27b263ebe05c7041de444d6746fcc79dbae774644dde22b6cbfe43bc8ac30a55

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Size

930KB
MD5

fd1be1572ed245d5e2eb8afafe803451
SHA1

b1dd2828c4b0f834fc6665cb26bbe60dab3fe42a
SHA256

27b263ebe05c7041de444d6746fcc79dbae774644dde22b6cbfe43bc8ac30a55
SHA512

b8795b2c95b45eee1e532a486c433aee25675b4f1dcbee09faa658eaf534f6889115a76cac14f3f1d5b7ba646aac390880b69a11012a22bc351b19630da60b5a
SSDEEP

24576:QcSGmlVcNLJMSGw8p5tOF8KOc+YsVgrz:QRGm7cNLVGzgF8zl2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
4940	FUAQMMkQ.exe
4168	NwssMoIE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUAQMMkQ.exe = "C:\\Users\\Admin\\KoAgYYUE\\FUAQMMkQ.exe"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NwssMoIE.exe = "C:\\ProgramData\\asosoccg\\NwssMoIE.exe"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUAQMMkQ.exe = "C:\\Users\\Admin\\KoAgYYUE\\FUAQMMkQ.exe"	FUAQMMkQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NwssMoIE.exe = "C:\\ProgramData\\asosoccg\\NwssMoIE.exe"	NwssMoIE.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	FUAQMMkQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	FUAQMMkQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2212	reg.exe
1644	reg.exe
1516	reg.exe
3916	reg.exe
4192	reg.exe
3960	reg.exe
1144	reg.exe
208	reg.exe
3724	reg.exe
2904	Process not Found
1364	reg.exe
2312	reg.exe
3348	reg.exe
3452	reg.exe
2716	reg.exe
3028	reg.exe
3260	reg.exe
2192	reg.exe
828	reg.exe
3576	reg.exe
488	reg.exe
2456	reg.exe
1876	reg.exe
1652	reg.exe
116	reg.exe
3460	reg.exe
4288	reg.exe
3944	reg.exe
3128	reg.exe
1368	reg.exe
4836	reg.exe
4624	reg.exe
4364	reg.exe
2456	reg.exe
1300	Process not Found
1644	reg.exe
3664	reg.exe
2060	reg.exe
4556	reg.exe
1296	reg.exe
2620	reg.exe
4740	reg.exe
1036	reg.exe
4376	reg.exe
4724	reg.exe
4328	reg.exe
3656	reg.exe
4304	reg.exe
4384	reg.exe
4788	reg.exe
4288	reg.exe
2984	reg.exe
4216	reg.exe
3848	reg.exe
4364	reg.exe
3140	reg.exe
1536	reg.exe
1308	reg.exe
4428	reg.exe
3820	reg.exe
3244	reg.exe
2704	reg.exe
4184	reg.exe
4736	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3740	reg.exe
3740	reg.exe
3740	reg.exe
3740	reg.exe
1488	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1488	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1488	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1488	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4704	Conhost.exe
4704	Conhost.exe
4704	Conhost.exe
4704	Conhost.exe
1640	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1640	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1640	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1640	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
2508	Conhost.exe
2508	Conhost.exe
2508	Conhost.exe
2508	Conhost.exe
3016	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3016	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3016	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3016	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1452	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1452	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1452	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
1452	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
868	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
868	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
868	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
868	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
2908	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
2908	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
2908	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
2908	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
5096	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
5096	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
5096	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
5096	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3820	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3820	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3820	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3820	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3896	Conhost.exe
3896	Conhost.exe
3896	Conhost.exe
3896	Conhost.exe
3152	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3152	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3152	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
3152	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
4936	reg.exe
4936	reg.exe
4936	reg.exe
4936	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4940	FUAQMMkQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe
4940	FUAQMMkQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4940	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	81
PID 4408 wrote to memory of 4940	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	81
PID 4408 wrote to memory of 4940	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	81
PID 4408 wrote to memory of 4168	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	82
PID 4408 wrote to memory of 4168	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	82
PID 4408 wrote to memory of 4168	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	82
PID 4408 wrote to memory of 4336	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	83
PID 4408 wrote to memory of 4336	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	83
PID 4408 wrote to memory of 4336	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	83
PID 4408 wrote to memory of 1308	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	85
PID 4408 wrote to memory of 1308	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	85
PID 4408 wrote to memory of 1308	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	85
PID 4408 wrote to memory of 3452	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	91
PID 4408 wrote to memory of 3452	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	91
PID 4408 wrote to memory of 3452	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	91
PID 4408 wrote to memory of 3696	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	88
PID 4408 wrote to memory of 3696	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	88
PID 4408 wrote to memory of 3696	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	88
PID 4408 wrote to memory of 1508	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	87
PID 4408 wrote to memory of 1508	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	87
PID 4408 wrote to memory of 1508	4408	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	87
PID 4336 wrote to memory of 4728	4336	cmd.exe	93
PID 4336 wrote to memory of 4728	4336	cmd.exe	93
PID 4336 wrote to memory of 4728	4336	cmd.exe	93
PID 1508 wrote to memory of 1928	1508	cmd.exe	94
PID 1508 wrote to memory of 1928	1508	cmd.exe	94
PID 1508 wrote to memory of 1928	1508	cmd.exe	94
PID 4728 wrote to memory of 4844	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	95
PID 4728 wrote to memory of 4844	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	95
PID 4728 wrote to memory of 4844	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	95
PID 4728 wrote to memory of 2108	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	97
PID 4728 wrote to memory of 2108	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	97
PID 4728 wrote to memory of 2108	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	97
PID 4728 wrote to memory of 1296	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	101
PID 4728 wrote to memory of 1296	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	101
PID 4728 wrote to memory of 1296	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	101
PID 4728 wrote to memory of 4880	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	99
PID 4728 wrote to memory of 4880	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	99
PID 4728 wrote to memory of 4880	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	99
PID 4728 wrote to memory of 4720	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	98
PID 4728 wrote to memory of 4720	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	98
PID 4728 wrote to memory of 4720	4728	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe	98
PID 4844 wrote to memory of 3740	4844	cmd.exe	174
PID 4844 wrote to memory of 3740	4844	cmd.exe	174
PID 4844 wrote to memory of 3740	4844	cmd.exe	174
PID 4720 wrote to memory of 116	4720	cmd.exe	106
PID 4720 wrote to memory of 116	4720	cmd.exe	106
PID 4720 wrote to memory of 116	4720	cmd.exe	106
PID 3740 wrote to memory of 1988	3740	reg.exe	107
PID 3740 wrote to memory of 1988	3740	reg.exe	107
PID 3740 wrote to memory of 1988	3740	reg.exe	107
PID 3740 wrote to memory of 4080	3740	reg.exe	110
PID 3740 wrote to memory of 4080	3740	reg.exe	110
PID 3740 wrote to memory of 4080	3740	reg.exe	110
PID 3740 wrote to memory of 2364	3740	reg.exe	117
PID 3740 wrote to memory of 2364	3740	reg.exe	117
PID 3740 wrote to memory of 2364	3740	reg.exe	117
PID 3740 wrote to memory of 4724	3740	reg.exe	116
PID 3740 wrote to memory of 4724	3740	reg.exe	116
PID 3740 wrote to memory of 4724	3740	reg.exe	116
PID 3740 wrote to memory of 4272	3740	reg.exe	111
PID 3740 wrote to memory of 4272	3740	reg.exe	111
PID 3740 wrote to memory of 4272	3740	reg.exe	111
PID 4272 wrote to memory of 1440	4272	cmd.exe	118

System policy modification 1 TTPs 56 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe

C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\KoAgYYUE\FUAQMMkQ.exe
  "C:\Users\Admin\KoAgYYUE\FUAQMMkQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4940
- C:\ProgramData\asosoccg\NwssMoIE.exe
  "C:\ProgramData\asosoccg\NwssMoIE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        5⤵
        
