0c13d0a680ca5ffa8c135872cc0366156e49eeb9fcbc5441fd4d7bc1ab4a527a

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 11:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Size

193KB
MD5

82f5e411ef65e9be31d9cbeb2589e679
SHA1

c670c77887ecaf164040fd67a0819442af8c66fc
SHA256

0c13d0a680ca5ffa8c135872cc0366156e49eeb9fcbc5441fd4d7bc1ab4a527a
SHA512

cfeec157e42257c0e446de84f9660d37c636ad7c39d5d9d8bfe2b1bc88e33b4c18602e7abe2cade549ce7706a3d6592ba05ab6d0bd5d6ddc22884f0d7f17f8df
SSDEEP

3072:ss0Wj5goWC9Rdeouh3iCaNMikcWDfMtqmIrvOo/S/:sq5ge9Rdeo/N9U/D/S

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	QMAsEYMc.exe
5016	PikMYoEY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMAsEYMc.exe = "C:\\Users\\Admin\\hkcwoIsc\\QMAsEYMc.exe"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PikMYoEY.exe = "C:\\ProgramData\\DikYcUos\\PikMYoEY.exe"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMAsEYMc.exe = "C:\\Users\\Admin\\hkcwoIsc\\QMAsEYMc.exe"	QMAsEYMc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PikMYoEY.exe = "C:\\ProgramData\\DikYcUos\\PikMYoEY.exe"	PikMYoEY.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	QMAsEYMc.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	QMAsEYMc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3900	reg.exe
3516	reg.exe
4568	reg.exe
644	reg.exe
4260	reg.exe
4388	reg.exe
4904	reg.exe
4520	reg.exe
4644	reg.exe
2272	reg.exe
3224	reg.exe
3952	reg.exe
4648	reg.exe
4720	reg.exe
4556	reg.exe
2108	reg.exe
5012	reg.exe
3672	reg.exe
3044	reg.exe
380	reg.exe
3628	reg.exe
4836	reg.exe
420	reg.exe
1828	reg.exe
2044	reg.exe
2444	reg.exe
4340	reg.exe
5012	reg.exe
3892	reg.exe
4392	reg.exe
3748	reg.exe
1524	reg.exe
552	reg.exe
4080	reg.exe
4948	reg.exe
4336	reg.exe
2092	reg.exe
440	reg.exe
4068	reg.exe
4232	reg.exe
2216	reg.exe
3944	reg.exe
3488	reg.exe
1284	reg.exe
4936	reg.exe
3556	reg.exe
1592	reg.exe
4372	reg.exe
4496	reg.exe
2456	reg.exe
4996	reg.exe
500	reg.exe
2176	reg.exe
1412	reg.exe
4568	reg.exe
4928	reg.exe
1096	reg.exe
4564	reg.exe
4720	reg.exe
2728	reg.exe
640	reg.exe
3988	reg.exe
4928	reg.exe
1044	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
940	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
940	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
940	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
940	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3068	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3068	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3068	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3068	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
1800	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
1800	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
1800	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
1800	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4268	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4268	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4268	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4268	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
4332	cmd.exe
4332	cmd.exe
4332	cmd.exe
4332	cmd.exe
220	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
220	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
220	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
220	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
2108	Conhost.exe
2108	Conhost.exe
2108	Conhost.exe
2108	Conhost.exe
3988	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3988	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3988	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3988	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
1424	Conhost.exe
1424	Conhost.exe
1424	Conhost.exe
1424	Conhost.exe
1984	Conhost.exe
1984	Conhost.exe
1984	Conhost.exe
1984	Conhost.exe
3492	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3492	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3492	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
3492	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
5060	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
5060	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
5060	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
5060	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
2332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
2332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
2332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
2332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4764	QMAsEYMc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe
4764	QMAsEYMc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4764	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	85
PID 4432 wrote to memory of 4764	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	85
PID 4432 wrote to memory of 4764	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	85
PID 4432 wrote to memory of 5016	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	86
PID 4432 wrote to memory of 5016	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	86
PID 4432 wrote to memory of 5016	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	86
PID 4432 wrote to memory of 3688	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	87
PID 4432 wrote to memory of 3688	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	87
PID 4432 wrote to memory of 3688	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	87
PID 4432 wrote to memory of 3224	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	89
PID 4432 wrote to memory of 3224	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	89
PID 4432 wrote to memory of 3224	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	89
PID 4432 wrote to memory of 404	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	91
PID 4432 wrote to memory of 404	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	91
PID 4432 wrote to memory of 404	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	91
PID 4432 wrote to memory of 380	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	90
PID 4432 wrote to memory of 380	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	90
PID 4432 wrote to memory of 380	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	90
PID 4432 wrote to memory of 3888	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	93
PID 4432 wrote to memory of 3888	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	93
PID 4432 wrote to memory of 3888	4432	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	93
PID 3688 wrote to memory of 3620	3688	cmd.exe	97
PID 3688 wrote to memory of 3620	3688	cmd.exe	97
PID 3688 wrote to memory of 3620	3688	cmd.exe	97
PID 3888 wrote to memory of 4932	3888	cmd.exe	98
PID 3888 wrote to memory of 4932	3888	cmd.exe	98
PID 3888 wrote to memory of 4932	3888	cmd.exe	98
PID 3620 wrote to memory of 3884	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	99
PID 3620 wrote to memory of 3884	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	99
PID 3620 wrote to memory of 3884	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	99
PID 3620 wrote to memory of 3944	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	101
PID 3620 wrote to memory of 3944	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	101
PID 3620 wrote to memory of 3944	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	101
PID 3620 wrote to memory of 1556	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	102
PID 3620 wrote to memory of 1556	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	102
PID 3620 wrote to memory of 1556	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	102
PID 3620 wrote to memory of 4836	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	103
PID 3620 wrote to memory of 4836	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	103
PID 3620 wrote to memory of 4836	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	103
PID 3620 wrote to memory of 3740	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	104
PID 3620 wrote to memory of 3740	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	104
PID 3620 wrote to memory of 3740	3620	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	104
PID 3884 wrote to memory of 4332	3884	cmd.exe	106
PID 3884 wrote to memory of 4332	3884	cmd.exe	106
PID 3884 wrote to memory of 4332	3884	cmd.exe	106
PID 4332 wrote to memory of 3412	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	110
PID 4332 wrote to memory of 3412	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	110
PID 4332 wrote to memory of 3412	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	110
PID 4332 wrote to memory of 756	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	112
PID 4332 wrote to memory of 756	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	112
PID 4332 wrote to memory of 756	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	112
PID 4332 wrote to memory of 500	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	115
PID 4332 wrote to memory of 500	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	115
PID 4332 wrote to memory of 500	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	115
PID 4332 wrote to memory of 420	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	114
PID 4332 wrote to memory of 420	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	114
PID 4332 wrote to memory of 420	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	114
PID 4332 wrote to memory of 3716	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	113
PID 4332 wrote to memory of 3716	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	113
PID 4332 wrote to memory of 3716	4332	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe	113
PID 3740 wrote to memory of 5036	3740	cmd.exe	120
PID 3740 wrote to memory of 5036	3740	cmd.exe	120
PID 3740 wrote to memory of 5036	3740	cmd.exe	120
PID 3412 wrote to memory of 940	3412	cmd.exe	121

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\hkcwoIsc\QMAsEYMc.exe
  "C:\Users\Admin\hkcwoIsc\QMAsEYMc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4764
- C:\ProgramData\DikYcUos\PikMYoEY.exe
  "C:\ProgramData\DikYcUos\PikMYoEY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        8⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        10⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        12⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        14⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        15⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        16⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        18⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        19⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        20⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        22⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        23⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        24⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        25⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        26⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        28⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        30⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        32⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        33⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        34⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        35⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        36⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        37⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        38⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        UAC bypass
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        39⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        40⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        41⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        42⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        43⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        44⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        45⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        46⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        47⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        48⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        49⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        50⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        51⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        52⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        53⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        54⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        55⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        56⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        57⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        58⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        59⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        60⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        61⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        62⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        63⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        64⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        65⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        66⤵
        UAC bypass
        System policy modification
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        67⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        68⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        69⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        70⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        71⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        72⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        73⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        74⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        75⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        76⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        77⤵
        System policy modification
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        78⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        79⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        80⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        81⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        82⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        83⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        84⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        85⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        86⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        87⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        88⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        89⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        90⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        91⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        92⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        93⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        94⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        95⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        96⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        97⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        98⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        99⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        100⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        101⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        102⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        103⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        104⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        105⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        106⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        107⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        108⤵
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        UAC bypass
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        109⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        110⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        111⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        112⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        113⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        114⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        115⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        116⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        117⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        118⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        119⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        120⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        121⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        122⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        123⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        124⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        125⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        126⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        127⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        128⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        129⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        130⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        131⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        132⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        UAC bypass
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        133⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        134⤵
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        135⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        136⤵
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        137⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        138⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        139⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        140⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        141⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        142⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        143⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        144⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        145⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        146⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        147⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        148⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        149⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        150⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        151⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        System policy modification
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        152⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        UAC bypass
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        153⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        154⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        155⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        156⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        157⤵
        System policy modification
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        158⤵
        UAC bypass
        System policy modification
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        159⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        160⤵
        
