e9f33cd4bdd542df884433d873157ad9903f3e45d80f0e476932444e2edf97c9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Size

203KB
MD5

9d3d901efd656fc8cee365a2f1ca34d0
SHA1

a13cc5be83a250fc852fa8bae3011e6ed6be3458
SHA256

e9f33cd4bdd542df884433d873157ad9903f3e45d80f0e476932444e2edf97c9
SHA512

8bbac5cb420956e14d34cbc74cc38f1a512e0f1980830192acfd6ed390d29637d45931ef65d52d6a2c0daaabffdd73fc2c4f2eb3f1d6a7661838db1f4aa529fe
SSDEEP

3072:D2d5XM6CmZVUvSajsMBdbTSZ0U3ouKGYEVEeBP15fmXnYmPp8bjBp:4a6NVXAdb2ZUUOSP7mXh2bjBp

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	usIcQoMs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
3312	GaEQcwMQ.exe
812	TsQgUMow.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GaEQcwMQ.exe = "C:\\Users\\Admin\\NMosUkEA\\GaEQcwMQ.exe"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TsQgUMow.exe = "C:\\ProgramData\\CKYsEEoo\\TsQgUMow.exe"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GaEQcwMQ.exe = "C:\\Users\\Admin\\NMosUkEA\\GaEQcwMQ.exe"	GaEQcwMQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TsQgUMow.exe = "C:\\ProgramData\\CKYsEEoo\\TsQgUMow.exe"	TsQgUMow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usIcQoMs.exe = "C:\\Users\\Admin\\omUEwckI\\usIcQoMs.exe"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sycoskgM.exe = "C:\\ProgramData\\UaYEAgks\\sycoskgM.exe"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	GaEQcwMQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	GaEQcwMQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3556	2000	WerFault.exe	1136
1156	4476	WerFault.exe	1138

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2980	reg.exe
4888	reg.exe
2868	reg.exe
2292	reg.exe
2932	reg.exe
544	reg.exe
1932	reg.exe
544	reg.exe
676	reg.exe
1956	reg.exe
3448	reg.exe
2536	reg.exe
4720	reg.exe
4388	reg.exe
2292	reg.exe
2152	reg.exe
1004	reg.exe
3400	reg.exe
3120	reg.exe
1948	reg.exe
2828	reg.exe
4780	reg.exe
3352	reg.exe
4160	reg.exe
5036	reg.exe
3844	reg.exe
1900	reg.exe
2336	reg.exe
4776	reg.exe
1712	reg.exe
3044	reg.exe
5040	reg.exe
4352	reg.exe
2276	reg.exe
3872	reg.exe
4176	reg.exe
636	reg.exe
3400	reg.exe
2812	reg.exe
396	reg.exe
1308	reg.exe
680	reg.exe
4024	reg.exe
4688	reg.exe
5056	reg.exe
2980	reg.exe
5072	reg.exe
1152	reg.exe
1384	reg.exe
3920	reg.exe
3092	reg.exe
1948	reg.exe
4580	reg.exe
4244	reg.exe
4400	reg.exe
4752	reg.exe
4204	reg.exe
3980	reg.exe
2800	reg.exe
2072	reg.exe
1712	reg.exe
4284	reg.exe
2032	reg.exe
1888	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3228	reg.exe
3228	reg.exe
3228	reg.exe
3228	reg.exe
4456	reg.exe
4456	reg.exe
4456	reg.exe
4456	reg.exe
3004	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3004	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3004	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3004	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4584	Conhost.exe
4584	Conhost.exe
4584	Conhost.exe
4584	Conhost.exe
3968	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3968	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3968	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3968	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2768	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2768	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2768	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2768	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1096	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1096	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1096	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1096	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
3500	cscript.exe
3500	cscript.exe
3500	cscript.exe
3500	cscript.exe
2576	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2576	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2576	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
2576	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4752	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4752	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4752	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4752	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4788	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4788	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4788	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
4788	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1616	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1616	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1616	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
1616	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3312	GaEQcwMQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe
3312	GaEQcwMQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 3312	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	81
PID 2628 wrote to memory of 3312	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	81
PID 2628 wrote to memory of 3312	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	81
PID 2628 wrote to memory of 812	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	82
PID 2628 wrote to memory of 812	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	82
PID 2628 wrote to memory of 812	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	82
PID 2628 wrote to memory of 3772	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	83
PID 2628 wrote to memory of 3772	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	83
PID 2628 wrote to memory of 3772	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	83
PID 2628 wrote to memory of 264	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	92
PID 2628 wrote to memory of 264	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	92
PID 2628 wrote to memory of 264	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	92
PID 2628 wrote to memory of 1304	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	87
PID 2628 wrote to memory of 1304	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	87
PID 2628 wrote to memory of 1304	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	87
PID 2628 wrote to memory of 636	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	85
PID 2628 wrote to memory of 636	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	85
PID 2628 wrote to memory of 636	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	85
PID 2628 wrote to memory of 2076	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	86
PID 2628 wrote to memory of 2076	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	86
PID 2628 wrote to memory of 2076	2628	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	86
PID 3772 wrote to memory of 4756	3772	cmd.exe	93
PID 3772 wrote to memory of 4756	3772	cmd.exe	93
PID 3772 wrote to memory of 4756	3772	cmd.exe	93
PID 2076 wrote to memory of 1008	2076	cmd.exe	94
PID 2076 wrote to memory of 1008	2076	cmd.exe	94
PID 2076 wrote to memory of 1008	2076	cmd.exe	94
PID 4756 wrote to memory of 3716	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	95
PID 4756 wrote to memory of 3716	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	95
PID 4756 wrote to memory of 3716	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	95
PID 4756 wrote to memory of 3172	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	97
PID 4756 wrote to memory of 3172	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	97
PID 4756 wrote to memory of 3172	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	97
PID 4756 wrote to memory of 4212	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	98
PID 4756 wrote to memory of 4212	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	98
PID 4756 wrote to memory of 4212	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	98
PID 4756 wrote to memory of 1160	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	99
PID 4756 wrote to memory of 1160	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	99
PID 4756 wrote to memory of 1160	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	99
PID 4756 wrote to memory of 3316	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	100
PID 4756 wrote to memory of 3316	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	100
PID 4756 wrote to memory of 3316	4756	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	100
PID 3716 wrote to memory of 2272	3716	cmd.exe	105
PID 3716 wrote to memory of 2272	3716	cmd.exe	105
PID 3716 wrote to memory of 2272	3716	cmd.exe	105
PID 3316 wrote to memory of 1196	3316	cmd.exe	106
PID 3316 wrote to memory of 1196	3316	cmd.exe	106
PID 3316 wrote to memory of 1196	3316	cmd.exe	106
PID 2272 wrote to memory of 1132	2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	108
PID 2272 wrote to memory of 1132	2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	108
PID 2272 wrote to memory of 1132	2272	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe	108
PID 1132 wrote to memory of 3228	1132	cmd.exe	110
PID 1132 wrote to memory of 3228	1132	cmd.exe	110
PID 1132 wrote to memory of 3228	1132	cmd.exe	110
PID 2272 wrote to memory of 4328	2272	reg.exe	117
PID 2272 wrote to memory of 4328	2272	reg.exe	117
PID 2272 wrote to memory of 4328	2272	reg.exe	117
PID 2272 wrote to memory of 5096	2272	reg.exe	116
PID 2272 wrote to memory of 5096	2272	reg.exe	116
PID 2272 wrote to memory of 5096	2272	reg.exe	116
PID 2272 wrote to memory of 3536	2272	reg.exe	115
PID 2272 wrote to memory of 3536	2272	reg.exe	115
PID 2272 wrote to memory of 3536	2272	reg.exe	115
PID 2272 wrote to memory of 1800	2272	reg.exe	111

System policy modification 1 TTPs 26 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\NMosUkEA\GaEQcwMQ.exe
  "C:\Users\Admin\NMosUkEA\GaEQcwMQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3312
- C:\ProgramData\CKYsEEoo\TsQgUMow.exe
  "C:\ProgramData\CKYsEEoo\TsQgUMow.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        7⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        8⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        9⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        10⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        12⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        13⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        14⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        16⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        18⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        20⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        21⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        22⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        24⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        26⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        28⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        29⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        30⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        32⤵
        System policy modification
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        33⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        34⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        35⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        36⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        37⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        38⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        39⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        40⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        41⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        43⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        44⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        45⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        46⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        47⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        48⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        49⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        50⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        51⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        52⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        53⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        54⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        55⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        56⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        57⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        58⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        59⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        60⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        61⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        62⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        63⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        64⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        65⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        66⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        67⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        68⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        69⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        70⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        71⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        72⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        73⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        74⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        UAC bypass
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        75⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        76⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        77⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        78⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        80⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        81⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        82⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        83⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        84⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        85⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        86⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        87⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        88⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        89⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        90⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        91⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        92⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        93⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        94⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        95⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        96⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        97⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        98⤵
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        99⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        100⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        101⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        102⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        103⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        104⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        105⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        106⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        107⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        108⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        109⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        110⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        111⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        112⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        113⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        114⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        115⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        116⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        117⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        118⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        119⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        120⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        121⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        122⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        123⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        124⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        125⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        126⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        127⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        128⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        129⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        130⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        131⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        132⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        133⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        134⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        135⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        136⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        137⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        138⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        139⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        140⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        141⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        142⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        143⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        144⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        145⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        146⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        147⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        148⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        149⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        150⤵
        