        PID:3740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        6⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        8⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        10⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        12⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        13⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        14⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        16⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        18⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        20⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        22⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        23⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        24⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        26⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        27⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        28⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        30⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        31⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        32⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        33⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        34⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        35⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        36⤵
        
        PID:488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        37⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        38⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        39⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        40⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        41⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        42⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        43⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        44⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        45⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        46⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        47⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        48⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        49⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        50⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        51⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        52⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        53⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        54⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        56⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        57⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        58⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        59⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        60⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        61⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        62⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        63⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        64⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        65⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        66⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        67⤵
        System policy modification
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        68⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        69⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        70⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        71⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        72⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        73⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        74⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        75⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        76⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        77⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        78⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        79⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        80⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        81⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        82⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        83⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        84⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        85⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        86⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        87⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        88⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        89⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        90⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        91⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        92⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        93⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        94⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        95⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        96⤵
        System policy modification
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        97⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        98⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        UAC bypass
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        99⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        100⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        101⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        102⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        103⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        104⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        105⤵
        System policy modification
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        106⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        107⤵
        UAC bypass
        System policy modification
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        108⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        109⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        110⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        111⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        112⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        113⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        114⤵
        System policy modification
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        115⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        116⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        117⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        118⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        119⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        120⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        121⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        122⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        123⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        124⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        125⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        126⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        127⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        128⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        129⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        130⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        131⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        132⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        133⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        134⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        135⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        136⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        137⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        139⤵
        UAC bypass
        System policy modification
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        140⤵
        
        PID:488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        141⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        142⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        143⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        144⤵
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        145⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        146⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        147⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        148⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        149⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        150⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        151⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        152⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        153⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        154⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        155⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        156⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        157⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        158⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        159⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        160⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        161⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        162⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        163⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        164⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        165⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        166⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        167⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        168⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        169⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        170⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        171⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        172⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        173⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        174⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        175⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        176⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        177⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        178⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        179⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        180⤵
        UAC bypass
        System policy modification
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        181⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        182⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        183⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        184⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        185⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        186⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        187⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        188⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        189⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        190⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        191⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        192⤵
        
        PID:1264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        193⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        194⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        195⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        196⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        197⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        198⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        199⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        200⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        201⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        202⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        203⤵
        System policy modification
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        204⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        205⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        206⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        207⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        208⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        209⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        210⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        211⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        212⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        213⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        214⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        215⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWMEosQg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        216⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        216⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        217⤵
        UAC bypass
        System policy modification
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        218⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        219⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        220⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        221⤵
        System policy modification
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        222⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        223⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        225⤵
        UAC bypass
        System policy modification
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        226⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        227⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        228⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        229⤵
        UAC bypass
        System policy modification
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        230⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        231⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        232⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        233⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        234⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        235⤵
        System policy modification
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        236⤵
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        237⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        238⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        239⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        240⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        241⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        242⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        243⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        244⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        245⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        246⤵
        System policy modification
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        247⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        248⤵
        UAC bypass
        System policy modification
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        249⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC"
        250⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC
        251⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEgQoIgo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        250⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmcYMkYc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        248⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugsgAEEg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        246⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYcocwwM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        244⤵
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgEkAYoI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        242⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEcMEcQY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        240⤵
        UAC bypass
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        UAC bypass
        System policy modification
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWkwgscA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        238⤵
        
        PID:2508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACEsgcMU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        236⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUMUcsUU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        234⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIkcYYEY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        232⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        Modifies visibility of file extensions in Explorer
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOkAMQok.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        230⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKcoYAkU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        228⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAUkwQs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        226⤵
        UAC bypass
        System policy modification
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMgsgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        224⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWwsoMoo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        222⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEwUUssw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        220⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUgkYYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        218⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsMIsowU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        214⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMEsIIAg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        212⤵
        System policy modification
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqkUgMgI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        210⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWUgkkoI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        208⤵
        UAC bypass
        System policy modification
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEUYocwY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        206⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eagwYskI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        204⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIgAggg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        202⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIYccYwA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cacIEoYc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        198⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeAUcksA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        196⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugkAYMQo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        194⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwkoMYUg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        192⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OikMAQYg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgcYocwU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        188⤵
        UAC bypass
        System policy modification
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsMYkwYA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        186⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        UAC bypass
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmsYEcEs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        184⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System policy modification
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOAIsckQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        182⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCQgkwoI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        180⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uscEYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        178⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWEQYUMk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        176⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roIYkwow.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        174⤵
        
        PID:2628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmMkIQEA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        172⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgAMAgws.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        170⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CywcsAYE.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        168⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOMwAEMs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        166⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkAMwUsA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        164⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqUgAUgg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        162⤵
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGkQMwQA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        160⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laEskMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        158⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEIQMwgs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        156⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System policy modification
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fggoYAIw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        154⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        UAC bypass
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGoIQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        152⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyAYoYAk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        150⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKYgUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        148⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIEEAwgY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        146⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        UAC bypass
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuIwAYYI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        144⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kucQwcwk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        142⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NycEAIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        140⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAQoIAEY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        138⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeYQMoUA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        136⤵
        UAC bypass
        System policy modification
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuQIQUgo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        134⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qasYQAsw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        132⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QckEgckY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        130⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyAwQQEc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        128⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEYYkkMc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        126⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCYkoEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        124⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akEcIocM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        122⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqMUEsgw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        120⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWkwQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        118⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xucsQMMw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        116⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaQAIwQo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        114⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgkcAokk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        112⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUcocwMM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        110⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYEoEkEs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        108⤵
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faEUYwQI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        106⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIkosYMg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        104⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wecoskgs.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        102⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqcAsQUY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        100⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyAsgIwc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        98⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkksEMcg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        96⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMwMsAII.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        94⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYYkgAEU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        92⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgwYMYAk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        90⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System policy modification
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuAQsIcI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        88⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsksIwkY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        86⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCUsQokM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        84⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYYccUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        82⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neIwocck.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        80⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcQoMAcc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        78⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwYUskMc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        76⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSYosssM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        74⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGQMkIgA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        72⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkYgckco.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        70⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkAEUsUc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        68⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKQMcUUg.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        66⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woUEIYQE.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        64⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMMcwwow.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        62⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OewQQgMk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        60⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsgQcYQw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        58⤵
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgYEIIoU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        56⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCUYMooA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        54⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAsEkoYM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        52⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEckoowk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        50⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSEMkcYU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        48⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGggUEIk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        46⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEgccsMM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        44⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoYgoEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        42⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAAkYUQo.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        40⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jygEYswQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        38⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKwMMosc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        36⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAYwIUwA.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        34⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiQwwwUk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        32⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KokgUkwk.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        30⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgcYokM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        28⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siQswYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        26⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKssIsAI.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        24⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGUEwAoE.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        22⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIYAggsc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        20⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        UAC bypass
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMgUcAU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        18⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyEgsoQU.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        16⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMIoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKEUUsow.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        12⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAkIgYY.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hykwUAMw.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3796
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKYIcIww.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuEQIsAM.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYgYscUc.bat" "C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

Filesize
518KB

MD5
9070948069093738b73cfdfc0f78ce63

SHA1
a708554a2291c4d9ddaf9b5bdc6227528b02aceb

SHA256
7635eed1c50378f85aae7bd789cc92c249f353d7448ffbc0291adc988e163e44

SHA512
6bfed7dc2d1274e77c6162ed3e8cb1dd5207c95745c9df8f18844d2bbd5cb812da4c2ffd14bb3d64d9c499608af9c335523b200d9c0dc4fba5252330b73135cc

Download Submit
C:\ProgramData\asosoccg\NwssMoIE.exe

Filesize
183KB

MD5
302a7dce3898e37652cb69ca508f471f

SHA1
a4e564e7727f42c0ab2e383f4f2dc37c83d9ab84

SHA256
159668ebc4204b91ecc02b85e8d3f3114ed697172f9728b993299807cee093aa

SHA512
b0875a43372f326f52cc4982412c81610871e5e9a36b6e765c5f7313cf10227f6673d114cad207e33b6715c114892654d81352e0efd20ff81fbceef94d26aa25