        PID:568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        161⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        162⤵
        UAC bypass
        System policy modification
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        163⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        164⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        165⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        166⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        167⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        168⤵
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        169⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        170⤵
        UAC bypass
        System policy modification
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        171⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        172⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        173⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        175⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        176⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        177⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        178⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC"
        180⤵
        System policy modification
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAAkMYAM.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        180⤵
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        UAC bypass
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGgEUgQc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        178⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKQUAEYA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        176⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        System policy modification
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIYYsYMY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        174⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WucYIwMc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        172⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyAAEIsg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        UAC bypass
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAQMIAMA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        UAC bypass
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyUAsEkc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        166⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QikYwwkM.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        164⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UukgIYUg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        162⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOIAEgQc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        160⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWYwwcIA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        158⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggMAgcsU.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoIkYcAA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        154⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSgQskEE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        152⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAMEkcgI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        150⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgMwAAg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        148⤵
        UAC bypass
        System policy modification
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqQUEQII.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        146⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAMEEII.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        144⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgooAoow.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        142⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSEoggck.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        140⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgQgooYk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYEMgsAA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        136⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOQoogkE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        134⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcIMcYIg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        132⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FokcwQok.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        130⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lggUUoUw.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        128⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        UAC bypass
        System policy modification
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmsAUUIE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        126⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwEUAUoo.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        124⤵
        UAC bypass
        System policy modification
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCIkEoUU.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        122⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCUwIkQk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        120⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkUIIYoE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        118⤵
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUksUocg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        116⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAQscAYs.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        114⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIUMEsA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        112⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCYwUMEk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        110⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkEYIAgA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        108⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuIAwgws.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        106⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaUkcMkk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        104⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSQwwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        102⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgcMAAoo.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        100⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKsQsIUo.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        98⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HugwgooU.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        96⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKAYAAQc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        94⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lykswgcs.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        92⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IckcwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        90⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyksYMsY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        88⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSsUcAgc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        86⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmoUoEEg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        84⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEcEsYEc.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        82⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiwQkQIY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        80⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIUYEUQU.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        78⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUEQsogY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        76⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emogIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        74⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwEIgIsM.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        72⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEAUAwMI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUMIYUIo.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        68⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEkMUQos.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        66⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emEkwwsE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        64⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGgkYkgw.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        62⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSIkUkEA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        60⤵
        
        PID:2868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuoAkgso.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        58⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUUUQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        56⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYUAwYcg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        54⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEAkUIYo.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        52⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuAMokUg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        50⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYwwwEEA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        48⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqAgMUcI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        46⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqgsAIcI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        44⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIAgEUQg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        42⤵
        
        PID:712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMQAkcY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        40⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQAMssIE.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        38⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkoAIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        36⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAMIUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        34⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmMkwEEM.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        32⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCgsoIUs.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        30⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seoIEkAY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        28⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIwosscQ.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        26⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSkIUAwk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        24⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iakgoAgU.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        22⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icQMoEEI.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        20⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asAMQoMs.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        18⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmkoQMgA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        16⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feswQcAY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        14⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYUMUIA.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        12⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faQAUgUg.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYUAkUkw.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKcAIcgk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
        6⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMgQIkcY.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3224
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OakQUUUk.bat" "C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4768

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv jNt4mt57mUCSLX2v79o7AA.0.2
1⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1364

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4256

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DikYcUos\PikMYoEY.exe

Filesize
200KB

MD5
849c21a5ae6ed2e34b36be5db60c4b7a

SHA1
e93ee999214f7aa932a074b5ef982eae83387f9c

SHA256
8fc16016fb50cafdb6e7cae45ec5e8595e046bbe949fbd3bd674fd50876befcf

SHA512
e1a16a5a5b976fbae76409dbe2a5aff0136361c2222bf5e5ee5f6874a959d86d97a5da0fd2d473c2bc1535fa845d71585d609fbef779b63e5d92dd7b5670564a

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.exe

Filesize
200KB

MD5
849c21a5ae6ed2e34b36be5db60c4b7a

SHA1
e93ee999214f7aa932a074b5ef982eae83387f9c

SHA256
8fc16016fb50cafdb6e7cae45ec5e8595e046bbe949fbd3bd674fd50876befcf

SHA512
e1a16a5a5b976fbae76409dbe2a5aff0136361c2222bf5e5ee5f6874a959d86d97a5da0fd2d473c2bc1535fa845d71585d609fbef779b63e5d92dd7b5670564a

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
9606926fbf874cb9e1c71290c9b21e1c

SHA1
99d624e77341b4abd33c8f1315fb67c8aae68ff8

SHA256
9001921078bb16b5cb2d76e69bad76a226d32a0596d002b34f6619a1540228ef

SHA512
dd9577c2611878e68e644eed945ce3b199ef3b67ebafa9c6e4842d8a1ec072c65628bd0dfb04012e3d9517710b1fc465ec2313c0c442427c649ae13ee6f21689

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
a91f3d527c7f7b5b9eecbcd97da6abc1

SHA1
e8377f29d0c47e7f3d62668bb8e6204e91cea89e

SHA256
d6b34787642dbe4634211074d432b78373e7c77f5870f619cadb3b0acb9b3179

SHA512
4d3ae6411b9c45052d78acddd678ee554f75b29be7ba22cc5ddb644261579448d974749fc947b8faa3b6dae84e95d51cbe1dc7efa2dc00aa777b7278096ef036

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
2ba729c7be7d682622ef55334e4cf0d8

SHA1
1b8cfea9cbb8a49d52e2f0f2c588df5853f9b91c

SHA256
f7cdf3e64a4b2707cedf866239dc75535e9621f400a8a8219de4b1a2d3d57bfc

SHA512
51f89d1ebebbf47a4a2d8548340acab0469a18545de48acbbf22628c5efb537956007b9d009c0bbae8ba88a21eaf4c5de38401b35da09183dee86622556efc6e

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
269921dec930caa2395ea1a2298107f0

SHA1
62959041574d356084d9c8a554839e5017ee7b33

SHA256
85d86e5d867ea823916378993cfcdd39d4c1a93e00e1c3fa5781acaa9c2fe1ad

SHA512
702e1d4c270021e3535c5a3a7e09ea57ebf7839767310a0efa39599b209150b539ad1cd1f8ef7aa122f214517a2c4b4a8c6d4b15bec1cb52b7002f4d6e5228a5

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
c944baee92db822db28c41e149521762

SHA1
8415a52e8c17779be0c373848b086fa1bae73821

SHA256
e423cc55a9c47fd27bd988c6b0b4a0b0a447488385c4f5f2d00cdcb5bcb78302

SHA512
0e0730c9019ef26bd1d5bfd4702e0191351e530cb97a5a41276594c0fda8d7d35fc6746abfc2024a9878fdce538c13530e162de7d5af1213db1f0800c6ce6942

Download Submit
C:\ProgramData\DikYcUos\PikMYoEY.inf

Filesize
4B

MD5
ec07388755e94d9a1b672f7db33e1224

SHA1
db274b2af69606d8645e2145d049e7f433066e77

SHA256
78640a826da77c3f6c10ef56b6eb2bb57fe3241447dca362a2ed2db56abf6e30

SHA512
974c0cc102a71fdb6aea85b1d48f0aea0fb687dceabe5882dc7c81f81751be6feed1d7aba6936f918cbe79b72832e4d6e2f533252a95ef0086505b2a79a24800

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
313KB

MD5
c37f3e3506aa4c804d8d5b2ea9342a6b

SHA1
d7cd20de0cb3eacbb07e6384e4fed0d7bc8339d6

SHA256
c9a3eb2fd37d096137417604c10f6399819ea7c3ea47ac2be8bee80f03facb3c

SHA512
bc32a1a9149de183b8f6842a09707d952f39b743571cb832614928f1d17db88d685cdb88a458da204e4c74a486c3ef15a263336d69a91ff88d55952e6d284bfd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
245KB

MD5
55b68008c15286ca55ab513755246109

SHA1
952b269c145e7858cc0d8d49c40ad06bde33aa7d

SHA256
11415b917663c853e4697ca9752916646694eed1072711e9cf56910d97b94ebf

SHA512
467d058506a93ae24c99e846a9d031798b036cec6f5c49ddb84fff33274b52125736ae685628f76a6e02d5e3844c94939a6b8efa71a392066ef74ead3252f300