        PID:3768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        151⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        152⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        153⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        154⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        155⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        156⤵
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        157⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        158⤵
        
        PID:676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        159⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        160⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        161⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        162⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        163⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        164⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        165⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        166⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        167⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        168⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        169⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        170⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        171⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        172⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        173⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        174⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        175⤵
        UAC bypass
        Adds Run key to start application
        System policy modification
        
        PID:4204
        
        C:\Users\Admin\omUEwckI\usIcQoMs.exe
        
        "C:\Users\Admin\omUEwckI\usIcQoMs.exe"
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 220
        177⤵
        Modifies visibility of file extensions in Explorer
        Program crash
        
        PID:3556
        
        C:\ProgramData\UaYEAgks\sycoskgM.exe
        
        "C:\ProgramData\UaYEAgks\sycoskgM.exe"
        176⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 224
        177⤵
        Program crash
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        176⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        177⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        178⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        179⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        180⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        181⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        182⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        183⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        184⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        185⤵
        UAC bypass
        System policy modification
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        186⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        187⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        188⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        189⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        190⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        191⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        192⤵
        UAC bypass
        System policy modification
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        193⤵
        System policy modification
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        194⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        UAC bypass
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        195⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        197⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        198⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        199⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        200⤵
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC
        201⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC"
        202⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TocAMkMY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        202⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCQkwYYk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        200⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKIkggAM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        198⤵
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcEYsAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        196⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQcUgoA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        194⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        UAC bypass
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkgMMwkk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        192⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        UAC bypass
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqUEwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        190⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUwgIoY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        188⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWwgUUUM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        186⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOkwIsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        184⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSAkkkQE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        182⤵
        UAC bypass
        System policy modification
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCwUwgEU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWQYkYoA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        178⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcAAEscE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        176⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAMsQIoM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        174⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcYsgEEE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        172⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKsYUcYM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        170⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        System policy modification
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIYcgQQM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        168⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEoUoMow.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        166⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOIUIckA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        164⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XugUAocc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        162⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        UAC bypass
        System policy modification
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgkookQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        160⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCYkMgUw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        158⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaMsEcAI.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        156⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYccMQM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        154⤵
        
        PID:776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeAMIwcc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        152⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fewEIUUg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        150⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMQQscQM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        148⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nksQgoMw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        146⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUQscgos.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        144⤵
        System policy modification
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAcAQQsY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        142⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMYMIcYk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        140⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGcMckkQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        138⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyogIEwY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        136⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAgAswoU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        134⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCAYUAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        132⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaMQooIg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        130⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\locEMwIE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        128⤵
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMoAIYk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        126⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymQMAAYU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        124⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGsIQcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        122⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JawcwcUk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        120⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsEgQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        118⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyYwUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        116⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqEwgkAU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        114⤵
        UAC bypass
        System policy modification
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOgcwIMI.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        112⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSYsIMgk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        110⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        UAC bypass
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwAUIYYY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        108⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMcocEgY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        106⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGEIYEAo.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        104⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEUAAIQM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        102⤵
        System policy modification
        
        PID:3192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGYEQIcc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        100⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmMgYssk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        98⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQwYkcoU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        96⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsEwUoEw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        94⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUMUEQww.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        92⤵
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEAkccwA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        90⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiIIYgQA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        88⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqcIgkEg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        86⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmocEMwc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        84⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWYQQQwE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        82⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmcQAMoA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        80⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMkcMYEg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        78⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEkEcIUM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        76⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agQUgcss.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        74⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaMscEgM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        72⤵
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSkMgYsw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        70⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKwwosEU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        68⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HycEUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        66⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMIwgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        64⤵
        
        PID:792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmcgEskM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        62⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkwYUcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        60⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUgMIUo.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        58⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeUkkEEA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        56⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NacgoIUA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        54⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwcwIoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        52⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWgEoEQY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        50⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYwswcIA.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        48⤵
        UAC bypass
        System policy modification
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayAccMEk.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        46⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQIEIcow.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        44⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyUgQAwY.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        42⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkAscUkI.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        40⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ockUYIMs.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        38⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywsQYEEI.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        36⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcwIoAwg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        34⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usEAEgEs.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        32⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgEgQMQE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        30⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOkowIow.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        28⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIQwwAkw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        26⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYAEAssE.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        24⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcYQUAEo.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        22⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQMEkYc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        20⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGgcoYEU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        18⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMsYMsIg.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        16⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcwUAsos.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        14⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoYsAssU.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEQEkskc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KscEIQIc.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        8⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWIQsUwM.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3536
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5096
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmEsUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsEccAIw.bat" "C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1304
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:264

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 71bacd41ad0de06c902f97c0ef4098a4 7XNjOOKfxkWLTbR7jvsYxw.0.1.0.0.0
1⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476
1⤵
- Modifies visibility of file extensions in Explorer
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2000 -ip 2000
1⤵
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

Filesize
517KB

MD5
8e9bd7ec92b78e4a8fae5a7cf773c25b

SHA1
75a6e1be0172e94400fd73cb63421a1c3c4914f6

SHA256
d1504d705c9ba3e7f6cc4117781ca84fd8b45bcf5f53ea06ca1197c1ebaa8f1f

SHA512
10047f19cdbda239ff69f21e1704f9a0f65667d235f2fd5050a273dc3a78c141810e925feaa6c1a5b0428811afaa446e146ff6e03a7d67aea2c12f280171763a

Download Submit
C:\ProgramData\CKYsEEoo\TsQgUMow.exe

Filesize
197KB

MD5
afae51969746a86e73fba9034d42a76b

SHA1
ff049dadd573d15b657a52e9a2298b56d24eedc7

SHA256
53dead66e15e80a0ebcda032fd1a164f9cc222b7eb264cb710977e230c25f723

SHA512
1bc7d68a6f9371b283c8eef907244ff9e81b4e5963d4def49327f4b7313d8086e140cefc6893b5b3a31d2a799bbb9e66712c8a01d3d8831a1f9c960bd5bf0876

Download Submit
C:\ProgramData\CKYsEEoo\TsQgUMow.exe

Filesize
197KB

MD5
afae51969746a86e73fba9034d42a76b

SHA1
ff049dadd573d15b657a52e9a2298b56d24eedc7

SHA256
53dead66e15e80a0ebcda032fd1a164f9cc222b7eb264cb710977e230c25f723

SHA512
1bc7d68a6f9371b283c8eef907244ff9e81b4e5963d4def49327f4b7313d8086e140cefc6893b5b3a31d2a799bbb9e66712c8a01d3d8831a1f9c960bd5bf0876

Download Submit
C:\ProgramData\CKYsEEoo\TsQgUMow.inf

Filesize
4B

MD5
d6c584c6d7b1ceea40cad51d35d65d4a

SHA1
ba133ba06542a4f6d04610de01d4f6ab4b2e026e

SHA256
3466ea57f5fb17e02faafb65086dda11f23da6e50557c01d6f944d82fa7d65ef

SHA512
a610b730913fba0fd905ccc68c286eabe7a548327bd0bd744e3abaef8c3aff3d8ca2f65ba75f0c85868523ea44a877f69ab68ffd00b907fec463a7cd56e697bc

Download Submit
C:\ProgramData\CKYsEEoo\TsQgUMow.inf

Filesize
4B

MD5
83a922bb5f919a1660b923c836449a21

SHA1
67ec11842a36febd50e477311eea92666775452c

SHA256
af4a0268698059bd44680a8fa2003357f45e3e49eb0768b1eadc8af12ed4e01c

SHA512
f370941c635d9ae19eb0bef31f542b050faea5118833cef7a49020b6ef1673b4880c2f6973589afc0a9b1f141dd62d06191f5370837b98d757463959910f1182

Download Submit
C:\ProgramData\CKYsEEoo\TsQgUMow.inf

Filesize
4B

MD5
a24aba60192322bfa2babf3b65fd5503

SHA1
cfc3410dce7e0d6f8f4f8595f42c40cb24819ba3

SHA256
b2ec2dcf0725168e74e8e80b6211aff0d8620df25009bac0874bba44cd4c91f4

SHA512
b4c231cbf3e952c91252ca642330b989535da14c50cf1a0039f14af33a6ff792212504dbe4aa4609045129804b5db2698e35d88ba9a09deee02e6eca72678248

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
315KB

MD5
34ef1460358a6e40a61291ab100b4af2

SHA1
ff50e44c890257a8e39184b253bca9cb34c355e7

SHA256
deaea3df2d16f64c10947ea491879f5b4589258a98b0981b1d3bdc1fec9cceed

SHA512
249317b79924e1f841f519451e4d9c0e2be6fc096f7c11061016b4916615e4044cf2759d556b145c8f51d5377ce58ac542a00e77af96c105727a4c606dace42b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
229KB

MD5
f8ad2f993b798df234906065d2d7175c

SHA1
bcfb65432282223611f26eab4264e787a9c3f8a8

SHA256
baa62147b7c53c295e5311c5805285be525aa2baccd8d579f7c97ca22513d4b6

SHA512
50124c8e3cf21149f4fe54f4c657d5554989dc1ce6da59f885b4106e835facb15ab3315db581e3319e8064ebaaf01e5f67b079576d07e53bb723556d315e0fbc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
227KB