Download Submit
C:\ProgramData\asosoccg\NwssMoIE.exe

Filesize
183KB

MD5
302a7dce3898e37652cb69ca508f471f

SHA1
a4e564e7727f42c0ab2e383f4f2dc37c83d9ab84

SHA256
159668ebc4204b91ecc02b85e8d3f3114ed697172f9728b993299807cee093aa

SHA512
b0875a43372f326f52cc4982412c81610871e5e9a36b6e765c5f7313cf10227f6673d114cad207e33b6715c114892654d81352e0efd20ff81fbceef94d26aa25

Download Submit
C:\ProgramData\asosoccg\NwssMoIE.inf

Filesize
4B

MD5
54d2eb4d8b704f57351acac6fdda6f45

SHA1
b3e6f0dea3fdd688f2535199409ba5283e4992e8

SHA256
cf8a27c5b0e9f63db80805f12e9d9e29a56b044393873d4fd4d908294bf0b1d8

SHA512
373f223229b209dfdf944348cb8eaa51c4f35c023839a8fd2ead1984f306398bf276b1edc1e8dc958b0dc05876d6543dfbb29f842923f249411319c597db71a5

Download Submit
C:\ProgramData\asosoccg\NwssMoIE.inf

Filesize
4B

MD5
953060181778ceb9789ff0cb619cda64

SHA1
b1a446baa58ee8b2e21407a9ca59fc80c7885f25

SHA256
c845b7b398f4fd62834096eb6c4eddfb030d8e3be67dab758466a868f7022622

SHA512
49f91a0e8d61a4e73d1f54fd4cda30a15c94f8d6db0c948f4b6c6b7cc10c126bd4c0c0d98caaeb54aea887da56b072b70fe14820fd9f910fe35d2306a16863e9

Download Submit
C:\ProgramData\asosoccg\NwssMoIE.inf

Filesize
4B

MD5
4dde8b1922a2e26ef0c940919059bce7

SHA1
75ce6817ecce9354b320f385acde5e1cbdc4c69b

SHA256
17b9f32062b2bb1e076142665d28efabf6139c1bfeebc5e6d97b079188a35679

SHA512
98fa7fff764d7e883f6464153fcfbe60f549664e7bd787eb3e99aa270ee9313411fc1d9584303ddb6055bcf9591660b0cadf4fabe317cff018c16946442cbb5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
188KB

MD5
d622727274f3b075ece54ca39f28272a

SHA1
57aed2f63f37d34f598483b7dea100d3acd3ea80

SHA256
9555a0c9c10cf0e8ed51f5e57e0547f5ed38902cbc1899513719293576d6719c

SHA512
9940517a536b9cf37af962f6e22024e6078fdb11a036dfd4e34f436dbb48bdd92b77ac9c3473cc5a9c68ba2c2816dbfe5ea9955d8dfd0878a4344de9e72485ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
199KB

MD5
b24b970ca3e20935492c022eed5e538c

SHA1
b9c7719789b9b28a475a56a62fdba470fc153925

SHA256
ce169b7595f70c9ab2d01d01de971fb09bf50f26d59b526c1a7983f599b573d2

SHA512
57883cdb7521a2e2c320e84956bb0da61fce4b7fc13dc9358c76f3022ffb947d6b29dc75756f115faa294d44e9c2bdc41fba0bafaee285b48ed5f96e0d62f7ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
195KB

MD5
7bc2c6d4b393ac5bda13dbcfa555d600

SHA1
0d0484aad18ec67b573ba26997d1af6eb5db5f09

SHA256
107548834b354f172237d937f736ac748e8c6ac492c3827a61d2e8feca8db95d

SHA512
7548ea2557a68cdc7070ceda54ad396a681c98db3787d6b3cd3c70b21beefd88000c0c87e548c310e32a8e03d14957538641f54359f4c47a959e4ff2dfd4a129

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
202KB

MD5
d20d7d7cd744ec8cf8d911bbed263b33

SHA1
b52614e9d2623e6616eac443068d49231c38737d

SHA256
c9cab14d19b1a91e3b18f24bf05375de76d71af40d9ec0c82cda7481cdbd28dc

SHA512
96b4548bb3bc19202482357f46f8d1e4b82d61826b0251e70898149212976f3f83b2eb9d1ffec9913aa9f75b06397c6b98d614fdd387d57871bc0123173392e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQEQ.exe

Filesize
255KB

MD5
d4753a57d4dd95eff28ce9d8c2b24c76

SHA1
62afaf53e445f02dbb9afebd284fd4c582e9f707

SHA256
01a987480a71bdeb40b96c3830738d9d525b3574386eac0f162383b2ad815e56

SHA512
dcf47f39903f3ff79c6881576b6e21c0644c07904a6289968ab23628c82ddc39d44f91cc3d7c094a4285daa91df6bfc67666bb4775c0da122dddd3a6db64acd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkYY.exe

Filesize
198KB

MD5
e8a26ed1edef916cf13aca10dbbd6592

SHA1
e9cea598242f55d4e27b77f4dd43ce98b67a1811

SHA256
8bd80b1c966d2e5b3f9c3ac21a9b301bf2c25777f31d7640981f7f41c4f1ba8e

SHA512
4d7d40cb2d7332313ea8624ef9ea4df917acc950911d32e2064c21f02cb8864caa60bc2c19f83c55710717423de795309cd5c0a7fef7deb0699a70e3a6825681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bowk.exe

Filesize
203KB

MD5
e3cfff6df6931bd278436ba9438e6d70

SHA1
11824d120c9b29f99bf7fab1063dff1ab09962b9

SHA256
926c76b47e31917ea7c34d9cef71807208624b50291a963ffe9ba29ebe43ba82

SHA512
2d117c51b7ea82ed87bed928ce4a282fcf2c78842d965d7970c4fa95d9b747dd2f8aab8a206fdfaecf70216af1654c268bf224fc4e2ab64321018192425143a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwwY.exe

Filesize
218KB

MD5
d6b32abfd63a19701fd795db9cca6b02

SHA1
882c8f9d62d9715d6b4f0cbf14dd646ecb1a6bb6

SHA256
80396802926c924daa7d2aad4f55a9c16a1ac263089baf6c03d2879a14cc55ae

SHA512
948ccd7f6f236081bddc41baa5c2c11a76db8a9ddf0d0346ee893cc70bdbfac04b641d59f255ce3585617341cd84aba9aa2682c52234b4690059b3b66c7559c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIYA.exe

Filesize
613KB

MD5
5bf4a0b69ace950ae18367fce6768a6b

SHA1
226e8bab8d24003fc9640e83b655296422b38cff

SHA256
bc43b4cc2833b3dc85254e7ae377167acaa7feb34db5924ece28a406eb5ef820

SHA512
5e6df01dba013a3e70c5f33d2d104289f08244d560c9065882697b6341ee3a305a5e92d3edd475da62914178047d3636d46f70d59d5be0ce8ec14c8f210d9e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKYIcIww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKYIcIww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwoe.exe

Filesize
5.2MB

MD5
8ec32a36eab00f51a229f2bb21c4aff8

SHA1
d8aed72093943293b91e18383ae349681c6950df

SHA256
71c3cf96de54363dbb33466b89dcca61d5b859901066c0c65a685a71f5c51dc5

SHA512
61b475c8e74bda9e7cf8ffe01e28368ce1c6d70acddc6fb9f64e967c96ad3797f41da3112ff5555a155c4be1332953985f008a2fa95d2c480de5543cb61736ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwsU.exe

Filesize
216KB

MD5
81f2aed1a63d3fdfb0b55181827c3cd1

SHA1
33b457686641fcab0da0470e5153c1e3dc0a6f98

SHA256
4f511562d13674275d1ed5fa9544971a9b24e6da07583b1ea1005cede79eaf2f

SHA512
9648f2b2b072394b56f89728aab9ad93851b750b530e48bfe28f5b9f05fb1aaea5d5ab15e96f9786db66ae33713f8e0f7920b5114a7896728dc8b34d1bcdc760