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
218KB

MD5
408c6693eed7319a3f5322238a5c9e58

SHA1
e061d9ca8b480690a172060fd435398a046c4a76

SHA256
66f2d58b6c73479d5731edfed91a309c592130ecbde40a694d0502fd16de7bea

SHA512
be358a8e7f4318f9f154571aacfa032e9e55478e93501792bdb9adcf79f5e1e9c640629f46bceb88004daa687e83069ce39613acb3e7d95b2abde8f32223aac8

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
652KB

MD5
d087ca75b39598b412a4d3e4b1a5bbc2

SHA1
4560eb02042821eaa236804734f1c3097ec96e1b

SHA256
7d69f6035b6f9a9544f868a3416034c39c61ffee205038053bf88488de9da442

SHA512
236f70f4d2cd3b310aa7dcf1eba635b209ff41ecca79844e866a33618fb98811b99a2fbee127cd88d0be67a04993675345eabaf62b0a832d77221af3ad4f26b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
207KB

MD5
02960ef1f87f5d34a938b4772125bb19

SHA1
891b834881d60040f0d37546a2c986a0b7403d52

SHA256
6bd1a4032e154c5abfaee4f4c9a95ab46215d649ad29d101bc93b70b60648127

SHA512
dbfaae616d4bb76e03e1ffb4a5d98e4021ba99e9d2ec214865a1d70566ea291ece63647f0df116fd875959a7d24b761af116121637e81138908516df356d5c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
199KB

MD5
418617af5a5c79b01206ebb587bf62c5

SHA1
05b5b6f626de4c5e7a7d82294a915302632a6957

SHA256
54abaeef3583299f1cde8fe4d69c46f5269f3e67f73536f1dcc273d9c37b3a75

SHA512
d2546e8beebf9e93b703b8268a0fce667e258d00b8b12686d33be69c7d5648c2f070bb414de65e6083afe4dc1662ca4bd5e691a334c57532beb062f1aea9a750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
205KB

MD5
ddcf95aad4d26e18687032d587220cea

SHA1
a7267a6c7e748ccc693997402c2f06bafb4fac9c

SHA256
6a7e527b7c67ed19fdc0366a7d359e80ef8c263ce0cbb53a7ada1bf7ecd9964f

SHA512
87712fdf9540088acd4332bd5e2b2e96f4e0748ebe5b610afc97c1af0868978045b0acfa1fa72de6e4d17c91d0edaa05de330d45f64f460b869059c340f95510

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\82f5e411ef65e9be31d9cbeb2589e679_virlock_JC

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMu.exe

Filesize
327KB

MD5
84fb690f4bfdacddc41e12e0973d39d2

SHA1
ac83282825870b3a816c942cd1baee13e283be86

SHA256
98152445f39782d9a9f5e3af1375d8b06e682481cd2f64776d5e9be0f4b3f2c8

SHA512
e1d0fffa6db5034f25e13c677bc696d958b1231fff2fe7503522188a9f74896eeee26d61e5f878a6c8fb08d29f509c73a4c3ffcaa4efccdf21280bea4ee71ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcEq.exe

Filesize
196KB

MD5
a4723ed6b4fd247a4000a58fbe8924e3

SHA1
cd806f7f11972ea1f735c9d9af5ce0f0f113170e

SHA256
e24b91d36740343b55fc2ae90e85a3b89cfc31e8e128ac551c5bb2764c3136b7

SHA512
273bc4c44b47114ec4ab39c14d2d2dcdf4b7350b3bd8b50c284f4855d93a71aa337f9cc96921b583e787c30ca3efd2be25e10a534f2fcfa85cdae402cc33d171

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcsY.exe

Filesize
196KB

MD5
b1aa62a48bb7cb72f17585315a743776

SHA1
6848aa51a2e3f64ff2db2cd8ea1559c2f143b33e

SHA256
4024ae32fd8df61b386ba8ec8c456e2e09bf834fefd7e58d7f67689dde1f26f1

SHA512
b6a95c80732b5f12d13a275fa9b12852e28fdd95561718b19e531648d3eebe9b59db6dc9530f107b57537cf13229b601d9b16a9ad9998382939d417b08948563

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgYUMUIA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYY.exe

Filesize
183KB

MD5
d89f4e5142c54ee02e2da6526cc97041

SHA1
e1b36e8cd55668e09a2d94774958e5666e4f4a2a

SHA256
26aca567fb056b327c4517bce9ec86b147f36673ad9522285be9b3fce78b9f4e

SHA512
2892a5a950804bbbeb9c636bd8406257669036581f4f8e92bfb1fe3ae2afbed034f9dd5d024cde869f42789d4bd2a82bdfa83940a4c24cd82e04334b6fc2beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMK.exe

Filesize
642KB

MD5
43c169e6c06cd7e66db9985a64239fad

SHA1
bf624bda1c2459ee57a6b0f8adcfe306b88bd2ac

SHA256
7d7bfef665c88f8c8ef4fea79b7de4e818110e2ca5f01a9d034b856f0b26d2e1

SHA512
51f19ef2e4646766688422903abd44dc04c448dee7d143b28dd5547b489952387f81b4efd4e620b54fed56121711bab6bef55f39005dadc2201cd307d7fba344

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQcw.exe

Filesize
182KB

MD5
c04cc8cf7a24a046f7587180c5d2d1d7

SHA1
c6b41653318b072f85780a3cfa51b6356351fc7c

SHA256
93cfda2837c63fe4c5a56674ab50700baaf94a39c75e2047439a744f9eef34a9

SHA512
b5d2427b6c941276632dc873178a06fd77491823bfc3a63d4354efa7196690ab526c4fcfb39e0fba500253f1cc79d98f29c5f942915f1b11923e1e4cb1b7580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgQm.exe

Filesize
226KB

MD5
a46bbd3663390d9fbb43d8dabd137456

SHA1
374a4944a4685717f1d13c82e484a9ee97f543fb

SHA256
fadba841c9487147287c821d56197ad8285347581d713666b521a1148d5c0a66

SHA512
d9b4fbde771122d15e5e9b2152b2fcfcd138c7f32655153041f08511bc883ff3606e58756eb7b45034b0e7900d4af4bd8a72d9d56ed5c9e68cbf55c3535cc981

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYu.exe

Filesize
190KB

MD5
836491262ee4db496d2303ee41bb1006

SHA1
c2e8ef5d5d66c5cbe16fa440af011936407fa202

SHA256
940e4ba18f0d252dd3d0dbd500dc94ed9d60e9c5fa44bcbe51a714c189b31f15

SHA512
e17996d938afc60097806841bb0fd4557fb5e74dd001c72fd41e84711de2b7fc3ca11bd06aec3d156ec6c05d5195a03a687d630cdbe595ffd186d77a0a0c5590

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcgG.exe

Filesize
203KB

MD5
4cd4608ccbb6dd584ebbb1683104ec0c

SHA1
305061569e3e2de7ad9eb25c81123d70a78d882b

SHA256
92e5fdcfb1ed5ba776ceafb979c6929ccbfc7bbb1de37b529107f5bb678c18d6

SHA512
939868ca00b1a8cf592d74123f4d720b75ff4da18e0a2a0eb96aac4a4681a31bf4d8fb0551d85b3064230c368b8296072cae1acbb2da6cca979d004f284b877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Focq.exe

Filesize
639KB

MD5
84cd5e9be1241c83eea16f5bd8ca9bba

SHA1
cadfe9334b80a78ffb4aa0459e2cf24919325264

SHA256
e21a80f86b31e8e4e3ef237ca6f81c93a3d9b2637ddca231f3f1780faad1b4ca

SHA512
4b2f68953cb664c006090d131f9b6f3c4b64551ed90ea1d88e75bc257fa0181c04f2c312677f8d99126d61b0e4cea5195f3c4ce449c9a35e03cd76de80174ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMEo.exe

Filesize
189KB

MD5
0a1c22be0f19485982dc8ecb186100f3

SHA1
ba7ea88701866a3c2117b86c22ff227dfafea454

SHA256
5c98d61e2f56de12135dc3483ba4611eb1c56031d19d3687ce8f71c6f49b367e

SHA512
3feb1ad7a324bc5a48fdf8a28da4e9ba058d5b54f43fc61336af7cf0dcdb5f3de13acfa8e3874b543c45f9a52c85d1ccc84bf9faaabf57aa7aef315ebf096dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUYs.exe

Filesize
197KB

MD5
20215c93b02e5d6cb75cdaba827a17ba

SHA1
e02ed1d09784d3627c15972cee4caa1f5120e042

SHA256
97ee57638defd5d16d5e03f7a6e76e993956bfe776ddd8f03d15c9cdfa8f745d

SHA512
1f0b00a2fe8d0a552c4dac40730d6ffd37bd35de2fb0821df8f6bc22f9a1e9de3ee836f81e1aa8c6dc05c1fd6f2932c9f11f307162080a9b9dba840d6577e649