MD5
61b1b5b12bb51380534ad3585d0f8f52

SHA1
4cd7e0aabbf6211dc418ac5b71f4580f85111185

SHA256
514a86bb9d5c385574fff91de70e93269dcfbd51cd80a4bb947d55f4dae3b92d

SHA512
c26bf65f754d098465284e31f5ba3cdd3934274206c94010cb8de4a4159476b40da9ce84393672a50a9bf8dd957ba4003592106c52092af21a3bc64ab947b6c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
209KB

MD5
9ddd8a82fa9728762f6eea0f1ae7b50b

SHA1
85444118580cc92efad0259fb8badced050e120c

SHA256
021d5c64e9f04d203f375ca7fb8842f87b83e57ab0523f2a2203b1fff985d4e1

SHA512
4ab32684d0c0ea5d223e664ba6e0faae9fb0180af631d60c719d239e0046e47c2acd624d4d797044b487d42ac3d09c5ce80a4e3a5b040bb43a6767ed9dd6283e

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
636KB

MD5
f18b5f72571608ca13418c300c5260a3

SHA1
1da6b5873653fae7a703e05b49fb706804d9b40c

SHA256
05d266fa69225eb7c784669f8013169890657baea193acea9636e18bba48fc80

SHA512
f4e14316cb4f66b420de01443a2d856d031f8e5c9e6d9fe34b647dff4c7490f7520a833b3a2eb7ad89aa0fb5391783162ecae80f92d60526b320cc3b4dc6669f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
218KB

MD5
0c6cc152c91f55896f74647a9d10596b

SHA1
ac19a4a81d29b09936d9e4d970a42f2ea027e2bc

SHA256
614d9d7d99618c68556db7768fc2cd92c01f6e6baa8a3e6c78a498a6112411df

SHA512
99d8a83436c86a4d9c4c88204cd479ff1f20efb899fe9892deb956828483bc21eb12c05f87fe7ed8ce15c81c30162a896339e8a40f79f7466f416a6d3c5307a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
196KB

MD5
4bf4b412a8d46a5faa6e4d22745312b3

SHA1
adf88e37050e549697c614154ebe427c846471b5

SHA256
e8e322f865209e2becbe6d28f7e86ee0257bc8583a9e77ad2d1998b199c54082

SHA512
d94e4dfd51101d00dae8229eef67c852b99d34269ba6f88b7931654ff88c9f03b92de4f543a182933607f7314db846e81129de71056d96124b4908b85495f8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
203KB

MD5
a32077c92f0d23455631ec26442d389b

SHA1
a70a7903edb8a2ce9f3e91945d5beb98107a10b0

SHA256
f5b0aafa4bf20345c1befbc93f97313af05bbb11074bf9608e8ca637113221e7

SHA512
c1cebae2f12e30de6349488c52ee8cd5fd44beaa1f78fe327af75ff84df832773e60568e26d59171a85e9640d97aafd6f04179871bfb648a22b89417c590ba8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
194KB

MD5
b831cce7f2e47d240177b43c6ce4b327

SHA1
fb209c3272f2796e207ef6edc0ba7a7ef85d9af8

SHA256
2ed442e0ceba2e4530eda6bdbd599e4c1481db4d7b3a050b515c0ab35c08e875

SHA512
74c180a1c873ee111078f7607c497f93fc088e253b70f5ee5120d7b802ad9306d8330d5ad7e23cfa6fd10648190e7196cb45c5d6ff4dc77fcb719be8df587196

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
180KB

MD5
5bd13b810647b84f57747c205c8b44d2

SHA1
3fdd095d3f58ddcc405a6576e0bb5172c684c64d

SHA256
bae374a9783fa2305b416adf368a8ba69eff9f785c398e5b236a6b203762891f

SHA512
77a05a44ce7232816ca1bb8c5393343d1bbfd0f17f2a757113bc3204c1e84dce41a0e47bfc63a5f957db5c8a2af7ab246aaa01082cd66d1d067a2fede36e570f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d3d901efd656fc8cee365a2f1ca34d0_virlock_JC

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYe.exe

Filesize
195KB

MD5
e08878c6f176dea24767c99dd00ceea8

SHA1
fdd688ddf5a1be27859089a65022edab0c7569fe

SHA256
6adfbbb20a33d51c68378c4e408229c4bd987899773e367af7fcd60f6842245a

SHA512
0e8970894c63e341dbbca87fa6de7e0c24d9d43a2dbefdcf74c4e039230473f4515e22b0b149b628a5319845b883fa1c67abaf97562d931768071d5849269053

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQQi.exe

Filesize
205KB

MD5
3d514511ee32a26fd6cf582c92e79098

SHA1
14ece6b23c5b36f7a28c1e227f1cb1c62477403d

SHA256
3d59c7c7b5d92cc0eb7b2f581dd2e13d01f60a2bda32a6f4864dd4a81356bd8f

SHA512
c57ee71d95bb56b5635abb0b6d509e0ebd3bb625ff650ecc6a8d870667d797098274121604aceefd75290da11f18dc739fc90ddfadd1d6fd8c222dd106146183

Download Submit
C:\Users\Admin\AppData\Local\Temp\CksA.exe

Filesize
824KB

MD5
2da01d098e922b7633b142da37978e0b

SHA1
55ee2514633ffdf68df5303136be3d6c52144ab3

SHA256
58fe69a3a57a87876533028036193587b8084b434e9a680f5bfd0042c7c0763e

SHA512
c503a049d33be1efde876129927d59bc3f7be57317097cc57217f15cf9023002b0a399b7369d68b05c83c325cb636008f3c581a60824c4ddc4cef746e882aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoYsAssU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUgm.exe

Filesize
862KB

MD5
deb048f53fd6760ebab313881fc18fe2

SHA1
e74df995745bb9702f02e96c33ab719b509e911b

SHA256
698ef241867fc6d48606376d7c09539034270d6fe5a7b84e7408799840c19898

SHA512
44c4343386442860bfeacbc85a58e9717f9dc8f9dc2a0b5360f2e54ea06cae5bddc6b4e3c4eb550adc64e200021e1615d9870ffa53e75debeee227f7c7df0c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcEW.exe

Filesize
193KB

MD5
8c088760131fd5e38940457161bc8de7

SHA1
39aa04f56a41683f0320c2a45f1ae3bbbeb4b7ac

SHA256
de1896c10d72e916c0163e96d3ad10b5638b9ef670bed1e00061d7a6efa73334

SHA512
2d8fc54aa0b3b91614d00319e8fe2a60eea5023716fb0bd7d68b6570f42fb36e51ef14c40d16f30483977c6ab6e773d557e87e40517bc87ddac1ac242368ec87

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQkC.exe

Filesize
189KB

MD5
cb9f8d3c26d732199797329e948568c9

SHA1
9288312ea55bd838dc20c041964d6bbfb69b3138

SHA256
c623697833250524a58660462bbe50ee67af3add5052b39d962feaa5366b48a5

SHA512
c224ec8a3c9c08bdbd7dc1a9344bae8d43047219b57b727ddf0f90dad11cfc11d8debe23d6109ae7b6c416f9608e90419fc6a4aeb2fc73e7ed786245e79fd16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsEw.exe

Filesize
187KB

MD5
1864e01938eb9b653510adf6038eb3ea

SHA1
0d1631ec155883302d2e464601aa5c9c1aeaf2fd

SHA256
d2cdc5408b770ef6a2779a3796f0c9db9d1c445a4c0f635f8ca6c53c67ab1136

SHA512
1f8713e9f924b0296b3f19f9ac5f56a41dd014b275238805be1028067be699e89fa7856fc8281480cd2a30224faf82f108f43edbf1a087ce8283552c5f20b453

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAYg.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAEAssE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcwIoAwg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gosi.exe

Filesize
388KB

MD5
32ef31ff3cf1763bd488066acda62569

SHA1
1c415db682f7d347c69c554a785fe6fea3a08b2d

SHA256
d26305ac8dbfece5b12c4c96879e2a93d7d7204204747aadcd6edaddb130e6f8

SHA512
e5eab77e2b84e0a03c097278d2bc8d146f437a4bb4a7e3bc9af3b679eb4dfd18b963ec2a830f2fe4c618c0315812eba0f95c5b27f973ec53a66a13e4a9b640eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goww.exe

Filesize
200KB

MD5
21dd445d3dbcb9bc15ef8cc7b487d361

SHA1
f67b0764dd7ec6156760619b4628e88f622fd2c8

SHA256
e0395bc8ca89269db838df894d1d8bc8574239a1667222b910c4794adb97c404

SHA512
eccb46eea3ecda95f630628a85892120a1f0758a7bb6a967664b7db813278ad67c5622f8c610c43caa3e844be2f82d4677ff738a4b4a2181b76a550e5d53e351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwsc.exe

Filesize
645KB

MD5
9044b9a212c509bb837ba4f506c500c4

SHA1
165617266f196d52283236807095a9e9952c9b67

SHA256
5d7e26371e562b32755f639900c499c1f9ca420d3063cb9a9c5560685d0195a2

SHA512
934098ff427c640a55cc5dac6ae33ed5b94e5a67dac4ce3c69cfe043c3be5476714978d1fd76202b8ad694d5a972513c63fcf046fdddeaca4a7b37e1f7e20e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMEm.exe