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgEU.exe

Filesize
195KB

MD5
9a5714889f167ad31893b446fc0b2594

SHA1
91d785890aada7de1a2ccacae0ef739cf8acd49e

SHA256
5c39c246349f62c4d0ee07f9f1778704d8db8b4bcd6cb49a6fff93ea7393aef8

SHA512
423f412a0cb95cb11c7836c802b4452c3f7631a34159641483d29f5f843c41cdd25994e8a64dc2b3489b624afda370d1e628926fb00ac4a0ad3f7957345380af

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkAk.exe

Filesize
191KB

MD5
237d14d3d90c71cc89b337b7c9e70210

SHA1
acffef36d2c6158c6f6447d8f867f556b588642a

SHA256
0bb6c2dd3c02fb2151964fabbd6bfe404c0ad04146ec8c9d88803c98109d8375

SHA512
cd06f80eeeac696cf2098d4c47a51dfd2fa8d5ffc466a775737b514deea819fc15bf276cd13c70140ffca6c7ac4dda1c73d48b8b8e175624da2aef4ff445c309

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIQA.exe

Filesize
206KB

MD5
68a9077457abe02c40d7c7ec22127615

SHA1
ae31a9eb1fbb8e0f3800f09d608ebf8293a71530

SHA256
7593f0b56253665ad79a0d27c7f2a8db220667960b27deff941369403df98c89

SHA512
0ce6bd72cedfea131554b4772a66c0a137b63eea740419ad45484793b957eebf8497431500c09ea17c3d47a987558cd5a1970511f5e64722ff836025b83fe802

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsAM.exe

Filesize
711KB

MD5
c8b2aab836e02696be83fadbce016b04

SHA1
47707cbd3fce4b18c627bdd3cabe2d67a5b016c3

SHA256
312ea5ca9e553da1a6f764b0f7a07f73aa0336267e703a1e11f0410df8293650

SHA512
fcb33b8b07261eab4c40b3f6c0f603e27f94e5ae80c3e1523d952fbd2926eb90fdb29870492dfd4866ece1b1c0356e3e32e2c41728cf8f91f47dbba2d58b4d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUu.exe

Filesize
193KB

MD5
1899d967958da467bc55495fc4a808e2

SHA1
9c5edd95ee82efbe5de18840c2603b6e9a3d053c

SHA256
034ba81c95e0a17fd277b9721d28f22aa5f9e82c6612729698cafbc89a696707

SHA512
5edbbe13bdc082e6d0e50b173c12ed4d9584efadde6b39e5580bb44f78f4ba47056d7d0bd3550ecdaadc7ed1d494d6e9ebe87ef5b09a1b8d7267efb8b60b6391

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIUu.exe

Filesize
187KB

MD5
08577ff5158bd40388dcca844283b9df

SHA1
4f4ecfb65caa731eab6b1aa60d5599016cd68eb4

SHA256
35c6864c781d9b3c78b2b62637261c43ad140418585dfa7c4709b7f7bc244072

SHA512
793436c992e13cd5e8ab96be4f9ad99c26eb790a36e6df2f805b874d28ca79d5583e454c04fe373d05326b99b412ee6d75370d5a7642b9442babd493288b2c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMMS.exe

Filesize
185KB

MD5
ae80b3566f3f6ad672fe69a12b3f7bb3

SHA1
718ba3cd53ba30cf51cb0d3d3271e4fda9c05634

SHA256
3cf43dee6f8015b9a4c8e47c6edb299cd0022b2dc197a254095dbd9320448340

SHA512
e3a4507d9f567dfd3d492129744989d38af1028d87a4f74001fbff2e3f35673601108748aa2fd2ecb19f10f4eef1b6c19cee2133c361c594e1a7d3ecb26e90e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwUg.exe

Filesize
219KB

MD5
d2a2054e8daabc6b78675c36c05714be

SHA1
f23d227c80b723cdf8a59e95353cd3bea989dc53

SHA256
cd21c6fa9f117ce3659020e54322ef1047bb7a9cf46d74f910f493a4d00d0b18

SHA512
f2d76eaaf637442113774050f3ac95d95fad6b8609bb4f55960c2713b11c6d92fa8bdff17c5c8a5238a487c0a21ea6b07684e0cde6c772f693192bf22a851742

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAkIgYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQcq.exe

Filesize
214KB

MD5
bf6afd9725afe217be6ebc8ec35ceb6e

SHA1
0c3de7e87f163785cd04c79a051cfe87700cd67c

SHA256
3a29da2dcb2c27a42095ee44f8cb6ac2b058d7de0092c8fdeedcf7df89767fa2

SHA512
1190c775289d9cef9be1db2ad2d0282d13a7a98ba93da56c9696407f0dfc13acd1f02d49ab796957d7935370e210d4106d802f4c0d405548ccdc04399a9dbd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUoe.exe

Filesize
186KB

MD5
baac7b8e57fe6edccfed8406c2dae125

SHA1
807ad0cb5b12e5f7b08dcd36a3e1c4376a60c7ca

SHA256
e0719bdbbfb1cddbd6a6f176d512976514d4a26468e4b80595549129b2af1f8a

SHA512
aab0b6b677c4e74400c4e6c557b4d43c844a6b55a2e15aaa2bc173ce91be6c52bd2ea9d0cf4d1fd1c6b18f1a5670e8802e04dbc8f85c8c964199d6c129e4e06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQU.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KokgUkwk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQi.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEAQ.exe

Filesize
211KB

MD5
6fb44bd29c43045ae6f8b3c7418b2823

SHA1
c7b62ab7946efa8a4b42200b15f3aa517904320e

SHA256
b0a1ff5d76810960eb1b650eed1489db649cbde5bfed46f7aaf5bbe35ca2044b

SHA512
b89bdafd876a9373054ca2d8e8a2ecb8afcfd3329dd2bb45c65784378f53d3dd3979dc00ba223c58964aecfd5f6fbdc570ac529bfb32606017af3fc9f8a74b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQi.exe

Filesize
224KB

MD5
8032bf9b8691104c55e7650168c5c45b

SHA1
790c1f47ab2530debc96741c2dee0e7ef30583d4

SHA256
c4cab5ce5ca6139573303e0735b92cdcb15f4e271384182139b9c2e0dfe141ce

SHA512
0956c38d94177e4b7f6af1cdea16054c3ebc28d090441482c28868d31e347f32006d5f3a396fbc18328d70e92ad3ea78a9c76823f5744da73e9c08d30c63bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgcYokM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgYscUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYws.exe

Filesize
720KB

MD5
29ad0d7a5dea1825d27d69881dd7c9a6

SHA1
501ef8fa5cd2022752ad271b925177fbef783a4f

SHA256
f5cdee0296298b1427f6dbf9a3aa49b75b50a4b13f282c4475e873f48d54f0fb

SHA512
9b853aaae704128d08c5702ba13b7c38d20eeb7a66250fbc9536d7af29aae9757e4255abbba6613384430f8fc11581ecc3a564a86cf414e34398fdaa5f34696e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEU.exe

Filesize
193KB

MD5
77d44db22fa05ed08d2ca0986320c895

SHA1
6c60c92d64f8f0a2381d424c570427c1b9a240fa

SHA256
9adfbdf03427d5deb72ffc2765f4ad4a00f8b0ba33008816e8184115a287a9c4

SHA512
70609099532628b51acb27eb0fe2130403b868265d13362f1e2c97e5bf3c02c874263e13f111dab502f96afaca1e042aba799193720c9ac278b0072551d82775

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEc.exe

Filesize
186KB

MD5
74833e2266185247131acabb471ebaea

SHA1
936eb57295d2ee1f5359e787cd2db5186f010ccb

SHA256
504f8f7f871567734291fe006d356eb178031188aea51bff7259a984772cecba

SHA512
c6ca3c943d099a7a09af36c57d5aee178fd5cb204946d91ddbbeda952b5bf09137b95547b81133b50a19c7c54af82348e13caeaee498f747daf8437d32e23333