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYEA.exe

Filesize
319KB

MD5
384ffae3f4e72dfa6f8986e1f14176ef

SHA1
901ab80fa3ecfe1f1327d858b5dcffc0d0754bd2

SHA256
179b8fa78b2d866b073424675922a8b22d08b5e007caaaf07cc9b4a221f60ed5

SHA512
4ee752cf6db285ae18f749e1a249d1559d0fc0937f0a11e79e6b6e92e2c9d1ace530f30ca0a92ff91f9905d1e508c0d2c5d80ecce3f49e7da7e51c3b8f4e1f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcsE.exe

Filesize
192KB

MD5
80a147a9e65c00e5cef12e825e283418

SHA1
825e38c8ff1975ea4499eb51c6c63bf90065adc8

SHA256
d63714555ee7b1734c2cc0a662a94945432ceb2e998b78f5878096bac928d1fc

SHA512
ae919bd6f3ddf31284f96b70cb57185b1c1ac58fb166a89f44332f7529ba072c99553c53c5de4815b47fbe458370e5dd087c88f3d83de60d60b9d46ae4727f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwMW.exe

Filesize
757KB

MD5
286b16b55fefc372864b709c9d3c7169

SHA1
2073c2d070312654b3ee8f95a2e114827d219492

SHA256
38f46d979a86f43877efd39ac28562c9b3bb3bcc6a7375d14c937f9eda84e926

SHA512
0d2d530a123fddad6e5ba48986424bb11565ccdac4da8af5677321f26866aa9983d78d698f441afa596e9d1f11d36f78f417d1eaa649d82cf887625a14d04fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgO.exe

Filesize
780KB

MD5
df40350ae52aa9c504062d1308d9a9bb

SHA1
89f2085bfecb04e55ad27c5a2d22fb16ae15c76c

SHA256
7b2015a33221580cd3527770b58f1a38e9cad2263fb8d35e7c8dac9129d19214

SHA512
b77bf49bdc9cde4d24882e43374f0b4853820ad8de6e9e3356306d1196eafb138c1614ab0d41d8bc176234b6cb0e0a470317dc98fa26f9754973c9baff942def

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkca.exe

Filesize
212KB

MD5
a4478d66a5c4e3e0183690b564bb19ea

SHA1
a5c51533a2a9b1d52ee68f07587eef105bb11346

SHA256
0bc70ba8a21ff81248ce70b6c7fd0d77664d7c2c3f6d54d566daec583356ebb7

SHA512
d3c4da49e1874de94755c89448c3c64d182de080d06153fd381729a3b114d240f4919d83ad4e3801c42cdcaced1c0dccd134249ed611d604ea737e4194d5ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIgi.exe

Filesize
441KB

MD5
f7f7a0997f1d347da49504fa23a6c1db

SHA1
1f8adc9fb87bd290b60b2c5d1e785772a598212e

SHA256
5a00fcaa658389bf9347d0bc121b2e2a5e37d4fec1117a2cdb880f36467162f5

SHA512
f569d5d6605d6c0ffdb46cb10301ba0ecf2af0ab514d85e82462740ea20bc1659a88667ac6c1f48891b6b6aef31a25514e63c925cd92c8f010de29aedd0f64ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsUe.exe

Filesize
193KB

MD5
f2f5acc459f0fc3e0c34c64d42ee4884

SHA1
d84f6e84d326f47276423079a7ad58fbcbe5dd18

SHA256
b59626f61cffadbb303dc857c0eccd5a018c96dcc129bbff58669c430e75854f

SHA512
589c27ebb09e124d8699273b1521ca06a8d3b6bebb4adb15372ac154aea4bbf6641e5d7606910b9cf777b2cb8dca9f77648d8c7b596b223756a32a936ebfef68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsK.exe

Filesize
192KB

MD5
47826d35118db5ff0c08d7fa59e32189

SHA1
178e906efbb4aeb0746ab55527bd7e491cdeb47d

SHA256
d641bd8836ae4ae372f9560d4ef7325ad71b0cea2b751ae8ca2a63a25c9c9178

SHA512
0104c442459afe2c2ca2ed89630ffa1ea4d82574f99ba1ec82aa6cf87230bc3d6b648d5f81270b79a368b7e44c8fac920d84d1692bda8c7da9556617d624b597

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkcE.exe

Filesize
383KB

MD5
7dd672cdfd8ea4986ecf1199450affa9

SHA1
0da209a3787e5f9ea4ce34834379be2e9eaff3ed

SHA256
bddcdca97b5839c828120dd16ce650d4a5eb18be4601320e5a6773b6794663ec

SHA512
97a495a75763e97dce0ea4717aeb9c2a848c1b6832a9edce84ec35679de747e811b78c2a390f027d511e9acf52097911a9de25d2dc611a6f8cac9eeeb72e1a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msom.exe

Filesize
651KB

MD5
7c889547b714d99dc6a2cd1d1bb8d0ef

SHA1
df880060fe12bb49acea2d1bb6f40efd28755945

SHA256
038d4f14c4a2b3892930316d3d32481dc5ddf410d068f2dd2c3209925d1652da

SHA512
f31ee8639a7003a2ef38d9b70d092477db14b41dcb6636749773ee52d9891b6f08ef9f2ebca52d1608ff6537356257569ed6e210168365e80413a5946e1a0499

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMIg.exe

Filesize
208KB

MD5
50ccd10faf4002369094e3b225c252a8

SHA1
f69d8f430abb8bc44fe4cadeaf0c239898b89eee

SHA256
6e9a168bf2034f1c1bd108c63cb03264d4bda6a8b0212687d6da95ba28a935ed

SHA512
0fe574ed593929f81c6b79ba4221b838c3bed82cf50f790932379c63b9fec5ec4ac6d9010749e717bd9d886931266a41e11092dec98eea1a78bb403a6622bffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUAU.exe

Filesize
227KB

MD5
56cdd015f3ab01dc175e12dde46eadae

SHA1
397ac547d74884486422c2a42c611c23300e455e

SHA256
7e01297ab82fea3b4dd06596e48a2b495778e61395a9d19ee120d87fd09657aa

SHA512
71ac7c45aecd36cbeeb9d4bad0dc60718d9f9f339e2fe429936f265b853c8ac089f88d9ca2e23e8f8303e9e56baa54c1c23ffca13d17119fdb5958aff2d732d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NogS.exe

Filesize
204KB

MD5
3e4c58450930f6549483a22abf7ee658

SHA1
d4a69aa15498d9119df3096bdc95367ddaf44a68

SHA256
9fa6a23857ddf3f0a00cdb0af121f06bb9270cf812c9c5f4c248f9fe38509da1

SHA512
a767264ad28ee3b131ca1cc389e6909571fbdbd179730ade39769e18bc4fde3a82a3804cf35b5307140b4692c38029c5cc1fea47067cffcd03ab082dd369cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Noka.exe

Filesize
212KB

MD5
9c178c59a76c3025212b8e9f2683094e

SHA1
2884c29e182dc7faaab3369326c88abd8e1764c2

SHA256
04f160176e5d9b9a58dd820c200e1ed998e24a59b24a0de3a7971057254b5b7f

SHA512
efd0fb9a057345ce43a79f125cbbc194d94109b544469f487d9c190ae3b76c64ae4774782f9576a57eecf6eb769d5a1393172d5b54abe7aa2bb0102d563bd583

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUAkUkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OakQUUUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooow.exe

Filesize
187KB

MD5
11363fc6d4a48c012ad888d6072612f2

SHA1
817d56873926a74d52f5d371e37ce30b82bb05ea

SHA256
a896668d3f8aa947f67b2e5c93ef08d9c6b3de36050346386e3e3e128f9754b0

SHA512
fd489be5394ea4062550944bd089b4c701381e2ff3e25e22ad65159e81550bca8d06c227e73753ddce1eb7b45dd22054e0104abf939d47d39c9a28414426f1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcgY.exe

Filesize
202KB

MD5
0dddf408f1cdb77eaea2162f7b990596

SHA1
ff7adfaf6ddb9e0857e31ed56233fc158104b179

SHA256
5dd7def6ad20a1aaf0cdaec7843d0196b9e962042027d949cc6d5daba4f2409f

SHA512
303a01916e61b5a8544c28863ba49c121033ad2991bdb79c14371ab669c5bddab9f8cf02e7c966a6a6b07cf9df64a59b14c3d240df0a8896ecd29f8b1c0af1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIi.exe

Filesize
204KB

MD5
78230f1ba4fa8a4c09719b556255a38e

SHA1
06fcab7ff76bf17c205cd2e1f8b3f093f9069d60

SHA256
53742b9f2d2c691491ea2d57429b70b598b92dbb9f5b6bb8e9228d752eb3a559

SHA512
dea76f892ee033689177a132792f459c7c0df0cbc839700338a5943c87bd668979b469a9cb2ef48cc0cd284eb743af95547979c40e8b40e50f20573028b6e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIYO.exe