Filesize
192KB

MD5
0aa7dad9831b523779902a2c6ed4fed4

SHA1
717b20417195a09e1c9dfbb01fa38edaca91adaf

SHA256
46aad2f3ac4b7968cf48cbaf9106e2ccb09cef1b52c6858d0b98e8a7ad998840

SHA512
8725638e943e8bd19a070ced2661097d4119091bb261955668ec2a64a9837af65fc9dd1b095592e14874882f459338429eea38eade88a65faadbc4c3968ef299

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMsS.exe

Filesize
199KB

MD5
7276ab3a99272ff3b85dc244478f87f1

SHA1
ca2791c5aeee24c037f4bdec466da3673bc46e3e

SHA256
b52327eb67fa2fd3c2092c641e80705d58f9d413af57b80906d4303f562c6718

SHA512
4a4452626eac318bfd5394d4beba06d62b8e981b6cee37eb1a8ff4db1547fde6e1f58640e51c0cabd1d4e09c48f05257cd8c476bbe88b81526245df377fee148

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUEM.exe

Filesize
204KB

MD5
62587c276c9bcefecad634e63f169eb7

SHA1
1ac11f0afa4c3b1bbaf5092bdaef578d3c941548

SHA256
e326ebf28e55e0b4360c22cd2fdb6789b1f17a11fd54aa6af6fe0ed9d319963c

SHA512
ea28d2b4e8feba7da120d0be46fa1844dbf560950427dcaf07c609c0ead6ed978576b364b205d1087691d9759c8c7b0f23b492bd42d92b64ad191a6807c0085c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgE.exe

Filesize
633KB

MD5
75cec5caadb75f02c7a92d9a1bebdb8c

SHA1
3d9e07006369e1a5eaeba11ee22a737423a33aac

SHA256
d20ff34e7e7e476598c1e4b1827e9d6a0003ef1366e857822d3f02a25165bf0a

SHA512
c02cb47203d2fb92b8961e6126b2ffc25f67aca6673a23a053bab040b9358e699c1c11aa46662c004f5b36d5113b40803875a2f71886450b4e8dfef08b93d5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEU.exe

Filesize
898KB

MD5
278e820028509a586b767412f476bc5a

SHA1
64f6ed1d4824e245dd5d788d030795d9a1d8f6c5

SHA256
9c547f6def10666232581e4e3afa4f5d5caf01e16accdd4366095450b523e2a1

SHA512
2e7f4caeb5c16e0df283afcdda49a2fd3dcec857afd7802f77d1e112854f45ea3444c063a9d42cbf96edff1398ad3238ab278ccb60a4a4af492582556f570137

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQcA.exe

Filesize
183KB

MD5
6c91e974beb5f1453390da8b1090d6ee

SHA1
932dd0e0baa6a3f0fb24b9eda0e2a93caf97b3ad

SHA256
81b5283bcca7e35adfece8e95aa405bd325302e4e0f39f18e8c784fbdcfac54a

SHA512
d6949c336426a41f40c6158b163cf2749a3429348fc33c69ee0321d124bbc49c32f516f12fd7005c39c98eaa4d46dd3cff6876b242f14619240eec77ab8963d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQsk.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\KscEIQIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMAS.exe

Filesize
184KB

MD5
3f8cdf8a86846790fddc31a0cbbe05e8

SHA1
cd8e0b3c5a20579487c0759fd06761ccdc4a02c6

SHA256
470433892c3834c2b0a13091fb0f58280e7a21c7ff35bf0bda3442efb0e2027f

SHA512
38528ef212154c4d61063cf03415140d34aca449f4759972f89ed92c935b34f7e1a2b1a594be2057dd600b11ccac1fc870c66bbba7ca873237a8075321f752ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQAO.exe

Filesize
786KB

MD5
c2d1682f9fa2ef7d31c9263b220cd18f

SHA1
88aef1d84c066b260be83085b70e9925886601a2

SHA256
63c35a0f7bd4fdcff68868505e8f6b20e83f8e65ba4719de516ac6b97e4f43e7

SHA512
73d5b7415cfab173106c22c1ac502e1fa695c024508eb98b4c95d57fb4e7ce0c22ba3aa0d8e8ed87bb49f75a222b1edb515069e4f3abbeaac98e32e96dcb369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwIk.exe

Filesize
206KB

MD5
bcceefb8af889d22dd5c0f9d474f0b59

SHA1
931133cfd179d184050df37fec567402f2a3e569

SHA256
914efaa4542071951df0d5cf1324c1e313f84f24adc1c1fff119459ac7ecb9b8

SHA512
1fc039869c42bb3a1f0dc137ffaf0ca78f1d6393c39388c107709c362553a2b2ee5628d5cacae843ce6c235344403d9aa8adf336969f9278e91a5d727c0a7c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgy.exe

Filesize
196KB

MD5
61d7e8cfa160310defc72dcc76da4db7

SHA1
f05d2cfa455671e16ec87770b7f9739cdf3c9244

SHA256
db54ecac7bd292a8ea84b156a355633b0c012d57d0c2445d7873087447032270

SHA512
54d0cf45d64abc3693dc5e4577e3a4abb5cfa231104c4e9e1771e106a06c327baf80d0e6891161fcd4aaaec676d90d67ef851d7948eabc7dc476e1c850dd0e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIkK.exe

Filesize
641KB

MD5
7cdbf4b63655d128f74bf9d867eb3d18

SHA1
bd53f1cb8c98e9bf41134bc147d9a38ac5281265

SHA256
1bbc8e913761c90a8d4debe40799068122025388ed8dc7c430fd1776e54c162d

SHA512
b4730af96c5fe373ce657c7c743ba58de7de5a62b143e07cccd813b8bc62ff792c836efcf15eb272c2ecdf47fddc2a6ed7c7bd3ded4012531c3f8674147ad174

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMsYMsIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwMW.exe

Filesize
188KB

MD5
e36842607edcd70990d5175f9f27fd10

SHA1
6e32bd75f22b795b8592ac9369b5c2582f002ae5

SHA256
efdf6cc782dfde13e659188f02e023e9a2d0438e2a44fbcfc9c0e439653f30e5

SHA512
5dce7ac2a5ffbffda69b89436edcc0085f492ef9318a88137fcb2e0d0d43bcf2c5a24c74ea11fbbcc940913b9ed52578ef15c6d1bce8ab8aabce6d5e1126c69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYAu.exe

Filesize
216KB

MD5
9634590418bfb780036f52bae44db777

SHA1
4fd0e6b616e5cb7e2a40326a5dfb99303b912f3b

SHA256
f88caecae24591db18c29e17ed2ebf96351ef757a0b9227c47278322f8b92daa

SHA512
27205ab8d73950c83a1ed754f6788c08bb0631ca6fb4749bf217aa5053f3ae7de21f3be78a8f2ee317c8044d8074ba49d76213cdf7a00210d3c903e710f5740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooco.exe

Filesize
198KB

MD5
e8c65f97567fc8a8120ec34e6ef68249

SHA1
a0711026166713a68fc9e4e5b792ef1410b8b59d

SHA256
f6055a4af1a7bc9aa24d8b9bffe69ec8224c5d2259eb1ea0f1b7331eed9e6fae

SHA512
271fddac35dc09a5f8692d8d98dd7530bb7c5e669ddde18ab6ea14660ae2ea0ac307a68dc768805b2a979c829c9803c8f3e49643027774c9cd83e5be13f61cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwwG.exe

Filesize
330KB

MD5
532de3e472a1bbf2e229c30f627347db

SHA1
e3d883856992d44d460de532d0755a4880121d44

SHA256
04374997ecaff5d43e5d4a341fb0db880857d56f57cc7acbf289164541c8e642

SHA512
738aa4a573150f8c7e2e74fe0c55e71d5873e60541ebb2c2a023927c394d0ddb1c514aecfb16445b7d94ff93a62f3f99d6277be8bb14c33fab06446a11d06d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgIS.exe

Filesize
223KB

MD5
4317fc5b4b3f7042e53754ae05337a29

SHA1
5aaffc95203a9aac4bc4ddd549826348e4c942f5

SHA256
603639f7e4ed89742e014b67e519c0b0c86318d3e3af92f9a26ffa265f9a8e2d

SHA512
b97a1d431e8c9d3e4921f5a62dfc26496e55a8dc6d03ef04fa7520cd5062bc0f14c31435a6c839f319f7a16b7a0c750c6cd34f5eb1b034767fbe52ebd1c9b2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rwgi.exe

Filesize
569KB

MD5
89ef2477a09601bee672da5cefaaf17c

SHA1
a84f38e5334b3a0d9415f9ec251bc0df28d19a81

SHA256
3cca1a60c0d66b1152edcd91e2a4b8e319af6068f2175dc8e5649b5c849469c0

SHA512
e6ad9cfb17cd715e1fe2f1abb744aeff81c857c308d000f1b09af9289e63015f279ff55491d1ae54dc7eeba55747e46690bd1510a69f451691aa4895355ab586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sosy.exe