Download Submit
C:\Users\Admin\AppData\Local\Temp\MswG.exe

Filesize
189KB

MD5
2b6d90f15284c9760bff3846e5f46479

SHA1
3c9f938ada7356d3f7f478dc1ed1cbd2ccb5aef6

SHA256
79e332051e797e67e9a34bdfd578b6b3be6691719e4a31f5acfd2c26da9983d9

SHA512
1c12e7ba5a5642dfeaedcab58fe871645513bb462343012ade2a9e8c01d2921a50f9286b75ba96964d0801eb7443e27ddb9a00f54ae65999d240634e2395745b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIYAggsc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIca.exe

Filesize
201KB

MD5
6f716d3da563855a8e22ef2f8fea57bb

SHA1
d57773c5b3566652748d4ddbf267cd5fce3a710c

SHA256
3cc839e345ac88ba0deeda54ac3ed17773fc52f356322c2b08a89f22f84affe6

SHA512
4fe952f19fbf4666b3148715ac2ec16e2969a5c1df3755a7477c7337c9b44e41b717927e9f674a5ee2c3ac95b5693e0cf356a99bd14b48fb8b7fa610f3ab2c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwIw.exe

Filesize
313KB

MD5
4eec184801c2680b118cb90ac2d232a0

SHA1
34cee6186d8e5e9526f8da2b65958e6339be7b57

SHA256
b0461e125677dd292f301a1d60255cbf37335d1832f363309a54fdc6370d7a7b

SHA512
365a1058ac6f6423cecad54079abcf10d4faa89d870e7f2f9e5d2e63a8c02e960495aa79f7e20dc3933cb72a0e613b581f84210fb34ede5ddf40aebbeec96e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocgi.exe

Filesize
206KB

MD5
8259b6bcd3723dfb2c96f2a2ed9c83f3

SHA1
8361f80a4cff4ba603b84e14e691e2c5d828ba0e

SHA256
d530d42105e93549972c919daa117a86c5effdd6884fb88cea3317a682092248

SHA512
3dd549fa6492abc603be859652b6d5130acd4d46b7bde07ea1568c7069423a59458a83010cda937def14e0e7950ed02ddeca7566aa32d46ea8af89d6fd99c07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQC.exe

Filesize
196KB

MD5
b7c77dc8f67ba14dc30dc252fa9818fb

SHA1
830b0ee19a222838f2a52464ae8ad233a41b3915

SHA256
d793d2ef1885359befbb147db35254d0e387a26c2d83ab2ac17f2ad8b2a7f28d

SHA512
e12c1ce0258ff7edf064e75ae12041271b68e4e62629787734c6c65d841e710e5ac9c8889f08fdd0b115d0ab3442d04c45ab41eec796c54e99a7feffbea96768

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAUU.exe

Filesize
648KB

MD5
10f9f57be458855004bd6ea48112c212

SHA1
5b1b7c371619b1b2d2b9334a718fd136666ea57b

SHA256
50e1f129e876599b7549eeb12ff8f8d1cd1848aa6ca6d97228a0cf7d0b0b108b

SHA512
f76c3f387cfb82a1701af893688130850ffaafdb8f04e12b44b143a3b6318582794e460ffd2f07ec7ed85254726050d0ae2956dc7d2d91b8d31b47469c65b8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcYc.exe

Filesize
204KB

MD5
4b4e1fc53f6aa9e62fb8d3e37f633ed8

SHA1
2ebd91059d362cf9c506c202a4f390568203c602

SHA256
643c60972142e8ccefc5d5918b15900093abd05407f77c43327164eaba97b98c

SHA512
f43b7031fa29e2f6d976ae8828d74c180252a003b3b490c274236e1493d6dbe92fc57111c2e554c2f2a89dca25825390e5c483032938768815ed465ca5de7631

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEEo.exe

Filesize
438KB

MD5
3b4f2126e52fdd3371380b3cd4143609

SHA1
96ff90549d3c232940f01d26a54c614e744cb0b0

SHA256
5e0539ae0c2e2f869b71314882c8c09dc424ed9de628453183c4bdfc3c9e4e4f

SHA512
cc4f67d837c82c1e45ddad2b70404a36d9561dfb88bf190f4108b35af9ffafdaa5a8636df4b1004bd800dd628e6e95b78bf1be67e45c1c6a25d248d3350e848d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQQ.exe

Filesize
436KB

MD5
42314054ded7a8eac7718120cf0776d7

SHA1
ad4ff5146c546ffa99e2751a9e120638eccf0370

SHA256
66392ad49848926ba867a43b34e37e8b2bce1c9198329329a1afcf7378fdf4f7

SHA512
baf6cb4627d1b5a4696fa1d938471e945b6a6d493759c7d4aefb14b69f00ed9dbe9b3b38d23a5325b7bed21b7a1b8642fcc385774e2e535b295d9af277453acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScYE.exe

Filesize
200KB

MD5
330537c7776880a2f5e3e2dbaaf17ec2

SHA1
e754b0f713fd6528ad4ad90631d0074f100d1989

SHA256
0f6ebb7dc4dd68c5b8361c4e1d935885b4f0f2af914bbbd0a6ef07c9f8255b3f

SHA512
0b5d0464be1a8e058566c18b85504d1ef65e57deb226106eba8e6e01e4744332d271be333b11f3b662decc88d0d1ed4749dc01e8a99c677b93d2282e63674553

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgMC.exe

Filesize
207KB

MD5
aabd73181a9e000b82da7b742fcc8daa

SHA1
922fde8f5a12c6d6756aca50bbd7ece5fa970fe8

SHA256
696b0e68e644cac2656219875c76633815b4e609fff391344265f58a21085ac0

SHA512
f095ebf716a34df53d18547afd1023ad9ab309ebc689367f8a2112b630c2a4612a6e84224c7cd9b34746d9b8b7ac8b1f6bb8f34c04d40fadf1129eca3d778e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuEQIsAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIa.exe

Filesize
203KB

MD5
8ef55042bca1ca29a512ac0bebf329d0

SHA1
0cd08516f212c9dc9f8940a860fec98c9320b5b1

SHA256
1bce789a48e0bc9aec606eb329ed0b026b8f2ac32ba39c8600c03a60ec8e96bf

SHA512
a2a6aaacf67507667cc2680deb653ae068233eea3b1f5ce4db39f294adf39b377efb3976b8b3dbc0ff0b9a8a8c3c1163d6e332ce89b949e36e5544f1b7c85ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYcM.exe

Filesize
183KB

MD5
405858d1df8247a214552a60cc543623

SHA1
ea825d2266eea35af4ed8bec9c3d10b51f76b65e

SHA256
7ec5f1a31fef3aa4fe9856cb8be31c7c9209030d012f7c565e70a1bce092c712

SHA512
9580d650dacfbbf1c237c9296a5c603f0c05ca28a71827565d21d4e1c1bf205015bc1e7d0bcbd39de75591066b327b2fdeaa0496693d4a52c5edd85c2ff279f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgQG.exe

Filesize
5.9MB

MD5
8b24837534d09868e95cf1e2718c4bdf

SHA1
3e7eff9aef9630039c7ac6571d609fdb3df4372f

SHA256
dc7324e2d06d0e6a4dede44a67c6297bddafc7387828e8f3a9ad477ae734e78e

SHA512
0894718c94849b5e9032e7def7d46edb06fd961a671585ed0b0be37035cd1d6981e342d306b493ffeac723a47590c19099d53c639dc8f6a45ebb522b2036754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgkU.exe