Filesize
195KB

MD5
36f30504b6cc4987d6eb98316f2cb473

SHA1
e774a99af4d8bd14a35caad0c7b13d26348e298f

SHA256
bff7b86ba647c54fcaaff1d5a43c6c33e2463b342b0b2f34c11584657de03611

SHA512
4e69d507b31d2d307624ab126cc6a1e618caebb3b3ee7459a739a69101b9712cb5c10bdf3450897a542af651ee074d10207047c5548185199c095cbcddbcc1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcIW.exe

Filesize
5.9MB

MD5
1a4ebcf8ad5fb2d610ffd2f27d554b89

SHA1
f48c0cafe790f187f4897ba2bc978011fb20874b

SHA256
dd8ed8883553b22e060f6383be25f9dfba419dbfd6ff0e527823054edf604624

SHA512
653ce4dc25b99f7ba35fa88e63836d1a39cad38f1227d6e7e272adf2168e361b5cfb1ee937f87c0c58010804cdac9f557f9338e24642f874ee2980233fa29c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgMY.exe

Filesize
195KB

MD5
87cebec08dca87bf8199e55df8109512

SHA1
0b7d32bff25224a6f0c911505b296a2b1e8888a0

SHA256
04409f6e5321308a91969bf2282bcfbb643606c1ec489d79319518cdd256decd

SHA512
e10ab5a5ae1951686b61f7ed40315913687be02cb2cf249f6adf365e10bf01e06f4f7f009d2fd36eeab0522d9b0f490dd15d79882c3d7ee06d8a82aa8fb71f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsG.exe

Filesize
201KB

MD5
8d3e8f6744d1f88319ef2bad9e753cbd

SHA1
62f8b3976560e8b2d8a05376606a3c65d660a803

SHA256
9265d5a64691d8f9a59f102d4f07d061e433c28511a88dde4abf6a762b78726b

SHA512
639a7531e91a38a5f5b1d9b239b5cb9301b17e1d5a0c04866202b77c8a0330eedf3b31df9efeffc8ba493b9cee21d39086f73187c11705c619a183467aa84505

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQkQ.exe

Filesize
188KB

MD5
f1b16b318c8f9021ebde631040eda1ba

SHA1
dd2c6c422439ccb7b6e3b1d13547da0d8bfa9a54

SHA256
ca5e559a970eeb0ee11eea70b7c118d920593871de30f439d57a8ae51a896471

SHA512
fc997e954cbfe7a0cb9297ff5c9ef8e57fcdbf149279daf6fc15b698cbd4426afccd66042ffea060ae6e4a5173c1fac23bc146b5ea62833b8a1b1aa1c16dfaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUUI.exe

Filesize
203KB

MD5
ce37dafb5a4c22abe70da34e8c170384

SHA1
1c8bdcb88e6dc18ff3749b755aa64f774f886e56

SHA256
0169809e91c2b7b63456f82d80f9d1f3f1c33dc72e0b951a854998e7e83f13ab

SHA512
067720f85192973b68a6ee2b1df1099340889b7e37c144708ad67e00f604acbfe47664b75d784420e57e93e2102bfb503595c869f4a77e0a562aed24c683745f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwMY.exe

Filesize
186KB

MD5
ae8cdbeea36ae4182ec3b122bbd1a6e4

SHA1
79311bc1778ac755571610446688eff621c62e33

SHA256
029994d81ce8dac26a658a9acc0296a5476215ab82471e2aded9419175557563

SHA512
c7736a40f84a278f573342555d162dc5979e14715477b8bd19718c283f82b3e0b296dace9bb749ef727716f8a3fa856ea1c4b87108db654c510ea2985142549e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAAy.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEwK.exe

Filesize
202KB

MD5
c915a1ef25397f5e39253989294e1ba4

SHA1
5cdee80ca939b611d4b667cb8309c800968762b8

SHA256
0c29e116fc944b61b881e5258668b209352356ff8bf909c99bbbbf88d01d8708

SHA512
0be59b7e1a0757f88ccbbc112e00653c88068069de54cf0bfe0ac1a8536917d6ed4044bf289d9b90db63655ed7d1beab6d1f36fa0d3f15759bec0aa594c14fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIQO.exe

Filesize
781KB

MD5
f8adfe9279cf2ec4e878683d84a3f32b

SHA1
acdce4a19fab372db900519a0f595dd886f7b595

SHA256
f998f36fdd5d85da94b138b99c2006b86ae0915a945ad67c68ac3de67ab4dff0

SHA512
f557358524b4fb4dcfcfac9c1619c50758cbaf9ae3444748f744de03b6104fe057539f6ca440a9bc51c7b6889f1b8d5497dd6cc8148a63fcc6c47aeb59e3a3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMEu.exe

Filesize
205KB

MD5
bf671262c8c8a1bd8b57aa8f8e23e049

SHA1
0eaee030b1db9cdc40ac4506d4dc82a2331e4303

SHA256
bb81c47c61fd650e3f06e2d695903f24eac627fe42634ef5e65dcdc70dded310

SHA512
f193b0e6453157581b0dec148447cd5d68845622a0a2417e07b7d0524bf4601439c8ff80a07d164931788e616a7ce299b838886d44f2e4f8832e5347d41d6d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUoG.exe

Filesize
189KB

MD5
0f54b16141d28aa057c97994621f2e3c

SHA1
4cbde3e32f69f552e6c222b6e2649b675452f65d

SHA256
7235c1ff1a89244d3b6412e5a91f28c14486837980217f07f145aa7761e93414

SHA512
b3fde28902576f0f53cdd2411737060f667265d7bf1d88301a23ceb8cbb1afd2081b71963cb84b580186b723286733a42862f26904c291c20ea769633965a1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYoW.exe

Filesize
398KB

MD5
acc5c94ed0016d941cf77795455842f6

SHA1
ca695fc33860e01e815e93b28f7fbdcc426c3016

SHA256
cb11fa8db272dfe697232f7e982d75f7819b455464ca73e52e791b25f0aea22c

SHA512
11ec0af15da7ff4510fa31f035a2e3ae953447799659bd78cc781aa53f761118f0dae5e154e3048e82a97bbcbffdc0638a9fe350297a2c6ec2431d8bfa566766

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYsQ.exe

Filesize
186KB

MD5
61cd3afbb1925a5e185f2101b2b05b55

SHA1
619f0fb0d57f041e882c27ea68ce6bfa976712ba

SHA256
4db859d6e7039552cbdbf5f77697e632d4c9a71dfba5299b5e9f5cbb55dbb793

SHA512
c37688082a452894ac1bf67e65724fd258f38e78e15e1391e411c2770aaa5b83252bb9a73132215d89c70f2cfbacc9358f1463bdf685ce4b74222f6dffcf146f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCgsoIUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQAQ.exe

Filesize
191KB

MD5
da0348c3186a838bf7ff96b6873f87b2

SHA1
db9c5466b12dadd2f278b8a653ce710e119b54ed

SHA256
2731252aa4f8eedf634f25eec6e64bfca811dab66eaeae47d055dd3d7db69d54

SHA512
e7f353b4d2d09999d64ba2879245af509a97043e4c9f2f34eb3750d0a8d2de5f9282d49a1a9b604b7f97cfb3ad0dad1d27c92e2401b778f20267e535245740e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYge.exe

Filesize
856KB

MD5
da39013ef53c1782f4cd73960bc9945b

SHA1
069f8e8e90a91bcb88651a5c5371c7b464516c87

SHA256
54fe2d2609afa4b6fb04fb480f91c7c08b37f7ee4f884af9a85d8e77ae5a95ff

SHA512
8c54d5304945192dd66c1836ee19af099e459ed806422b2df63a8dba3ae35da834e70d6d27ba74d6b7b4d18841ba8c1d2280ce1148f5dcca084919c3d4e7074a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwMk.exe

Filesize
180KB

MD5
dc88a200bb3b241ff7c8390f7762a62c

SHA1
c269e537c36adf3a8ab8151ae639fa8d80628891

SHA256
34923b3781964fbb491520d0b8270b13c6cfbc4511970baf64b8a129d6cea2da

SHA512
f39a46a2e035034f80e4a74a15cbcea7fbdf609dfaf6808b846a890910bd162dbd1426e5c2942dfa4d4b15fa76feb03b6ec82c6f6449bfdf6527e4acde70b6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAMQoMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSkIUAwk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcEw.exe

Filesize
186KB

MD5
98725b8aa0e6e95f94db1ecf1f1fa4d1

SHA1
73014dd9b019912e3dbaa3c0ee2e77ef6cac1e04

SHA256
65c6580dcfbd72364058323cea572598d646fd9f5e49bdd03c157d4aae0aa607

SHA512
84b765ada8c00d4ac8358cb0d19ec2dc3f236bdf0d45b933f96096ba13e54e395594d674fe80522365ef20aa987d4366b661a71c6f803dc8b4eaa0769c2d64a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcAu.exe