Filesize
184KB

MD5
55a265536ab3a2d3b3ae929631b0612c

SHA1
8bfc20b259c5184f8b8f0eba632dec05e8327f64

SHA256
168ba7ce186d95742890227fc4a7c12045daa0fd69c525a52f747dcc4d1726b5

SHA512
961328217a73d9942214f3ec51ce0158b88185f3cd8f53128b2cb082eebaf53b1f5b0580f90d2d0788067969539be37e516f9faac349d505a9be2b0e533b2467

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgIg.exe

Filesize
198KB

MD5
c9dea89ddafd79ebcb2fc1406d418b59

SHA1
a8e788e8a12cdfce02730546b5313d312673a52b

SHA256
bd532204f5a3cb49fc9d207fde41db46ba6ae2dddf48504ee5df2656f89117e7

SHA512
feba9343dc317a897d3310d762a1f825c55976e9cba1eadd3a61557d6c25d4db2710699223e5018871c3a47defaec1f57f6ec9d5470fa7b19fc146e0a5a28084

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUQc.exe

Filesize
199KB

MD5
9edcf9dfb47142f7f39a7f71f20959a6

SHA1
d2ed1be38bb41ac8aff816d084c1ca22a8ef20a4

SHA256
378a899a6ca8f95c0d544894b988c43985d23d53b7a8374e0057653ba91e5415

SHA512
0ba219aadb326be10d31937a354248b45a148a9c4eb80c209125afc7cb88775970d9036c711de7af7b88f6bbf02b580cd1391fcec74ca43a38935eac2d7323be

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcwUAsos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcwe.exe

Filesize
206KB

MD5
dd09056362b3b6e465dd2fb908b9305c

SHA1
dc3ccf8529a6d1886d9ff95d0bd505beb9566821

SHA256
bfce3bd27b55ea6c06d40d22d088f9f6a76104af3c244266803dbc079eb474aa

SHA512
625a6e5c98d7e62f5ddac939d6634fe917dbdc38ca478aea8679cfe281e7ead5e9828c75ae657eb1e6542ea10858b81c2dd3e6d6e7120fb21b14c640214b9e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcwi.exe

Filesize
874KB

MD5
e38b83b905be54ff96dfc0a4dc0c9b2f

SHA1
ac259b857e8602101a6eff1a22408036b909c2c6

SHA256
9d2ffd2d740770eaafe923afe1f7d516aea9b1cb639b9420bc83f7b5f4bfa182

SHA512
7746449cecc30746a1377aa67981b27556eae37e739898756014381b334391a61b8eb05eee78cbfc0e0e0bf440d7a1a73c0a81c2719012735fd369ab01ed04d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wggu.exe

Filesize
203KB

MD5
585192618d86d573fd535b2023b54fa8

SHA1
3f1caf84fcd1c01fba1b3c18cde14efb173005df

SHA256
ab9bed7a4fb4bdc3b3da478599bf9abe01f2c1e7e313a42b3bc0ffb9ec7c9cf4

SHA512
e295fdd79f100c71cc2cd6bf71103746637776872d051c702663506ae4781452ce1b4bb942e257ff10f9ba9acbe5e5390c46196061157bc402f76be65eb88346

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmEsUYoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WswE.exe

Filesize
721KB

MD5
5989d131f4b9a773930b44fd4963f5d1

SHA1
cc27ba04c1aefcedeb79c6c17769324c34c2b88f

SHA256
87c47fd2dfd5e02490aead66c8d3e94536cf9d667f8105fdc64f5ac020180ee2

SHA512
a8d5bdb90f7ee9430c2db9c9ccf31c88856ab24cd0dd4dbb8f2f2eb8e5cbef5eea9302620e5c4a5e170ac86648d3a7a3f1e489eb2996d7864429fb0b59fa5257

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAcA.exe

Filesize
652KB

MD5
c975dbc1ea6a883893c1bd678db4656d

SHA1
080fb5153c0dc0a3b47f17135e72efb9378ba264

SHA256
f222da07c650f658c3ecd016c7d003ebfc3f4b28e850547066e11c35a22b7622

SHA512
b0ead494f3853c270bbe117d60e858d4f32f9d7034f6949efd286380e5e8f8e08f1087e098352623445ad50b6d054c75f41dc733fba68eaa2179e73e23568be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsgK.exe

Filesize
197KB

MD5
c9a0f2bae9c8a5e9a9c5033d1c498eaa

SHA1
c80b835e9d4ff5a5620fbc5c75dec0928fc78de4

SHA256
eb33195877f61346b053b488a22fe9883b0a1cead094c1a136b42d61ff4a7d9c

SHA512
32abc915a1841c8802f6e2238578239c2ba30a9ea1662a0b9a6b6a7fb5f4cbb99b0bec5e3f6aa35c0b3a1648a3458f74e7fe394d5995e076392189fd84759599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAYG.exe

Filesize
240KB

MD5
64b1226a445e30893e1f33a21999d6c2

SHA1
c33ac9c935095fa1f7da642fc8972735744bce6c

SHA256
7dd2dd2651f011ddcc801597c937bd9348edeb0e8fa65e1387b22e6af2241e50

SHA512
4613857086c2428251768a35f2bf38f473347350b91667208255a6f90164c7b51a437c873e41d59862b8c5365dd79ae363f52903dd23f9820a23c09caa24d78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIAQ.exe

Filesize
195KB

MD5
886cd478968ad250e9a1ba2e58b48a04

SHA1
1980df690fafe4f32b227c14353dfe58c6e59c71

SHA256
441cc66f16046f859f0ffa0a05544c98fab7c263dbf499805dafdc182b399855

SHA512
abc06b5257f671a8d47eeda338c6253bbff4ff79982f52e55b82661fb760f4b1aaffca53f94b8e172ac5d6f0f07b823f982c93eeacb2db673603bac2ab5f8c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgEgQMQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zsww.exe

Filesize
200KB

MD5
c46b4b1c4c366602db2b6bae139dfc8c

SHA1
b568da68326afee827dc17598b2b6828d9b1d669

SHA256
e12f4109edafca51f1649ae887846027489cc5456ec3b43c8c106cffb41bd71a

SHA512
8ac76a009799a1db17fcbd182ec4f9fd92cb5f052994bd14f76e53c745167c5c399f1cc632421be8a0d1e87422ce39e092381aba6d054a963de653591a113f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEQEkskc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\acou.exe

Filesize
5.9MB

MD5
65f82ae651a8a8136a1ae34949d9e273

SHA1
5f5989953a64190993e281d5d5339ff6830112af

SHA256
51e47e752253eea23864df89c10a7be0b39ea4f3836628c16016e03e8f56fb6b

SHA512
eb7d6fb96fdce2dd8488eaedafb65db2fb717c1c7ec1b89b17df91cacf1f9b14bc545d4c4a0be5503e8c5de47c2866f87f01c3521af716f17522cc82935cb149

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEEc.exe

Filesize
194KB

MD5
fd95415196ab79778198a51a41f8ce8f

SHA1
70dee0d69b636456f812ca683a3bfebc0e9a16f3

SHA256
c92b274058e6d99ae11213b6b7d3af2b068ff754fae5b6c8ca765af99a22d5cc

SHA512
24cf855cfde31dfca1cc2edfcb8c66a658d8556bb8fc7df7f85db930642123e537f28d361ecc8909a22467a3b39ff217ce9a15cdba6e9483ba8fe18632aa43a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMoS.exe

Filesize
214KB

MD5
f70b4c87158ae0767e44edaf4a0ab948

SHA1
f1282ea7265efdb51266e53281237b9ed5a5a1f3

SHA256
80374e5a2d154c82260ef5367b98f668ed299268c7fbaf1feba56ce3ad406a0f

SHA512
b7ffc804d8507dedd9c9dc5bb121177f6b71c76450ca9f25f6c8fe9cfe6dad5c3fea7a78131abc05d9bf1def79a7fff71cc80b083c88c4ba57e07a7534523cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckke.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckoK.exe

Filesize
208KB

MD5
39d41cf6b5e587d89b900873dae87d81

SHA1
80def3be1de19ee9c6c28faffc5a76cb4b258f91

SHA256
9fd3c884866e8359742d4f50aa16121e11cd3d444f56e6d43c5b0cccfc3a55ed

SHA512
7c859efee6711823e19740e111237c95633277b9f95b0de9ddd4c7b71288ea70d5880486e900f7e5281a9925df760d9f28886ff9c7f6fef6afb935789b7dfdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGgcoYEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMoq.exe

Filesize
184KB

MD5
b1ceb77fe28ed69b31b2f213cc694d89

SHA1
5179b63e5cd49e2c90ab38f9b543da5852e3e7a5

SHA256
4a36aff828af2d058e2995edd983aa730ce3f1de0c968fa347b07982cba32a04

SHA512
9742376ec2643d2b5d4acd46a65fe233c7f54854454e656cafde341f1984002ad01ce0f6b7b6bb9f2413ea3c96db0248c0ff3f7bfd8c39e50232cb8156eccccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUEs.exe

Filesize
633KB

MD5
ef48de4b9b2157fab8d24b655579c24f

SHA1
ede98c9ffdf53d53696f86cb407fc06f223d5307

SHA256
77497a0c411cf680b3c6835f157fb70bea0e127b17cfea20e33a476402f730f3

SHA512
2f74704bedd9dd1020a53ef7f0f24d1881753f8659afbbeda6ab562e626e062000e08975406cd0daf92469dd7bda314f089f9040cedec081ac9722e36369e32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAgc.exe