Filesize
224KB

MD5
67fb03739ba2d5d37fd53a1da271a338

SHA1
535b9bc648026b9871e5d701845d0c5a19937015

SHA256
4a12caebe6bb24ef2b95808a63dd03772a3dece1580caf0fe6f4ffd7c9a8c6c0

SHA512
9003a1c20b639ddc649db8ed0e52aedf9e77625601ad421269ecbed7ea3a520873f499cb67dc874ee8dd92412f908d543cba69984228a4801fb608d879737b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUY.exe

Filesize
182KB

MD5
7ae28da2ea7d81ad4c9d8025c9491cbc

SHA1
a71a947fda51b0a1d45cbbc9f314721bca4ab923

SHA256
26ff573e98ac92506a4b5d4319f8e20f8b348058cec30114eaf56cbb61eb00a0

SHA512
1b05a996fd4114f58fa0c39b06ccee90c315410ec4f63a263d06bc9e456826b30b902f6cda650f1d59c80598a72d665e2275572c4cb52983c5e6c3b0b5631a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIog.exe

Filesize
192KB

MD5
a2ff0fabe7b41748de653a164eae287b

SHA1
7120a7a36a2df20f73e0cef2449864a1c8e1654e

SHA256
e26daa7452e0f7cdf9e4c51c1914f68a76373eefd098e0782262e47c92e52917

SHA512
c09db7d00f8bb287cb66b38cc66125f0dc9a3329273667fb9d91ddc5819169d2aa0494c7f5b665a99c83d00e6c5feb6d845ff4eb15b9a891bb8f0035ad3c3472

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uggo.exe

Filesize
761KB

MD5
b3ff7d86c04d9d326c09bc5f29754b90

SHA1
52d494be681c130d339655a36a339fde4d030218

SHA256
638103886e8ac9be0489e052457e886908451dd28ca306c6c19917cd79cef418

SHA512
7765efaf9e415b49fbad4f665d38f6e1d0e4ac6b5da7422730a92e3265d191fa6480e97f6ada2eb85d07410ec43b02f54908d7799444e3b5028ad2faec0bfcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQgy.exe

Filesize
184KB

MD5
58ede869a8e252e5d7ba9a944ba5ca76

SHA1
e5419cf8e963af89cc38c71867164a0e5cc4e010

SHA256
7d0eaa76702f4abde7901a830bc99258e0d11f7ca1dc1f6ce6478b60d59f0297

SHA512
35521a1aa770a82d7d8958d104176d2849b11428453ab1e689f124f50e8866ecf50239a8b735c4143a7f156c7df1c69476883b3ba951ef1452fa57c190377b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUoa.exe

Filesize
204KB

MD5
fb74d43482a36c00250093ea1fe8ddb6

SHA1
c1594fdb7a2b7ba4c05f32773ff3e618b397a9e3

SHA256
5af9ad518be9dec079de98c722861e395e602e1acab8a952c8b5d151adb1cb12

SHA512
9b345abc1dac75a032426ef72aa4af7c199ad56e8bf917edc010a5e0e447279f71705778a988e5733c75759543c6e8c5431e2f281151392994dd78992e98cc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYEk.exe

Filesize
246KB

MD5
ff8d4103b1a3f47f1c5a2b9c296c8e6b

SHA1
6d3995f396f1257b0c7a6149e7ae2811fb49b921

SHA256
657a957fe19d9012254e953be815ce00b807569a7f3902ccf5e410e08d81d6a9

SHA512
ede5cae284f71f0d0696d652b574143c4e6717f1575b165dc51388bebe0ffb6bdc80beccac781fd4d0b5656126a5d82daa49ee0e073530b35765d188e933f0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vkke.exe

Filesize
193KB

MD5
3f6ab4826caec8c0dfa4605d16ae00c1

SHA1
6822a66de335f893f476759b4351f94418ea24b3

SHA256
5ae6853b346467c9aa45a704779ca34c38d48651c71834327af8d4a3013b5414

SHA512
a7168300cac8ac410826271bf977927571795eb5945a4333c7411a79ac18ab552179e8a0f9961b58c0af273a028c71e7160fb16ceac222f29a368b3151cbde1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIoE.exe

Filesize
724KB

MD5
7a1b74b53edf7daa3cd6d9c49aafd516

SHA1
1a0ec113ee896b9d8e1b2f77d7013858408f9111

SHA256
79d9252f5bc95550ed378e74a215789e9325136e3254cd519b89631778f75221

SHA512
bf84f8e759d696956ad3987a64fd2bee01c783f1ac37f5370e03f1e428b689d3856dceb5543e10f7f5c40a69ed073c6ca24e2093fb92df921a170a847a6795a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQwm.exe

Filesize
566KB

MD5
36fcceb80ed9f0d8e589ecfb018be05f

SHA1
b16d20f61ddead5b7995a1e061fd4b662abf1f19

SHA256
34c3402f34e38107d0d551e8f169dcf6daa51372e540d58968c39a9df28ece46

SHA512
a6783bf17bb6353092f6c98c9dd95c82d210b1a186dd9b1adcbed24c40df727871313ea462203475927f298b58a173f0c2ee72ac8dd7b935df666d5f763ce6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgEG.exe

Filesize
728KB

MD5
74fdaf4e948c6fa3b725601cb4033bcb

SHA1
31c1f706a355fe00a6a7650ba0d5874f1b0bff0b

SHA256
697436e65f7978cb65642a4d58d91cd32ca31a4ce7d5ecbed1934d67bcfeff22

SHA512
6db0ea64c1541e2fd97ade7ccd350b7d9ed4627d8bc6e6a0a5fe8e1cd745c9a23f29a1e29c789e739f9d6ffa138696361c4596aa814ad786881d092027bda22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xkcq.exe

Filesize
728KB

MD5
e9781760e6716c26d9b35ccad0e65ec1

SHA1
b3e58c302f785d9986f6ad5f9061ca5f583d99b0

SHA256
83b0422bbfb570ceca1f39e2caeeacff4d5c0c99e13130938ff264dee2e58b2e

SHA512
959ced893c121df23929239b25d974a52b8efa3f0363a147a8ea43e6d33ca868ed4761de26d345259d137f879a6330a4f9641800467de0dbcfcbd0d27607c994

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIkU.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIok.exe

Filesize
182KB

MD5
cdb4389790307498273665512b9f657e

SHA1
500749c42f08685ef55df8fb0f469219ef4c4a54

SHA256
25ab201befe194cb8c1b3166b9329041dae085a4f7159f675475bdfa174f9b31

SHA512
d309f42136f34228218f31d383e10a92f53ad9f19c9be59fcfcced534dee644e0801e2d2a9fba5344d71078199794768804c3125172f87dedd285f158863f479

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMU.exe

Filesize
444KB

MD5
af28d28e22c82b347221020affb2b414

SHA1
54c9fbdc0b9ccd0c70e83736fc48c7c66ee39730

SHA256
359b922e3cb9002b7f6f1c934cc946181835644463f225a0d48782453c34c154

SHA512
69410f67e19d19cbe545dca19dc20757d363f1fa7660add54e183b84d5012aead1cc901842e473b7fb4704dc30b05029bda4b7db52f0506405f838409d373668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ysgk.exe

Filesize
203KB

MD5
0104ef42c98d967061d32e1e5fe8bad6

SHA1
67f115ca0d07f6ca6a12ce57fbc608219c547cc9

SHA256
9afcbf96915a99ed3b74c4112585131caec0e6ccfe43300c5a33d06ee0c357dd

SHA512
20edafb40efa982799b0c3e96ee349db62c38792242fc17b45d3f797ba9e3e07b39f4c82cfa13c4cdc7e03f348c66b45c39cb0b3b85f732ab69bf1ca1260bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YswG.exe

Filesize
319KB

MD5
4283daed0aa0546431a7b060174e81c9

SHA1
8ec2b5016795227b92e087df4d1074902f0f499a

SHA256
1798cda9aa9b85d3c3688b2940524a79775398c7c7e2b66a042a31710348c2f8

SHA512
e33458ae93824396779c40a301675b8287dc7bef4287f64da3e7f46ecc094aeadcd37cb3613afe91fc7b22615681964b6e7274848ad18158f758e2a7137bb29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyEgsoQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAEY.exe

