHA1
173f05c1a207f513a99d89bb54befe7ada7047ca

SHA256
c826a414d81711d315e16429b5f21c7abd1c3d4cd04caeae94ae9e84ca960dcc

SHA512
f83e8153c6caed6694b08fb53ff1ed62e10b148af02c7bac2bdc9f171ab16e65463f8a170c612c2ae2c9128c3d063b19f022f9dbc125645a2b693b06074dc70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEky.exe

Filesize
199KB

MD5
2b5d6c57cbab6008a2a37ac2b8fe3b23

SHA1
7ca15e2992da39f88f59df6f0e55a9d673e199b7

SHA256
738ac00cbbdf76a74c02613246d512b984b80050051951f98c4effb988058b14

SHA512
5ee751fb469ef5d14b880b7bb72d33fd730706c15a8290c3ee3c9d0ae9de63fec49f53b85869d8fd6317d2fdf8cdd6ac11c6e3805b782504d12e987feac0b3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIsc.exe

Filesize
309KB

MD5
22d8a7a935959e4f8cb6e6c7c492ca01

SHA1
d8c98ba2d50c88695e8d36f6912c90972ac07b17

SHA256
d6dd2f4af1b8866c5c2b347ec26af7a37ef228dcd1f454cc0057d6e534055887

SHA512
b5f25656e7d56889ffabb7cedef364295ba33e91caa344fc9cd9d92750a1444ee076119740a3e2b9b4d5128f591c4d2989c07039a07bcf9fe851aa2a06b18b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIC.exe

Filesize
190KB

MD5
32f469d83dc031ba6fcec2c4d16830c6

SHA1
bdacee645860462cbac4ee9a8b8c5544ce9f9f6f

SHA256
fcaa6520a02c8d1a7257c70c4cb909281bb3a44bd05ae79e9fdc0ac669261899

SHA512
53bf77e4c7fe93ff76944e7fb4e70397e0bdd2eb00bec3420afb5ebc07f8c65ccecdd078424807fc80e152e1422e425d71fe0bee62ccd7b38b1fca4dfc3ccc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qacgIcgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIEK.exe

Filesize
212KB

MD5
d053a62b6a960ecaab22556c09d30122

SHA1
212821d071fc4e723af3a5a59f8c483fd624e5c5

SHA256
e4edeab08a1a7ed0c6744234392ef7562825a2e9d2d3ae29c05ad6f960465ffb

SHA512
32a9b6003954d3180fe465a4fbf9cd1fd85f89fb2b4c6eed8669096b6faad1efb0315a96b72d05a3f310af2f5e074122abc8b8241902754ea4bf496abcd24724

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsoMckUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQsO.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMg.exe

Filesize
188KB

MD5
dd60af19b68d9a23f2d747b2d0bf9295

SHA1
faaad73754b23a9884ade26620a4e1d133903cc7

SHA256
538e87272b56a14cc126b78a3a37d74f71026727fd301f2737bebf3b26e2843c

SHA512
c4aef467aa675e9dc99a875f6f30efbcccd71c65e2d49fe53b665689bc6977c0b72d1f31493600e21bde19e3dcf95f6dd75e0340ea7824f348df15a348fe928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tikMkoco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\towC.exe

Filesize
780KB

MD5
6126a47e00cf128b1bd106b40742818a

SHA1
8829343162a70ab6ca9dd56cc1fc84101768cbdf

SHA256
5ec52664b2778b4e9aa0f7c4ef72593e831d541e9191b79c7d3854f93b13620d

SHA512
54cd41336f33b62406522f2de2179199e3f044ed1119621b0610be1c14d259494775c71197b33b07fdfbbd5d41533107f515fb6a6831238cf42e7ae8ffbc5da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEke.exe

Filesize
189KB

MD5
b198b26c68d08c59b813412cb7a5c631

SHA1
40294605e4018226698d3e5d8be2d70e1454bd6c

SHA256
21f0cbf619ce676bb69fd8dd78601d86cfa533cab667796897eeb826d558f3d5

SHA512
7d67ede2180857c4c4e1a5d11eb9ebf9f2d5cbad3ce97cf26bbf0c00e0fc542babb1989afb2bd9d61ce730b7e119a716ce9063359c9654d8b5cc9059d7851970

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUcq.exe

Filesize
201KB

MD5
bba9c59103109205d713576670e3484e

SHA1
a5feb9e65ba3ff793f6aa6d7dc355c764b7de549

SHA256
0577b7d5e711e2a7438b08e2e457aa79a49330b794ba37245c9ccefcdc3d93bd

SHA512
bb8b1b01285f2bf1e2d49f417c7d790278a0e9edcd48a9239911319136352492dcee494361c97c4f232925796671cf80d883eb17474c6d558bf759469b20e838