Filesize
201KB

MD5
7d8a3b6f7ff9254d9754385ae2d7d13b

SHA1
032f95db8a55beee58903563d9a3fefef0cf4167

SHA256
b739b454b17359a5cbd7810ac83936ec44215bbd7102d592f68ee4a6eaf6d1b8

SHA512
63841607039259a02d346f94b2187f48145911cdfedae199e427f4ac01852568db7ed578483808ef32ee4576f96f84e0145b54413c092abf74eece09b3558aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmkoQMgA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkg.exe

Filesize
208KB

MD5
e3e8682ce57ec6f4bd0099d56d0cbe39

SHA1
cce7fb6b6623e3861fe9371167f745106f7460b0

SHA256
92658d512adcfd8f0a87bc9a56ca254110b4140ae234e412fb93d1aef3e09d49

SHA512
5019d7ed5e178aade61a09847a116afaf4d71795bece1b9028b641c2abe3a035e6becae584210c9666c7c7924e29d21f559ce5da82e6f80a09e17cda82c8102f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEoY.exe

Filesize
198KB

MD5
dd2522d5a35a3b4add002b5aa6178bf7

SHA1
c5333d1f3df9fdb9e9533c92637d49684fc1de5d

SHA256
d6200fa05624b701193859d20e9dcc4e6d6db684689b9e4aaad6627576409657

SHA512
9f7885f38bbe21818fa471de87f9fdf0d17df70c17f42ca20d1c179adda00bafceca6fdd8314b762dbd555ca87413732ac9aac45db76788c0016a96d6211450b

Download Submit
C:\Users\Admin\AppData\Local\Temp\faQAUgUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYa.exe

Filesize
321KB

MD5
e590a3dce2728325a278092f21efffd8

SHA1
53527b7a46d70e54c2105e7abc800578d1ed29f9

SHA256
29c091b125ac429c72e665da7ea45e86db17941b930f69c314e85335b2b86c85

SHA512
57493afbb6c3b0b3b70c5d6607abef3518fb4e75983baa6639accd85029427a02613942a583fa690f3a122673c31eb723e7cab1377f90ee8230fd081126841ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\feswQcAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gowQ.exe

Filesize
830KB

MD5
e15faf6f28e5127685b11fd8a628288e

SHA1
854680c27345394cef013cd20834d1732ef81ed2

SHA256
162f6bb5daf68044d0c56be0cdbbd11bab0a6ca1c114464c626b1a119d6ba1e7

SHA512
f6cd44ed47b46d0d44eb45ec85c3479bf404ae99e72f4f760dee05a076eb2a636d71108d27d0a831423c9ff6b95d130b721bbf9844828e110617a9c75700a982

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYMM.exe

Filesize
186KB

MD5
be10268f39399745152da5d80a225e59

SHA1
15d28bd0ac6d6663e7327206010f1bbba6402413

SHA256
f10c44586e4ee35eee2096514b0d063cfda6eee8d20dea64659601a796a1089b

SHA512
ead5b2d9d2fcc1d1acad64494797b3acfcd6522d51678c84ac273e6af465154d45341d960c2c9068814eca27b8467d521c1585c143b35c942b8d804647e592dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAko.exe

Filesize
567KB

MD5
65f30af3d8317a144298b7e664bbea70

SHA1
cf96137ad083efc5a4cae267decc4d1c5390ef33

SHA256
5860c4fd8eed7fd539dad3271d4b7623302f422b5490a2d2cf84c1c8839a7845

SHA512
bace5a025b10990469b44d1b56e84f5968f68de1a7e60e11e17a9e95de81f345f3676adf4ffddc981c8461c402a0e2caca7a82f4c722f729015fc6048f74dc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\iakgoAgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQMoEEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYO.exe

Filesize
194KB

MD5
641bf00ae7aca7b6ba4849f07f1b2b9d

SHA1
cc0b0f135a87aa680f79f04043694f7b38e60fdb

SHA256
c4488aaff888c018399ae2c1a777e26f8ad4de7648051d18f443fab6d75e88aa

SHA512
c05f280536245c7ca06272a5f00edade38352bd7fff3ed17c0e6f0acf2af93bb8d7e61c7be36439ec3c7f4aaae23b23bc76cdca384183b91445037347573bf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAka.exe

Filesize
195KB

MD5
17ba3dbcc35897d1dc7dc1378cc892cd

SHA1
2d41cfdc0077d2245d4f586531cb7cc7d41fd074

SHA256
79a384da7ef59f0891705e6f1dc8aa6d35392324b87011f9bd095c1be4946861

SHA512
09867dd41d1d57146697691659faa756224cf69b84f28a630e715ee8bb61c3707988126353577d37d96a87ba69db3b86e2885578167ff6b850c4028354215526

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMQU.exe

Filesize
781KB

MD5
f7058fd9dd63744c4999ac560bce671b

SHA1
f1e2f40c357ae67f9c00e0b211bedecd6fd48db2

SHA256
59e6946835b1d575921c9d4cdaf1befdc6f35287c21fda1768e6664f2320de1b

SHA512
3493bd78c62f88166b7bb383d83fd26e7dca21578748cb8d14fda6ab1f6cdfe818716e2540b9f0b3c6e9748693ab3f73b0f662fe339fd5a596c17a4dd1bbb8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQEc.exe

Filesize
825KB

MD5
4741d4b0919d2c233a7d7bea31012eb1

SHA1
da3600c6de6ff713893d7a4dce5c0c36bcdfef79

SHA256
0b397f413a39ce81e5af1e4657775a1ebed29e67326448f9b9cfed10142938d7

SHA512
fb609cb9b6439585f657eb66d40627a91304c89a1c5347fd77075fda29b4c7f07ba9b312cd3f33fcff91237f61afc9080cf8f6fc20b82a40eade1569e9e7b210

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYAe.exe

Filesize
188KB

MD5
48f9b55e4a0f48ce14c055875b6ae069

SHA1
ba99a08690bc6fffac41612312b6a0a7494f769b

SHA256
1b5657b285ad89268109b87ded059929b1b6afb50d1000159860677ea5be260b

SHA512
1fa0a22124d3a2cbf801aff533000847bb1044cd01d59c186191866346c9bd9be92fd5132bdc8b60b0bb34558cb3493ab77a87c2f9f6d12d27f50f8ffa84e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcQC.exe

Filesize
199KB

MD5
00603152843c590cc2097696ce07e462

SHA1
6db3b3637daf982a762e948f1069416196d8e172

SHA256
acbb21f2420c1181418b75761388c828eb663315aa3aaddb5912d41a5a0aa8d7

SHA512
f836da5ce554f2b2f7d2fe7054a88a71b056c6b184b9c14f0972f55e9733b8f5e12fad33e233c1f5719b0eeb0600e74f509f729a7fa4cc249c934e6d3f2e15d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\joca.exe

Filesize
660KB

MD5
edfb223d2ce06453a35eda7c40b8d243

SHA1
c8d9f25ad7b9c805ca23fd2e1dc382fc3f2212fe

SHA256
e4c11764785f22e8e7ad65fb8d57c8d4436205ce4858cd2551503b19f4cb3eb2

SHA512
338b789227675347d3f47ea4238fcb6e062e8c938d12d24b03f0e385b24b27ceae027df61f2b36a9965d2620fae2aafaac48a2573a5e8625a2c1cc2e6f18b260

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIws.exe

Filesize
611KB

MD5
b15c9ac813bc38ce6808c81b1a9f90a5

SHA1
c57e6fb17185542225e7c0d18fb6e55c6375c985

SHA256
62f5b806c7c81dc771124e08a9a62d818ff85cb1d6d1a818c335ff24ffe26a32

SHA512
4074dd99a40e1f78110742f7adde2077ad216942e66d58264f15d30ce0de6372d4020115c1de26356109412d86c5224a6946c322a5c12908ce16de7db28ee382

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUEY.exe

Filesize
224KB

MD5
b681462dae1242d505d1765ea975059f

SHA1
fe2d5f64202a9025088e4e1ef8a13d7018e245c0

SHA256
afbeed82429ceaabc044fa1f737d2006a4e6b82394050aa6ece551c4fb2f1c5d

SHA512
3373f4b419f9c513bff63fc88c9bcf2e24ebeb2e40ae5375a292776640f899aed94b0191af182d82a30b1d836856431c426699d01118c8615396a384c83ebbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksUW.exe

Filesize
950KB

MD5
75ced350ea6ab3967e71435aaad78e95

SHA1
6a1645fb5a8037ca7313e060d28a121f33767124

SHA256
c6350fef072f80529fcef925bc46d5583337c8be37023d2325d54d7eac07bb89

SHA512
f57969aace7abd6fd7f3c6edaf1da66255b5f6fbfa45397361375a8485cd66f00f8daf5d04fb1ad91dd63f9c6afbd5da5469e5e9f51fa48e394dfe6db4b206b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAcA.exe