Filesize
193KB

MD5
dd3a2d0eccfba22e53ddcd2e01b6eeb0

SHA1
2b8aafd5f810197d3f6d576db612b375ff88a5ee

SHA256
efc1b5e96359fcba2a9a5868569fd539b3e5b68c091004d63ab7b53b5ced48e4

SHA512
7e135c722509b05d0ab9301b3f433dcd1fa7160e20c90cbab0a78d581263919fe3a4d8f7c09672380d829436d8914456ce7945825bda22e9b14e941f14d843ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYQUAEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foEU.exe

Filesize
194KB

MD5
339ac6100b4375e9d50d3eae42e7622b

SHA1
79f5c44bfd97972784f7f984e31c718c33c1d47a

SHA256
c1de209066247c4a2f52f8da4bba16cbe9ac5e05e6e31472755b1aae92234cc4

SHA512
7ecd161a1f19c8b1de2682726f139e970fd228096f6d5e6714b098afd3fde5878c54a2a7ea816f3872a76487c302474aa28613316d86e74a792d6f66ce916950

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsEccAIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcAe.exe

Filesize
721KB

MD5
03523adcbd7c76f195deb6f25010bcee

SHA1
d7c87bb6b4f1e8ced95ab8d73d9f8b68f462fec1

SHA256
a3dd40f32517bf55541efa1de37d0a95533df3c2b5d330c0992cd0abe1dacb31

SHA512
cb73965d64826a68584cf9ee0fe13b6d389140bff18e983ef56bd1a50e0aaa59deb2e79dee484e505c92f86ce9b746e9dad3c6bb01d75f1726c55d3a7de382b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoci.exe

Filesize
204KB

MD5
e5a26ffa72504f972d1b9501250a74ed

SHA1
126c5476d1ad86608e934d5d07b91dc1e41ff86d

SHA256
cb46e96c4f916ff4f1a6d1dc595ecf526e633815facbbf239ccc394db46b7189

SHA512
c8bd3c68cfcd125ebe71de0cfe88e7cef24b84f503e517f06f9b040f1edfa3b65866b21c6a9d40011481cc08b55c0647476aad00c892b894e23b5e0f73882a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwYi.exe

Filesize
197KB

MD5
e1241105b608bdd8704d42a557e01726

SHA1
43bc2d4e24076afcdfdf60bcc532618bc3772949

SHA256
e2867265d5011d5b6cc70689aeaa040c21cf6a722e161fc94d63250e1dee6806

SHA512
2921e3ae100e29795fb108659f0bc4248e3350a3c09a56a7633bdf40320547ef22d46655c91d87f9ec5394f20fa67f3cccd0e65e33b2ced7ca6abc82dbcf0703

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUE.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoq.exe

Filesize
182KB

MD5
3a0f5fe3a9b370087e94cb173129579a

SHA1
925d4691127625f1eea5f51b5d38b54130a7edd1

SHA256
2cf2dcb64c48bfe6ffbf25faef0c3071feef29536f02023cdbba28c1802d5400

SHA512
70677821ecefdce97a58d2c97c0145969c23427b7a2e8fbe712494709e2274dc72f56d72bc313322324e75db01bba8391a66a4fd8042a36bcd0e5d740aa9747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwEI.exe

Filesize
316KB

MD5
399270a39a0601b20101f59c3feb34fc

SHA1
b7885611243ae0cc86b641e934fd1d40d0eee278

SHA256
17754a6efdb387cd2e5181512564d91432150a3d0629d2ef0483ddf4529c3e28

SHA512
b60b28e446c6aa9e70cb99bf562bcab1bab6af0d1aece2ef573604bfa6a383d843fdf6d4e8c6e26a49f6d6559e1533e1b280bacc06b246d64c74891a30b7d311

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgkK.exe

Filesize
5.2MB

MD5
1033e38be28a1c103c71befbbf4d0234

SHA1
0543ff7828c891574a489f7a916ce353f612d40e

SHA256
17ccfdefd85e1f1e1ab553685dc973dd3cb7827042c4a7c25f2b716ef326494a

SHA512
60f85b8207ac53656cf13130800c18356482a3c9caeada02eb4a3b31b117c86f01fa79650e4f5042bf69042ff993a900434a7d591199a136951529e5c30c33ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIQwwAkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIom.exe

Filesize
212KB

MD5
491a585a295ce04995e3a8d344df02a3

SHA1
5c1939a3c4562ec4ba07679511a6041cd5543ebc

SHA256
4f66b3535caf5cd198f26e401d5b8df82d3cb82f6d04a0b8b4b2097bcadbd11f

SHA512
447f5c511d4ea964cfc3b3fb8915cc9f6440942ab8aff85eb0a47b4b1d6c56c765afd7c6f2382a70d7f0127f3551cae79ae558d88911f4785822367220c7b7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMy.exe

Filesize
201KB

MD5
bc96a981d88ada0e7fbbabbf294487a1

SHA1
10d00fcc02ae41e2afaa4e779bdd7a963490ad45

SHA256
65b40878e82acb4fd1a16cd956b754c3c30779f7fe915e8ff2adc9a9ff6057ca

SHA512
43aca6180a1476bf78977a5a86a9ef7bf7752afbd26f643a692e8e9d3f1abea247c2919bc84c543be0bbb364d6e3581649d9b713ce8a1c91dc7af74a0312d03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgUa.exe

Filesize
266KB

MD5
ed84af3706891488c077ef9a6d2c536b

SHA1
04e5b7d87084306618edf99d9d648346606d1028

SHA256
f0d51b1c5c8dadcffb74e2e828dae5575069dc4d850c0e99b3547d2d1cadfece

SHA512
c73b24447daeb3e224765b7d60fc0bdbe3635dd2c0127264828aa6004752bc68096a337d8dd49c8a5341e98d9cc208920a521fdef946384779828530cec52ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksU.exe

Filesize
196KB

MD5
33928f043a567344873f267c57e1440a

SHA1
ebe76d60e3dfff5b8ddc196841397da74a4dbafb

SHA256
b7d91295c0ac4e6d5221a73253dcbafc63f46be24a92d17d4f20873866f34679

SHA512
a916316a9b77713488650111e4f22c875bedefc12b2558620a9168ac7edb20af57dd60b0403b3735904a0b4e0551aaafcfc62b8d748208d11714bc831ba33f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\lckO.exe

Filesize
210KB

MD5
28c33e494267db255bb4017d0b6efd60

SHA1
0fd1a213d2187f16e86ec410af09a9712e405873

SHA256
bc8e7b7929fe8cf4f2ebd0f2fd9110f359584abfa4ca98b33e384071ddb5cbb3

SHA512
1e52f66bc0ff03abf8c04ed04c95f3fb1e629263bfd23d4cbc2d4ede754aa99293cdd7fc22bba99d0346c10416e37e8ed57b99a3f04139a0dc2e2a5e7a52b83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkMc.exe

Filesize
184KB

MD5
0aa77cb233b4f460aa8e7c627f576724

SHA1
44eb3deca7b7db46d8b08ef85ac3af57eb895a44

SHA256
f46bc6e8d37ec0d92640ad81076ad97876284d362861b686376944ebb6206871

SHA512
412b8982e101e8405c21927a17cd5a0f6b43aa73664da2116e995776742f1e9d7e84a364afb6c89e9342e30e22c2c7f2f945b458f61f69b3fbc1235e0d416054

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIkg.exe

Filesize
815KB

MD5
ba8f82c79f368e5747db4779b4608927

SHA1
0b94a98d342816ce7afdd8824d744034a0b60ed4

SHA256
304be52332803bcfacacd32f815d92033fc188f9d60fc9efba8ae842b815abaa

SHA512
9b1df3fe8e69c70235b2198f4c685b5007e0f17b2d7712569fe794c5b6819575611d484f785d6987dd696fd71d547d511784dd1f0ca0477a1c69a71e238f4d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMsg.exe

Filesize
198KB

MD5
c9b80013683585bb19ea1ed6ae1731bd

SHA1
0162e2d6f71ff579242c870e307a6c67048eaf5b

SHA256
fd3a2b9737117bcf9c39671f2fc3f137a2f8a3baa49f54cb696bf2029aeddb24

SHA512
acdae992571841957fd22ac5872e34fab9fe03110f7f2b41ec4dcc9516871ae29584d6be9b6f8e94bcd0a53682eb38608f86d2c5452b621bdaf34763857c4a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIwQ.exe

Filesize
5.9MB

MD5
200463a1fe9e6a2c07f08077f60c5a72

SHA1
86e15a669ffabbd021703ed7640901db3e899bb7

SHA256
c6b1e3fb7321cc1d55f7e85673b711aeecc9d82d05a04a610fad407c35b58328

SHA512
9e635144b5051fc998db40b0ae4ed5cc852276e0778e61553148f84b45349855c508ac8fff70acf443a972c2df1ad98264f0b4e7f59e2d07d4729770d4f0f51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUsU.exe