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUkq.exe

Filesize
213KB

MD5
3b77da23a12b7889e77194c667f04cfa

SHA1
db0bd8c2b3e247a0e6fa6028e503e6eb3d5c513b

SHA256
b1dd713655bd68d01a0f07a044b4c25d3ff8e3d7ff31053c1fc3f5163e015493

SHA512
f8851f2d9d69eddbd389999170c77753f13f118380c69466011e8dc57c45d558001e8300fa1833819d9685de3bbf6c9f005a1bb2768e511ed80f3979727db7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwsM.exe

Filesize
197KB

MD5
48905d92e9fe747c880da47a4a283081

SHA1
2803cee558724e5767bd1523ea7b15f4de39f68d

SHA256
34a9dfbdd75fcf9d3d3e3f48d5f8e1a4576ea5f0365a367285ac601a3790b53e

SHA512
f9e2d9419eb8c006ea7d551bc497d78ecdabf5de5929ad118eac892106219acc7b5a7e39c5be3b912f395752b1dff6801ecc9bd148c1b509231cb3a604ef478e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIIu.exe

Filesize
568KB

MD5
12ef4a54d632cfc2d3829758a5a185a4

SHA1
20001313e63670127ffdd2b3972961c71b082d06

SHA256
5bdb0f21e09ed6e0a9cb916fd1de242d8012f5ec04d1eef1de3718766875352f

SHA512
76256d297f96a3ca3728a0ac5896b4322c3c050626ad6ac08aea133a56d77fd35f35eeafae7f6f2f7c233259a97ccea4ff95b59ad8d592d4eccb15cfe7d9446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMME.exe

Filesize
199KB

MD5
1fe21faf081598ad3c2817ef1b91074e

SHA1
3077a2cd2088f6b89badf556fdcf8de0c8788ad4

SHA256
7158cb9d225b676bdf891b3aaff3ae84de09d9f0515c0816b8d72460196de53b

SHA512
da5985f054bc9ce2164f77fc7cf2af4e26791f9aa88b52d3f062af8d5641bfc4a6cc7ac27dc6cec5a9bbc127f55b99c8dc78ecf30d33f8463aa1db0c6d3ab931

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSIogYoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsEq.exe

Filesize
201KB

MD5
fdd4070d85049da1f6de13c39e6c0540

SHA1
dbad56708acc8ff5ecd2c6ce89a6757342afc97d

SHA256
ba7d18aac8f8aef0ad991964aa0b665db326a6b337792aa88614a44e6bac1248

SHA512
b396af1bb654bcde6d692af53955cb8a7de3643bb9ff6641342c7dd0b241652db0bf5d325625add65da6a8adb673e6143f46f823930af8c6917e3f9a89e7f3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUss.exe

Filesize
829KB

MD5
f2cfeb91b2fa47dcff3dc9641af601d4

SHA1
a546d43013eb18c7c8e9e7ca7486c121996950ea

SHA256
2567d15a731a0cff77b8f6e8ef5cdebc054e6a860c42d3c753f1cb55efcafdee

SHA512
292890b294f5eeead7ab59b6e12398154a2b3a45c2dd6cf7557bc0e17045369a41f80b48814b7b19ad5ef4f6ae32adefe348af5b69f5c6b4fd28df7fd5b1d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcEUMQcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwcU.exe

Filesize
686KB

MD5
71f972a7c172d5fa21508985d0699ad0

SHA1
e65f7013b9de42f54bca3d65285df09a33cbc8e4

SHA256
e7e1c7c0f505ca3c272d9c3e611fd89a49fbaf55f70539cf586b1a9cc4316603

SHA512
9ed657c5a48c56500789c05163c4d7ec1a57c3aa0388d89504b002a64edd9cbdccc6de74fe9f75d2cb22cb39dd548e10f19614c0a7ef9e17794c13b5b1362330

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygky.exe

Filesize
388KB

MD5
b5a57945a246d08b09784576f5c69e5d

SHA1
092ee6f04b03d241a983c8c7525140ad931c2689

SHA256
f86e63d4fb8b46a0485135cca72c82f3bedf27aa429c76edc3c7bc13a150f14d

SHA512
39f9934232613789bda61b26905d164aaff9a4661ebdf0a340e8d155ed6b9b970978ea0edeb5e272148b0f60a9e0b165a6841c48b5ed4805368de4d3f63be407

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGAYgwgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIQu.exe