Filesize
192KB

MD5
3b6e2ddaada1ca59acc00c2223cd2075

SHA1
da34c6c2ef6e76a1bae6e00ace2b637b455842d6

SHA256
223ddc026d8d3ff063298d985b88cf2aa1ed93aaf284f9534dff996f86c88b90

SHA512
3b93c306bd542548d162176214997906dbcef1813a96af0e221aff0d9691f04b05a7e1ee9812e5bdc71f35b88cab23c454c7ec9d7519ac80ed5978dc4786a653

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAoS.exe

Filesize
181KB

MD5
3ef1efb521ea9137183a6de3e79e0b06

SHA1
c23e461eaf12270a7b1be9dbe24d20d40d2ec9ee

SHA256
d1d71c39c26a6751134bae0927bd29f30b67abfa6d8b36a9fdb625c71f0b54ae

SHA512
cd2bdfabd0f4944011cc9869d5f7d1cb5c3015138486b9bd383e1ea2f6c7f0acf5ef81d642a6511d5598884b8c725645981a8d990e66d216fb4863fdb1f4d6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGUEwAoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMEo.exe

Filesize
220KB

MD5
6fd178c29a67c14fd84a6f5e3dd4ab09

SHA1
a0d33f4f0d3c3819a8552b6c0c55b93d0748d86b

SHA256
1478c7ea12bd51d44d21ed7a4c42df621dcbc0f3e683608fd2b370d0056e04ed

SHA512
5dbf6efd58d27a11865e41a3efc4918492506543e08861e8cc2155e97f30c28fd1b1a4d9f4d2d52aee8bc560c5b96a868621f5c3b8c2dbd2e82fd45d7c8675fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAUg.exe

Filesize
189KB

MD5
ddc8ce3e9ac5e8da24f9c5a97d5620af

SHA1
5938c95db01b4dda9ece6b8bd9e53c729a9b3205

SHA256
52667406a1ff5d26be0fdc5713ace9fc045efb4c1d729c56399c25c3d4c33090

SHA512
02058a9307e3c5daf22e449e5505d8b2427d3f0c978da42bb2f25573175d5ed153c2ecad8a47b4b23696390f8ff8df0ec1ab88ead9309689a67cd35c8eeca2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIka.exe

Filesize
318KB

MD5
212ec87bc3e955edaf20b450607a02fb

SHA1
9f9841d95aed6dba045f6fcfd924a3d67c0459f4

SHA256
abedc3c1d03a4255a1ca483cdd0507fd06f7ad1c4ed644d10cdfb73d45c4054b

SHA512
2ae5dffb01576167f8f97112d6e04789083fe20881519c1a615c7d1b28c69d9c7a88d32fb4bc9e0672027554dd4a9753fdaf9bfef474cd86bab2945b314caf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMYi.exe

Filesize
188KB

MD5
837c410cb2904f79cb8cffd6f5454f27

SHA1
34cfe9710350c6ab774b799b13a3fe018b6bea53

SHA256
6d89cce5745b0a5fd32badea4aa5854e38e6de0b79aabff7125aa0a9e7e37cc4

SHA512
36e67b5b9810871e2f2b67482add625f38bec2fadc7ee347ec2c0d8eaf1079a2251b3a6b3545f4a792995ae221f6f760d42092c6a7163de46549051a6d794c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMkW.exe

Filesize
185KB

MD5
6b1247d9839d14cb1662479b595d2d1e

SHA1
9b20d7c5a11892548fc7d96fea59964756bcdad9

SHA256
1035f569f3f89244ce5b148ad45ffa462ff2e01614cc33187c3ae07816e52cca

SHA512
9ea724343f192145de726337783a522558997ed7e9ec0fb56152beff2c6640f81e862eb7f1596cddd90eacddf55c3524d1604d16e88e5b685c786fd195f8105a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYoS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcoQ.exe

Filesize
405KB

MD5
54c0e5d53d7353ef87152a43eaadbb28

SHA1
d3de4b5a212a1599670614490da3aa7fe8764f3d

SHA256
60639146b3cc17ce9164c3838a43631f023798f23f55a49c8cf71dfeb00a716d

SHA512
1d6b791b7e71859d2f18d3b034fc6b748af15cb634ade4802f9b38018cbc99cd7f18196e6fad027114cdb98763ccccd0f67c8113c04da436c735110579d50618

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKEUUsow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQO.exe

Filesize
199KB

MD5
415c1cbe48869fea5c9113dfc1e96c41

SHA1
4fbb1086cf494e441c5cbe7335f34819e52e6918

SHA256
4df57a2c77ebd86d1634809b5765230f0502b0750afa42f239f78b611e3101d3

SHA512
ca1ffefc975b0b2d63c9a867cbdbd5bbeb8b2ec741eb3763fe3ec93eaa01783dccce2905c4d0c48bdd316eaf224accea921bdafd48b164a9c499b975b447b2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIku.exe

Filesize
384KB

MD5
32db50630368ed2fb1e410ec30f670da

SHA1
894f7786ccb1fc8e1d081eafd6d0b96d25d39e85

SHA256
52029a9d2f40874cc2547bed329b3721d0e653081d6e67d7428ce27832a16473

SHA512
7d59723dc2082cabcdba55f81fc68f24c2d28c5330c8e8e38a834c2340ecaf93bcd9bdbc5b334b138615bd31d2e57eec14d3e1710d7e8ebf542ed4b8c4c13742

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYkK.exe

Filesize
767KB

MD5
c7574b3c7797e46ed9cdbb99542c14f5

SHA1
57c0d47d2c7d1b72bb5683b74e714a0269e523c7

SHA256
317409c3ffbb38210265ffcc712a1aa248d746fc9b5f5a058dd0eb81e32326b3

SHA512
c1cd87e5c6060e48e5da1f9c4f275f094b7581411cd3f9c9cc8158c2680ad242ba8e3446f5f01f69e82ebda34cb4f5a7765ea0ff705fabb2ce4a867b4d3c8850

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEw.exe

Filesize
652KB

MD5
df7d3609a54785862cd1a9fc6f10a4f9

SHA1
224bf943644ce39b0a30b84716f45b679342c0d0

SHA256
dfce29a0c0855c2686df8928f46c9d781dd7428f2a899e7a7e5efda3595f2513

SHA512
ce36fad4ffade498c61ff85e6ced02719080f7ff7267983a28139b12bd004cd2b109fe6c0b94f52c1150b070dcedeb4075e081eef3905d0acd233b1830274667

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1be1572ed245d5e2eb8afafe803451_virlock_JC

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwoa.exe

Filesize
638KB

MD5
b584c40e2f6d53bde5ecfc0ec002b921

SHA1
5c76ad5527f2eab88cb1b5497f1d5bceff975e86

SHA256
ab150a4ce04670ee4ac1231212d2766cfb62111d92529c0d0c3ebc0afe27d36a

SHA512
fa0dddf1a24088f02e92c6fc55712bbc0c88b2edfbf29f2e72e89e866c7848366bcc1e6d4f0bf19a55b01d9ccf4180d8af5325b1164bb1ef115360913dda53ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsG.exe

Filesize
518KB

MD5
71c7decc60c855565cd9c3a239b7721d

SHA1
20993b26696a8690d51e1a4b576674139ee8df83

SHA256
1d8411a124b2bf12b7a41f0f4dacc798e82ad0f89db5b69076a790cf16136faa

SHA512
2b9c81ea41eeb7945e487bc2c4d3414de13762b7d158c462ba23ce12c63f0c8152c865b3774112c80b71117488e253d49c10dabd40cd262632a18940759934d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAMc.exe

Filesize
404KB

MD5
f38077d9fd6f4168b919e4fae10bf49e

SHA1
6dd2b82277dde99cf3fe857571eda33eb148b09a

SHA256
eefe1a074b6859f365955f907d080f26d011d646f02155b9a78f17fe64f85f23

SHA512
675e84ce37e2f3adbe7cecc87aaeca745825a2b320367ebbbf37c58995380c1e3ff0f4a807e17d158eddd1960108021d55e64c6ec70ca4e639d62d66a4f494ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcUS.exe