Filesize
195KB

MD5
68703d39a31f601172f739f64d0bf4b3

SHA1
6c1ff44751803ced0759e3b05072ef232a6c2c09

SHA256
e9c33168e45b2f93a2f107deb61c95f51ac3255fb6cbc283b43b671cebf31453

SHA512
d376eecc4a5227d997e2ba5a66146278f42f61ad47fe0f6c8f8f0298fd3941886ac0e83bff7555c103ef077b86349c55ad487aa9b86988e7824d059c130de393

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWIQsUwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWIQsUwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAy.exe

Filesize
202KB

MD5
ba40c1ebb7ba733a7c7e43238039efcc

SHA1
5a78f3d28e3c498b42207a90064b8650579e2f90

SHA256
dfd0faba170c174a7cad97ee1fd872bea0c642194e89e6d89fc293ec1f5278f5

SHA512
42b6f5ec285fd449fad8c593d3f50d7a1781442ed4ebe7d4662b6cc258a0af8a08a7f9f0b1655b25ff933f5e55e4bced5dd123352750ab4e4759b090be3ce2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQku.exe

Filesize
1.2MB

MD5
92b484eb044e7f73b64dcbbccc28e408

SHA1
9453d9b80deb4edc81fe2c31e1e33df1ee70ee7c

SHA256
beed7616f4a200a2b65b7ebdfb531c8290a192f61ba366683258fe7110d48123

SHA512
3c7611eca22e6dec73616b89ff4d36f636cfb0303e0dfca2107c59effc4e1a39b332e8157917ffaaf5cc40c60c2f27e0de341426e6775359c0acb5f11940da95

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAK.exe

Filesize
440KB

MD5
6ad598ffe80ed2540df1225157135203

SHA1
70d9ae59e90fa4d731b2d7bcb7935a99ecaebf23

SHA256
0dae6e2ffdd0e48c42cdf5def67bc3eb447e21f9a73d1399cb7f3751e6160f13

SHA512
88a22cfd37aa28fe2bbedb93b0c7e2f67eb76cc83e6314b6e865afb298ed100fadf2b04b168a5a60704e82998f4572253793d93cd3cdf7ae9cfbd5a6672d7f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUsI.exe

Filesize
202KB

MD5
8a77458d7e1f9516cffc88c300366ae5

SHA1
f6b052a61e5d7b0d559c1aed2bb521e6254a5ef0

SHA256
04f1473489d324cddf7994e061ea94be7b3eb09ef99a21a70408a269e22612ad

SHA512
e6409e6f5de83b19b9af6f2970b0b52619cb12aee40782632f2273b70a1c5cc693310b5077f09ebc998a53e37b35057cef5973ca2530328b7bc7e035c38d844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ockUYIMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoi.exe

Filesize
200KB

MD5
1d6e4ff5fd7c0dd62e37475db7195438

SHA1
95df4a89435be9e367ea1449e492c84648818595

SHA256
b68e5bfca1d3bd8d4dc711ac794d3cee31265b3d2bc73a08b6027299ee5245c7

SHA512
3bdc7ae4125322f14c60652ae71946dee04e9df76157356afaa48a41275cfdc826cb10b958502ad720aa54e829f67c243a52d3c3cc6ed5d8306a0a07dcd8cc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwI.exe

Filesize
5.9MB

MD5
7ebbd538ee93baa8ee5029d822be8b15

SHA1
8ce458ff124960cae62ee8cd5a8191d0a4c2e7c6

SHA256
6132bd941af38bb6fc638b52e800969f0e373f24e747de843a6a78f89ad5066b

SHA512
95680ec252de9b69b64b409389e127325352ec19669d19dc35319d15c99a083225d4d4f2a9702450c47b86072dcf3d9a6de43f3efdd59985693c65242f561bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAc.exe

Filesize
181KB

MD5
324cf33bd8c83dd66ca3c8aa805e5776

SHA1
70e02b354b350ccaa1af27709e2bc489e59869f6

SHA256
daa4a3b526a9f64f4a92a7a0068487dbb34434f5423e7ebe922fee229e52e14e

SHA512
e342e94167d1d2912f0aadf1f5da31bda2761aefcc859677cae2a4ea5ca1d300638121c63f2048b3a72ed8887bc25f0c544c249ad36c7eb27cecb2da9ec38270

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwsY.exe

Filesize
949KB

MD5
b4f2463761242ad74c086b62b60bd503

SHA1
a7375b52cf4349d2ff5cdc294db99d185d154201

SHA256
049232a593d91c4b14e2ee0e3a18e518d12db3de3fd8b23fdefe2ba92cbf496b

SHA512
6e73986edbc958fbf3cc9f3756f46a5fa9265236f11ef8b1275f0b1288a56dea4ddd440b84cfce00217d4c3335809545bc4d673f78ffef1bad1038cfd684adf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYYk.exe

Filesize
187KB

MD5
71da7f04e5f34ae84a3ff5b7f046f51a

SHA1
0067456938da7343b4fb792e7ee953e62b6f923f

SHA256
e38103e517a418f8c1d55a3c7119b20f4c37b765aaeb8178bd265075615c76fa

SHA512
7698cc717beb93a7915d791253c3673a35ead3ed0aec4f2e01185bcf8994592e502b4da5b1897f731218e20fc5e4a1dfd63200224ff13ab8d370ef37077b14ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQY.exe

Filesize
229KB

MD5
2048b6cc0c92945a8900c4041fdf942e

SHA1
f28f7ed0f3bf591d330d83e35438e5558f0a8dfa

SHA256
398d6318289fda218567e680e06b6063249434c1f43a95bf55ff81b1609bcfaf

SHA512
47e8b326d42fe3b472ced825c6b025f2afe2a69749c91d7be1ac7bb14ada2969a238e737c3d7424967a269bd9b2d4953500c9873f9f28dd20c48a2298069358e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAa.exe

Filesize
777KB

MD5
ff662f6b2c026ecddafa6b3a6e728d87

SHA1
0be41c38dcc4c5c7c2e5bb02c062077fe1e69c16

SHA256
84990a6a017bb859fa850ef5caa8fd6c285e76338c6bb9c17c2562136ee34cc3

SHA512
fe7703afc19c383d74841060fd991d8f1b8c8496a4feed04187f9f9967f20f041ba86d3e5241111632cd6abaaba09b503f3e237120527789b214b39ff9aff864

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAG.exe

Filesize
1.8MB

MD5
56f05b2f5f46656d1d5edd00823155b6

SHA1
e76143170ec5e1591da7fc631c4619eb619d35e2

SHA256
8ccfd1c054713dceb7a0a6c1e07e8c7f7e19bb92067ae6e7873a0dcf4404db25

SHA512
d25be365289235376f7bb0d4efe8225437d128ac5a0715e0771479c80ec63688cf2a301962c751567222a72f715db4551c08550a85cdd0d1996eb356a9062b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swUe.exe

Filesize
194KB

MD5
eef8a23e64b589ed43ca2b788903ae46

SHA1
1060f77b0da95715ee886152cdff61eda76a1d92

SHA256
8625e0f9fb31efd54675fbff9ac2d6539d48758ae00e07da4362420ee1f756f8

SHA512
cf93402f3e979c5fe6bf284a1e379a30489f4a901c9f417bab3d9610eca95e3922bb58bba35f7b0fc2e9f2f78bc25328536c07c866022a2628b9adc97ac23983

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsA.exe

Filesize
202KB

MD5
696f69dc55f590e16f0b948c3619a46b

SHA1
c7f058ceb4908733d7f73caae2287a2adde8187d

SHA256
b69288fbf7621ced19c5c0cf405753c12f9d8403d6703f09e10ce3fc0162ee4b

SHA512
b4114ba66a35da6106528c23760cef3e8a3a93bdf63f16222b353bd7bdd9e5aea8998d6a93c1ce86e22cf794ef7d380c9f27221449a82ef84507d7dc4c3e0651

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMsC.exe

Filesize
206KB

MD5
2a6c1d816d005cc579ba6fe5e0f5ef0a

SHA1
2f0ead48da051fa1abb79e1ed3f11450a9af8662

SHA256
edc580262980f5ffaf3e47e61f304a374be9686993a58ec89db0c3c7c096165c

SHA512
c915017dc2107ea9ae3d5a2048c1c001473f73c5d6fe5cc55e1dae9a03211b547f364f79f329b8fba457826434202e6e423097cd3e8b0f83f4d5c17d387c51a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsEo.exe

Filesize
569KB

MD5
29c637b448e46ba1f5fc9d51519fb1fd

SHA1
5914606424ad175d8dae9fc794a2b0c90e171ddf

SHA256
ddf8bb8a51a898d2fa1481b963afb8d26767e79873c700e2717659668e64055e

SHA512
cb0a9e6c123cdb7ca76d96efa179f378e569658d711ae6cdd48fa01b787a135b3d5445ad3257b182a60b2835e1878493aaadb85b9b30c4a5277ad59da739671a

Download Submit
C:\Users\Admin\AppData\Local\Temp\twYs.exe

Filesize
641KB

MD5
78c5c84a3ace5b520fdfcd72f6abe051

SHA1
2aa0e0f7fe9317cc5adb9daa758865001cbad535

SHA256
d9f419c05cec81628523e2a01de932b1fa4e0d3d6dd17df6e9d76ed7c95002d1

SHA512
76ffc141a6875d60d2d8a87b51d15663bc6aae62587012af1403c3a52f1817f1961c8f83486f21389e10e91e647c40e95b3f460120c32ac06df2910c92e1dfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEgi.exe