Filesize
197KB

MD5
573c5b003a8777ccdbfe2d9ea0030ddb

SHA1
3d69777cbe62e485efc361337104d6b18bc004a5

SHA256
4c10f30e04cbbe5b2a0de871aa7aff5d30c6709e2329bcd523c6b816c93bb3de

SHA512
af4c2c734978d1d89503dcd716fd1b0f4d86c98e0931f76a32726b234357344b973b1e5d6182034e1cae71957d1a316971ec51d7b13aea7b828c3b82c92bd024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMgW.exe

Filesize
192KB

MD5
4c776c5fc15b18d4b459f874f3ae8c12

SHA1
f4d226044197944f102bebbcc98da2b55c204bf1

SHA256
bddc472224bbac9696e9e3af3755af67639dd91cf26a4587d78424fe29c35849

SHA512
68b5365f6df6daa82b3506bce84d0a4f98eb76214c369c90cf61649d7e2a3605b5f9a542d1ca6e3d081ff6132bd50f6f1ff78d47ddd5d43dc41adc72889d92b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsEm.exe

Filesize
557KB

MD5
26ed44515c4f739d37853c034889817d

SHA1
6862421b086f967856ea287cdbe3d7e677f414db

SHA256
218ef47b298b680c1ad2acd2e3e0dcf6833803e36000704bc1c971aa4a943bd8

SHA512
98175d0a0d7f2388837047e28e0e3e4b1bc1ef375ebc92812d5f59855ebde83cf416d3849597b06c61c86e604f55ae7c5344dfec0d2a04f431e720c6507362b9

Download Submit
C:\Users\Admin\Music\AddBackup.jpg.exe

Filesize
775KB

MD5
833d7d9f00be19f470e12f3e3612f9c5

SHA1
0ff68292b4c7c4da5884b61282704cd6364133d2

SHA256
32b625188ac73ff45c1fab2f02edd9a5422724ea0c880377c7e3822e49714147

SHA512
0808b9447a4ed39b48c91adaddf370387c915eebd9d5d79449e37a407693c86c95edf4d9a45f4b62bcdb14383507934862eed702e724077b653a22b010bee7e9

Download Submit
C:\Users\Admin\gWgogwMw\yWIkQYgM.exe

Filesize
203KB

MD5
61cb502b0db81dbb9ad9943fa7709610

SHA1
51bc967dacbff1ddab44c7deb70612f36ba0dd3f

SHA256
be4fd3c8fe64042fca5edfea4e08d266aba95c48f9b4720c2d2a9782ff726c49

SHA512
75fed9a1e7dfad0cc46bbc775e93f0c800cc02e88df9daffc604d424c1b7f49e6a914aad0afec94aec59fbd35be34930a4560b1eabd0712f378929ccbf6b63c7

Download Submit
C:\Users\Admin\gWgogwMw\yWIkQYgM.exe

Filesize
203KB

MD5
61cb502b0db81dbb9ad9943fa7709610

SHA1
51bc967dacbff1ddab44c7deb70612f36ba0dd3f

SHA256
be4fd3c8fe64042fca5edfea4e08d266aba95c48f9b4720c2d2a9782ff726c49

SHA512
75fed9a1e7dfad0cc46bbc775e93f0c800cc02e88df9daffc604d424c1b7f49e6a914aad0afec94aec59fbd35be34930a4560b1eabd0712f378929ccbf6b63c7

Download Submit
C:\Users\Admin\gWgogwMw\yWIkQYgM.inf

Filesize
4B

MD5
68e0dc732dd8bb7f0a6e1463e0ea3779

SHA1
cd43cd272d31f901d6d5501935eb8f6ed1ce74e8

SHA256
e65c5e8d9423fcbf3a932af34eb2d32ac3ad1559a9793a578b330bd1f0a38525

SHA512
00911a0dbefc7fa8ee099b468ed26d115613875e259a1b17823f76eb5d1dd2acc0cf5004050fb4a0037a75891c580b64debdec2d5747e200e5051fb4081b9555

Download Submit
C:\Users\Admin\gWgogwMw\yWIkQYgM.inf

Filesize
4B

MD5
d7c5e81c5865685f41b24fc520d4e910

SHA1
2c8ea847351a3f3dc50eda62ab4a46ff6b1ca0a4

SHA256
4e984f42cb64cedb2169d3fc0d7b81102cea1fc80ba4b3fd319c2c4a7afc2ad9

SHA512
3b9ff74de85515808af6e8efc62c9dbc372e276599f6a48740b1cebad5005ede79792835a5079b4813960706a21fbc6adbe51f8f55100fdb57686c3ab674421f

Download Submit
memory/912-554-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-629-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1868-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1868-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2388-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-607-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-599-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-617-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3120-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3176-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-633-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-598-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3544-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-537-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3868-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3868-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4268-524-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-624-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4628-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-590-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-553-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download