Filesize
196KB

MD5
6cf3e66f245a98240b385acde280fdaf

SHA1
26acc884f973bd6f00b43065d1f40388f1973dc6

SHA256
d7759f2ca60bc287b7a320fff081fd91edf75a9ec1d8e1392a8f03c9404505c5

SHA512
79b0cc5bb168a42cfbdcc98e1722759adc6823d989daba468debe75432c19a5f5b0e749da047c7769d8718c4b57c59b23d9cfd15c114a1b1e48a383cb6e539ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKcAIcgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKcAIcgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\locA.exe

Filesize
216KB

MD5
f51aff433957c882fb7cc389f7c4d90c

SHA1
72bc608068d50b83a42ee1b1a9aea4a8cda6e5db

SHA256
f0a3b7672fb143d579ba0fd86b5533325f8937b76736119cd7c0a1cb14f68920

SHA512
96f0f681bac9fba44eb701f584dbec920f3c8171fce2d463c740b7d6011d988e5026f48b0a9107122f9822c84aba9bba01a2e93e063e8ac0791bd459786ffdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMgQIkcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQYG.exe

Filesize
196KB

MD5
eb12858af51b853167c21628bc2ae34a

SHA1
a03a42d7011d0d5f8b47cd495341528fc071a30a

SHA256
5afe8e22fc78ac6a2bb95e184966678cfcb3d53d4be5567589e853f44dfbf9bd

SHA512
1ac6928a01898cf9f7da7cced1d92c89b0e10ee8617350dc74b234615b63244e7d4db170b228b2727b84cdcfdd6428b974a5057fb8f6f4afbd4f3b23d044ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsg.exe

Filesize
199KB

MD5
0f7922dcd7d68516fcd12bee96c5e52b

SHA1
716499a143d81cfdccce6163d1d29923c645ac20

SHA256
f9adab3f4b5c3cb1e3cae454e8d9257e57b5b3fa2fa4378f57820e513e68afbc

SHA512
b0e6ae3e980f973f8cfbe5a821b7e6d87ba74b78f587a6f43b3a27c41b1d22ae50544c72cff6c29d1cb756b03fcabb2ffea7fa5ea904f03c454bd3f3a233f93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkQa.exe

Filesize
188KB

MD5
12d9ace68cc728f1987c107f461a0367

SHA1
faad83efe16a0401d3ccc2b9c58e3128109b0c64

SHA256
40b4da0455602e44911815dac8ccfef7d95aa79d9bcce71d56ce5acfb2631c72

SHA512
3b216ff893d693301ccaa8154c105f33f653a04f43d9caf0c5c2bfd4df22d7fecf04eee523cf3c6229793023240649396c8f1a2f253327c55eca4143cfd88c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngAU.exe

Filesize
214KB

MD5
296dd035a2b94b6ef7c64ea87bcf4830

SHA1
573017033a3c4764bd25a6e7df703ca75b739bbc

SHA256
437f8f775c405ce7dc9c9863cc3d87d7bdc92664be51b8a1f60a3e8e6296bf09

SHA512
585580625930e304287b345b126a35cfe472789c89c11d20b86ff89bc99a2d757566c96b283ea7f23be9a55348271e502aa5c68be5f21223ef5b3947fe794500

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwoe.exe

Filesize
1.8MB

MD5
99fbb37708d2aaa8936d2129adf93aff

SHA1
e694e225f2b52e4a21f728725d1afca63b78381a

SHA256
45fd0590cd067b04f3fda1ee0dfab37ac0edc7bb5043f24621a5be14276eba7c

SHA512
fac84f14271f21fdc3edc553de9a8505afb2243ac3370f8dae01869a6c3048d7672738384f0d71c8c8c9fd3d55b9295e894cd449619c6b9eff4e290c08c2e09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsc.exe

Filesize
201KB

MD5
440dca876e92f8c2078b7c54d5e0c972

SHA1
79b556a0b8ff50601f205faaaa7ef189fe3f9de9

SHA256
febc2a07ce537dcdd5c7f32edf5b8911832927e807d159e26538186697f6bd53

SHA512
c329500a7401fc9134ac224f05d11795f319b4824d53d6380bb33b7c14aed567f0e680a4a2d21bb66e3e9d4addde51ae9cf00e72ac4ac906d8421f3c3d5d866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\okYm.exe

Filesize
517KB

MD5
4ff4feb2d8ae5a590cdf92760c630561

SHA1
9167d120a85589a8d0591177a836ad06ca2ff3d5

SHA256
a6b4f1770df5875556ae0464891d550dfed3efb1430520bbeb59bc6531eb753c

SHA512
c6be4132869000e265e246696baf3d17946ae80b47dfff429b18c54a646a8183e33a7fd476c2dc7575d084c99aceb6238200e075e4db4088de972f1c73379ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIAY.exe

Filesize
192KB

MD5
a8646c6fdf8166ea07a837645bc6362d

SHA1
f07faf89df3668df633463c77f3dd4acf0b39d43

SHA256
75751fc25b7969bdce040e2efed2e993ba44714a21b85e7b83453f1b83c03b28

SHA512
f9a93874ea566ac5b113218c465cea938f9c7249a097fde8078f3c557d0fb3691ae0dde3fe9d36183fc0b9fbe97ffdb6be11ef50846fc6fbaa005ec166492ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\poYa.exe

Filesize
205KB

MD5
93836ce6a30c256cd8d9c539395cb3a1

SHA1
bb829f46489cc1f4bfca759f27f6d3f123adb5f0

SHA256
2db8a69a34a2cb88c51292758df36967ccbdd6607f0932016351be171292715a

SHA512
7ce5594035eb4ec0f72f322e4f784b1a8bb73a0b5c167b304e052a000567def9e17e240e3fede360acb1015e8f2bf014cda9359a49a7b9373f92aa192ec353e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pooS.exe

Filesize
200KB

MD5
972a23e3c2d71f652832a0ac00e33d5d

SHA1
3bc1915832fcd91325176ff06f0b4e607299e6e1

SHA256
1cf6e9219cb993aa704617cd9fd8e9def7fd29a3aa588dc4109438c0b1882799

SHA512
bc6d201553c1f878ea911bc58b0c3a4c363bc2edc81865919adf9bad384b11d63fc2f2b280828b6ba43c42f162db2a9a099eaebad23d5f8a114ac96c4db5b3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkkI.exe

Filesize
231KB

MD5
b5c4c84e0cc9297cdd6e5d3926194f77

SHA1
fd6d0afbd62596484aa3ab64e152611abddebb98

SHA256
ca75228eb60faa7a90186d1ac48214516947a371a90cd5db1ee0f5329e3eb225

SHA512
41124cfe359eb3325fa1a03ca34fbb81b89393dc60ae83dc7916c8ccd5336332b9a65701e11b2ecc6416de7a85dad584570f891d3d450e02f7c43ad8f56380a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEsM.exe

Filesize
194KB

MD5
476fbacb1ebe00fda2e1dd97986e20df

SHA1
21fef4e121b1b5a789bef82bdabfa5d030092f4e

SHA256
6022f5bba641dd6eef6cc279e2383e5c7fe174533fda8621bf36269cbed64fc2

SHA512
b9e86f2d9efa94947b6e5dc1deadd7f0bcb00ed4df286c57aeb17a976dcd0b1af26a9ea26cf02643a7cb1f233d23a44cc67c7550fef985361811f920ba2d8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcYC.exe

Filesize
199KB

MD5
e1703d86aeb8784e9961ba9d88890ec1

SHA1
8284cd58538a51981ea1ff9d28b075db737824a7

SHA256
aff856d7827f740bba7cde6c5a02945a4c851a474f183eacf4e5b193c70a2b9a

SHA512
3641bc8f9a9b7fc1f741fd010f4bd4279e64f5434f574b9c53d349ea28430e642cc245123bf58b14a19d179677078fb3e2e1faa8e3164f381d5785cb204c56b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\seoIEkAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgAQ.exe

Filesize
637KB

MD5
8c0c80fe16c8ca8cfec40eccb1471b96

SHA1
df47115ff2671f08e92e59b4265ab69bfd59e5e4

SHA256
7183e155459fd62e01fc5d3f76c5e7863c377294c229b1927767adcfd12bf6fb

SHA512
9ecc3ac94995d20e6da93aa56912a3148a2e1542705e8c1fd4703cb65de75f8dcc6c24f01da87bcb07bfad89532f3c99eecb942b6f6ac53d84da8e2db090a273