Filesize
320KB

MD5
c8633cfe5ac064004501d18eec9e7183

SHA1
46e640e779c3d08aaf8e6c81dec5e2ee35ab1cc2

SHA256
0ead969c5faad0bf7e0b2752b8eb9bfdeab6e2ac1435d15f75b1cf4660da9968

SHA512
7f27651e2e27dd021ca21ebef5e8a4bef7243d32fa3514f66a3747563a227fc2f6ecf08404f0ea872d633ec8587b833cef5ba241c836a59f977a0512b81b2b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgY.exe

Filesize
193KB

MD5
973b95c171f578dd1ac0ebca406cf367

SHA1
93370f7fd1e356a413c32e0f71d32a75372b75ab

SHA256
18d726bf8087b3e3dff9e16edb1e3922f3a0728c5050108eb61d934b4b42637b

SHA512
a18bfa868ea513ae096dd25aa786dadafe51da4918ba3f6618b10e410f6da54866641ccd7e94392c895cad53c2af2c22ffcc283383f68fb7bb7a55c5b2fb437f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoq.exe

Filesize
199KB

MD5
d36c1ee9239e01c2a8ce2bc4b43fe7db

SHA1
5e2b9fb3737107a602653e5b3ff57916e86ee793

SHA256
260da16d79c4bc118f0d2be4c936f1e15ddee3caa7201a58d67ac92bdef5a082

SHA512
79023c4d7a61c8894d558dc41236b4b97f0ecbbbe3bb9e857c735aba71fd601dd7e4a88e4e8ccd5edb64cd1b4b5aab0974f161ffc27418bada141b1d8ec9bf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoQg.exe

Filesize
212KB

MD5
98c4c3613f44231d2e9d6f5c91ddf866

SHA1
41eff86db06e21092709252ecb9b84c518887d07

SHA256
8dbb78f6d5406fba5674f217992bf02b4fbd1d28c012e063358ad6463e37c2af

SHA512
ed248cfb3986c555618b59e151e35483b8727c9d3a988a79fef8de0a105c2661c11a7badb469d7e2b62a9c92dc18f938c14785f238edf9222d6c81733f6356f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uogG.exe

Filesize
193KB

MD5
b961cfbcf406c501b18943aac4961a53

SHA1
fa45668b6e8b2165ae79a3b690bef793ddd877a3

SHA256
819f35756590ed94ef95df3593f49eeac9254f626f16bcbb6d7bea43355f0491

SHA512
288b636665971c55317680be43dd3e35a8134755b4e89636e9f24b5cb3616e74b3f74014bcc28d29897e79bcb4444b67de0115271f13eec1ca303f95929bb043

Download Submit
C:\Users\Admin\AppData\Local\Temp\usEAEgEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEIc.exe

Filesize
208KB

MD5
cb3c6c0d4079f77c5f810352f4ba87e8

SHA1
a98118e73f8a7101474d884457531d577ddb2df7

SHA256
3516cf4266f5d1dc9dd0656ed40dd0b24c8d4cc8e187366630d4dad0eefe2566

SHA512
0c0f0c0a9aac3f037a893b61e795402a1e796c6f3aefac8e1c0921aea210801c5255457feac1e538d1d99aa16795fc6f32fe0d262daff74a4e2d59e6e8facbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMIQ.exe

Filesize
398KB

MD5
776052ad0eba29b44fe4f1aec32d3866

SHA1
044b14a5b66afa83049b6e3d1998a2382fceb560

SHA256
83c128609a9ceb803c61b29f731b3cd93a4553ff27d2ec358276cfedb285b1fc

SHA512
7dff4983ea5c8abcab03aeb9e3d43586f3a0d78bb16e14946714ce784fb5a2df1277cc2b5a1de351032c6dd544fe54751bed677f82e691f12850bdc9958820b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYMU.exe

Filesize
193KB

MD5
9d7f2e06049a2bf9603ea0dddbbf9af7

SHA1
490b64c3f03846764d5ae317ef8a2e97f34d0f45

SHA256
697c2d140ce8394ad57c42caea73d734e56842f3d25786ee7f08d16a3113df2c

SHA512
3f419cbe219ceb46c70907f87b2a4dcb8706247f997b979816b567bdf396b1eb382b05b7d7536614d13bc994c26573504de63dbb0fa0a7412ebb98c1a3fe0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYoI.exe

Filesize
197KB

MD5
3c0688f504ef273bd44e7c4e047e5b53

SHA1
94bf211c11af359132a7bf5af1d2ff6a833c3337

SHA256
90743ba43ed73eb89041d66115cd09dbd29447a48cebc1d43141fff346fe3620

SHA512
60495de4b6ea68f02e6a0bed70054aa86790c44237f5d67f9dc59dff82e8ecdda466572926513bf2b6fc0353f1b8deb0d21a1f1baed4cfc56a31eba7a7753afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIIU.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMUM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOkowIow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsQYEEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEUI.exe

Filesize
199KB

MD5
76a01c58f1af3134295e0bad57c7cf0e

SHA1
22d41389ac997594cb87bcdf7bada60357a4bc08

SHA256
31dbb3c222974a7038b952dc9634fbde0b79f2e3834ff108e47f54d65e9ab781

SHA512
a4a80a020d47e4fb3fb523b7b2c8d285aeeaefb4f2e55793a99b98ae2610bb29635ddf14e05e914760dc56d85e2687c56bc970f0f595c4d37649defe7d93e722

Download Submit
C:\Users\Admin\AppData\Local\Temp\zowY.exe

Filesize
228KB

MD5
d1c55c3b794ea8b419690e39c5274d37

SHA1
5d97957a5204ff7f59835de96d747820f7459e66

SHA256
08e1d5d6d6353d8d310d73eb08969e9811f82b5b0d285acc34d9670bd8e7a2f5

SHA512
87edc15901ef1bc34c108d3a018beb5f7d0c54cbd0ece878c21a8dd9ee17203eaf6e184041efdea567264fe039d93682e1bd777eb51957185b71d037895d999e

Download Submit
C:\Users\Admin\NMosUkEA\GaEQcwMQ.exe

Filesize
179KB

MD5
c319107c03938bfa7e15a6191bf6e215

SHA1
2a6dcdc5005e258b0f3ef46a352ca7a4e973ff78

SHA256
fce3e79160837b8aac1b03f4a99dc1c3f7d2041309871db3d10ca9095d87cd02

SHA512
d7c799ba05b86f467eb06dc18069213d51eb4bb4787aa12e24d6f1a986d36c4355d4eae809acbd281cb297d36aa9c173aaf9e08be47aad412cb5ddca12cfad80

Download Submit
C:\Users\Admin\NMosUkEA\GaEQcwMQ.exe

Filesize
179KB

MD5
c319107c03938bfa7e15a6191bf6e215

SHA1
2a6dcdc5005e258b0f3ef46a352ca7a4e973ff78

SHA256
fce3e79160837b8aac1b03f4a99dc1c3f7d2041309871db3d10ca9095d87cd02

SHA512
d7c799ba05b86f467eb06dc18069213d51eb4bb4787aa12e24d6f1a986d36c4355d4eae809acbd281cb297d36aa9c173aaf9e08be47aad412cb5ddca12cfad80

Download Submit
C:\Users\Admin\NMosUkEA\GaEQcwMQ.inf

Filesize
4B

MD5
d6c584c6d7b1ceea40cad51d35d65d4a

SHA1
ba133ba06542a4f6d04610de01d4f6ab4b2e026e

SHA256
3466ea57f5fb17e02faafb65086dda11f23da6e50557c01d6f944d82fa7d65ef

SHA512
a610b730913fba0fd905ccc68c286eabe7a548327bd0bd744e3abaef8c3aff3d8ca2f65ba75f0c85868523ea44a877f69ab68ffd00b907fec463a7cd56e697bc

Download Submit
C:\Users\Admin\NMosUkEA\GaEQcwMQ.inf

Filesize
4B

MD5
a24aba60192322bfa2babf3b65fd5503

SHA1
cfc3410dce7e0d6f8f4f8595f42c40cb24819ba3

SHA256
b2ec2dcf0725168e74e8e80b6211aff0d8620df25009bac0874bba44cd4c91f4

SHA512
b4c231cbf3e952c91252ca642330b989535da14c50cf1a0039f14af33a6ff792212504dbe4aa4609045129804b5db2698e35d88ba9a09deee02e6eca72678248

Download Submit
C:\Users\Admin\NMosUkEA\GaEQcwMQ.inf

Filesize
4B

MD5
a24aba60192322bfa2babf3b65fd5503

SHA1
cfc3410dce7e0d6f8f4f8595f42c40cb24819ba3

SHA256
b2ec2dcf0725168e74e8e80b6211aff0d8620df25009bac0874bba44cd4c91f4

SHA512
b4c231cbf3e952c91252ca642330b989535da14c50cf1a0039f14af33a6ff792212504dbe4aa4609045129804b5db2698e35d88ba9a09deee02e6eca72678248

Download Submit
memory/220-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/812-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-564-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3324-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4900-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4900-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download