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAO.exe

Filesize
227KB

MD5
50ba9fe0538816651d20ab36f85ff08c

SHA1
85fcf9e33a3b2dec33a703dff56be0ed41f4aa76

SHA256
812168830eb292d0707f01bb71e90371a78eb6587a3fb470e79e103f06c53320

SHA512
535b4386c85365420c82afcb854472c89fd37926e137099d8665f4402c1671612c32bf577e5757d5b7eb93efc4541280527f451b3549c3d9007c90c389aa3f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIsG.exe

Filesize
201KB

MD5
6df0b92a6c9ecfc54684407416af3379

SHA1
179657f2401b2f34ed13661e14296344b3ec5e14

SHA256
7dce61e23ef75535e3b6465386dc49433f26d7a9c3c1d051aff81213fd066623

SHA512
c5a4dc13e3eccb980766d4d1c6a9664a8953b7e84b1d0f87018ba13ea7c6b9334f9b55e1093c12bc58e3e1d36eac267491f9e73a30d52397fa084512dab3f4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYky.exe

Filesize
5.9MB

MD5
8e9c6f4d0c816514dfe9bd3b9bbe27da

SHA1
21868c4c7bbadd8e7adb94116e81ae988034392a

SHA256
240d96303db6796801f2ddf7b21bebc05432d569c8dd8fd72361602b870a7827

SHA512
f8a5c12177fe7ef526fdef7e6fc7948f2cd700a5fa8d677a1fa3a1caa663a3e36a09ceb965a61b4e02673a52f721ac09d9b72ff6574af3bce522fdaaa14bed86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucok.exe

Filesize
201KB

MD5
0c0ca3cabe62880d1f8fda7427c476ba

SHA1
43fc83e7adfcd41ba79c682d5ee2da4d7494c28c

SHA256
85f87f70e796237cba73e08a4fe38dccbe7abf4a45f7bd839955afaf76beef06

SHA512
ded46ea4c5b0cff019d4d422f7c53cc8203a0ccf96b79560ef70a0a7e747e4873d33f7af87f0994fa4943eab18693f28b2c44548be094551e7d1d286ee2647a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYk.exe

Filesize
185KB

MD5
3136ac3a15ef4bc52f0aa9fd1b3f9dcd

SHA1
f733cf3e2629e5301484623bdf23f895674d837c

SHA256
37cdd60d46ec3fd450aa02270dfae4a02106236bf236c4fcc036f0fb351b6448

SHA512
7a9b13c5eff6bfcaa544294de7d496990b0f649163750097282ed64913963db87d52e8dba1181127e6ae62f78a8d988f985cacb401e2a64f7271385c1dd38fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAAk.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUUw.exe

Filesize
230KB

MD5
36542a70cfdbb5d1e76b4a1eda47d6ad

SHA1
1f2836fffe8f1426f5a686a2ca3da47e5530270c

SHA256
85d56d5bf866b8307ffabe8907a826c0c8fc3f416102b764bf1b5e8f16e5df56

SHA512
4d96b755a9dc9c98204125a4c0a47cb19bd654692cf2bf768b90cd1a319f2d0d1cd775cbb1a811ff7e5cbf6c001aa41f53e73d92a196e615bd25ac079abf1a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmMkwEEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYgy.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwosscQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwm.exe

Filesize
5.2MB

MD5
4c0dab45d20e23c69fe0ca18c34c7dc0

SHA1
53d598bf6f20b212c5e5ed9b647fa6ee399924f4

SHA256
f1d53aec9be7f55db72a87a6e03bd4ec9007402ba9aff28eb29aff8e24a0ab18

SHA512
3bfe8b87d1eee8cbe9afba7d63cd7f5e36ca060dc351cc9b6bf71480277d7172a8984382845261ff48d32647a3ced9ecda0d49349b18c5b338a65fcb1a4bc9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYMK.exe

Filesize
200KB

MD5
034ee82c449112a8f164a96286735e13

SHA1
9094778a5d1cbe6e0e417817cd21d76287425c82

SHA256
41fd1862af5deaa3206bf16e087c28dbfc8a3d9ea3a11111ed6fa450b1d872db

SHA512
76fe950dcc8bee6f557ec15e16ae135285f7265c524cbf10bc1d867b0454f73431f4d8b5b1ab5c7f08e4375016a48fd57ee1311765144ec64e651a365728e761

Download Submit
C:\Users\Admin\Pictures\InvokeRegister.gif.exe

Filesize
1010KB

MD5
93f9b930dd9dd8f70cac78cf1a70b0d5

SHA1
8de5f3944f8141b2ef4e43d5fc1987c0a5f8f3d8

SHA256
727c8ec871708a3c8843a832d8139e4195403d76d2458a008a1b42e733924547

SHA512
b4f226489a5a281fc193a30f0095a619602778e1fc4002e048182d2edb40f3e84a57241da77b8787427dc13a3c3789ae73ae736ff104fa31933f5b33d8fd8afb

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.exe

Filesize
182KB

MD5
b6c6aba5e6ca97f2314d40bf55b9f0c1

SHA1
804ca17c10c2dc4a21920ae2f5a66eaa4a885c1b

SHA256
ce90776c76f288d857d6b6a65826faf0311915dba58012dc18debe2710c21008

SHA512
83fa2df0ca1dec7fc422e44870770e019ce272daec12236fb61a03d232c062d36a798bee81d9c29a57fc0879d044a73220f8a5704057531985ef676cba74cc90

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.exe

Filesize
182KB

MD5
b6c6aba5e6ca97f2314d40bf55b9f0c1

SHA1
804ca17c10c2dc4a21920ae2f5a66eaa4a885c1b

SHA256
ce90776c76f288d857d6b6a65826faf0311915dba58012dc18debe2710c21008

SHA512
83fa2df0ca1dec7fc422e44870770e019ce272daec12236fb61a03d232c062d36a798bee81d9c29a57fc0879d044a73220f8a5704057531985ef676cba74cc90

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
9606926fbf874cb9e1c71290c9b21e1c

SHA1
99d624e77341b4abd33c8f1315fb67c8aae68ff8

SHA256
9001921078bb16b5cb2d76e69bad76a226d32a0596d002b34f6619a1540228ef

SHA512
dd9577c2611878e68e644eed945ce3b199ef3b67ebafa9c6e4842d8a1ec072c65628bd0dfb04012e3d9517710b1fc465ec2313c0c442427c649ae13ee6f21689

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
a91f3d527c7f7b5b9eecbcd97da6abc1

SHA1
e8377f29d0c47e7f3d62668bb8e6204e91cea89e

SHA256
d6b34787642dbe4634211074d432b78373e7c77f5870f619cadb3b0acb9b3179

SHA512
4d3ae6411b9c45052d78acddd678ee554f75b29be7ba22cc5ddb644261579448d974749fc947b8faa3b6dae84e95d51cbe1dc7efa2dc00aa777b7278096ef036

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
2ba729c7be7d682622ef55334e4cf0d8

SHA1
1b8cfea9cbb8a49d52e2f0f2c588df5853f9b91c

SHA256
f7cdf3e64a4b2707cedf866239dc75535e9621f400a8a8219de4b1a2d3d57bfc

SHA512
51f89d1ebebbf47a4a2d8548340acab0469a18545de48acbbf22628c5efb537956007b9d009c0bbae8ba88a21eaf4c5de38401b35da09183dee86622556efc6e

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
269921dec930caa2395ea1a2298107f0

SHA1
62959041574d356084d9c8a554839e5017ee7b33

SHA256
85d86e5d867ea823916378993cfcdd39d4c1a93e00e1c3fa5781acaa9c2fe1ad

SHA512
702e1d4c270021e3535c5a3a7e09ea57ebf7839767310a0efa39599b209150b539ad1cd1f8ef7aa122f214517a2c4b4a8c6d4b15bec1cb52b7002f4d6e5228a5

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
c944baee92db822db28c41e149521762

SHA1
8415a52e8c17779be0c373848b086fa1bae73821

SHA256
e423cc55a9c47fd27bd988c6b0b4a0b0a447488385c4f5f2d00cdcb5bcb78302

SHA512
0e0730c9019ef26bd1d5bfd4702e0191351e530cb97a5a41276594c0fda8d7d35fc6746abfc2024a9878fdce538c13530e162de7d5af1213db1f0800c6ce6942

Download Submit
C:\Users\Admin\hkcwoIsc\QMAsEYMc.inf

Filesize
4B

MD5
ec07388755e94d9a1b672f7db33e1224

SHA1
db274b2af69606d8645e2145d049e7f433066e77

SHA256
78640a826da77c3f6c10ef56b6eb2bb57fe3241447dca362a2ed2db56abf6e30

SHA512
974c0cc102a71fdb6aea85b1d48f0aea0fb687dceabe5882dc7c81f81751be6feed1d7aba6936f918cbe79b72832e4d6e2f533252a95ef0086505b2a79a24800

Download Submit
memory/220-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-726-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-779-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download