Filesize
809KB

MD5
839e3abca47ac0701d27438cd72aa33e

SHA1
1a562f8e0ab8ccb2511f211fbe1e0f5f30983a14

SHA256
270b1b88fb516b60259f1451c68a923043d6d249b7eacfa28470ba7b783e61a7

SHA512
cf18facff8e93c178146c2c8c044eb96d51d864a294b97d13292fc9d9eaf058d7af5c955f1c26c66629139acbd8e8a566069adb5fc706e94d0a766e35119572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcUw.exe

Filesize
189KB

MD5
141b148194460e5dc4eefb2100de9a65

SHA1
16119d87aa8cebc6970cae6b0cf37e4a29aef4a4

SHA256
c9829376e8181903ca790e7c02c10a8a7fe810d65a6c7a1706c525982e86633b

SHA512
e86e98d37d166a240a38e2f8a8f5743de2c8af0311ee2a6b4adbd724148f1493faa4f672c9a81a70f3672c7a20843e5963e0d208fb8f4f24ded123a2bb070003

Download Submit
C:\Users\Admin\AppData\Local\Temp\hykwUAMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIY.exe

Filesize
207KB

MD5
0eead4ca6b1a98d138b0e6738efa804b

SHA1
6840b83422b8af9a944c5e49d2d88c577974c64c

SHA256
a66ce5da0210adbc22aa5151fc0b3085ecfc6ce39933f036b54a5c329b1da95c

SHA512
53f22892e67aef1ffda2d7e8676d1913085054293a7bfa51c360ec6ce693a9bd82c416c1120e3277ec044739e3bec7eea721cf3c3f2833a43274f1bce028dfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQUc.exe

Filesize
837KB

MD5
9de56897b92e6e3bf5e436413e06ddc7

SHA1
667b196daf84d5bad1be397134c2c823e1a512cc

SHA256
32bde1507133813e041d3323fbe7d2634907aaa78484f225d7b4fa54886284cb

SHA512
1d670c591e151881fb1d36348c9219fb104869e57c105ba1cbba5ebe1d740a74e3f750bdded1d0f8f8a51bfd430b43f837012f7087bb89f46d35422fd951e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgk.exe

Filesize
789KB

MD5
67c2f11abaab2511c1ddd5c356b03757

SHA1
843e6f23ba565326a1a82b24bad79c521a6bf0e0

SHA256
3df02ef89e11c817892f6984d4f0160b52385602c1aa374110b28c086795e8c2

SHA512
cb94e1e29d0c37dc3c138fe2bc50c26d8e36b1396a26fd7873d20f95390b2a9d992ae959a898915fbc1fa7291c872480b05bd5cb05ff661b1f677e53036bce1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUIy.exe

Filesize
225KB

MD5
d4644e94bcdd06ef0e06376040de5fef

SHA1
e05dde8fef60d86e49209025a54b8dcd046669cb

SHA256
982557fed214406fcef8839e0d4548cc58c9409e264d607e411fde67ab2b6538

SHA512
59a190190715fc69874c01f00252ce21857d9b8a502f721109ec6be7126380e5b05e1f1bf42365c651abf93f531f29ad8da75eefd25c1ccef2dc34e4103a7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgC.exe

Filesize
729KB

MD5
aa9661929294606acd376d3fa7f14846

SHA1
51612b44b064b75d88461bc8ecd0e05ecc00238e

SHA256
944737ad2b304531c35b42c44217dafe029e4d4f7cff14a10590cb9cf1e7e778

SHA512
a15d70b12be21a4beffa71aa28881a763858e77f3a50d98fbf71910678c5c16f20168d8d64dd102006796ec50ce518f8e5348054dde3f04d9cd48d93712ad0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYoE.exe

Filesize
745KB

MD5
7ef9d6c5a51426d356a2a46265d6bd5b

SHA1
2a5a9508d5fc3b7ca48d3a95fd68246084fd8d19

SHA256
d9aa3de664dc51d14ea5719f90d3522c0231a692c4d8afd05b9560fde0e5699e

SHA512
f6dd17f8c3a3f09b4de74e290c4bf22c6b86bffef56772d40db45aa970b448c4bed1c344f5f88f294dd5d01e38d0ec3708d0794c776aeace11ac972a463ca81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkMM.exe

Filesize
202KB

MD5
9f42170f3d5abf21d197d8d5f9ed2146

SHA1
c299f9def80cbe2e554353cc69ade97eff67029d

SHA256
6f9c8e7b2e0775d2887e88e0234076cdc79eebde57af5d59bd2788b3bf49bbea

SHA512
c0703ec12c662881a14be634ad09e67cc5f4652e280dfb38abe0142fe9f645cd1b0a195b8ad904f712524e700801d33c431b504501768ed9a6a72a7644dcd890

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEcG.exe

Filesize
192KB

MD5
f827b2744c8f0daa574a44046879a0d3

SHA1
ae4d4193b63b1ac54a2243394e88edd5c63a267a

SHA256
15d344ee25d604a41340697ee0e4b5ab15041e53fcc70d2e3484240fecc81bee

SHA512
f4a8ddd0d5e0ea6e846673a521a196a0d3863e4c7e485d0754c5f9f6b94bbc687c75a298f1c21e49a869877fc61c708db26f30c1cd31996903e2bc1462a0305c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMS.exe

Filesize
191KB

MD5
3ff17ece1fc8c64037c7200f2c0c6d1e

SHA1
91c05de8c2e729585398e4ad7552688fb07346b3

SHA256
4f7b7a2371846829c1d2f768f5bd017a70fcdeef18de54044b9cb855aac8da09

SHA512
928253c02da577d546d278be4cedcb1e6954bb506fbad1842d5696bd7b970685657a078c505cf166ac857d9c6dea9510d0c4497a943d3c3b00a7d41926656138

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMUG.exe

Filesize
203KB

MD5
a5c59c7c124645b2fdf4337b98a19603

SHA1
70d1221876536bf590476b1498884ebdbea8d78a

SHA256
8d3a282895daeb2c10bc8ac60421fabf1abddf17fadce433fd3844454b2afa0c

SHA512
31a2ee44f0c30b037403bcd68adca4898ab84cc53a85554f394c2a546d20efb83ab5847a6364caa40736f1196ddb9a8536483b38fb159419f18eddfd18821890

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYoU.exe

Filesize
1.8MB

MD5
321c374d1102473f03982db86c8a3609

SHA1
8f27956ce4dd643e08e665121830f3bb19a4baf2

SHA256
e1134eb1b5205df9e72aa25ae7f45e94a4a375f1acb29937e55376a6e0145aea

SHA512
6fe54a09d5af5220c579f9d78fa5c27f9ca6423cf56daf2ef772ab97ee0e0926a1c89cba6132843e3005e139e82f0891af59e6c11c2adebe388e16ffd0484f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKwMMosc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMsQ.exe

Filesize
830KB

MD5
21dba4c5991a632d71fe8fffe8b7b133

SHA1
6eed61406e32559f34ce1ae0eaae7898642a07db

SHA256
9f62dd50d835e8d3b4a0f949c812c89d32e4ab57d83cdc327e024710365e5388

SHA512
86c1efb052b72a332325d19db3dae565d1ecdae00411b3473da84142db9a4c85cd508893a51256e47a2eea08b5c3aa3e1363c3b71dd830d5175033eb11504b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEO.exe

Filesize
197KB

MD5
5df2ede2e51565911eb26ae89dfdbaf2

SHA1
58a7cf2f616620eb7647aa9634a6b2350907089f

SHA256
016c2688ccccef0b3605af7a20f3b1a16e4d7cc87dc79159b559bbe99a4940ca

SHA512
7640939b994b7c3ae53cb8a875887bc977b21b7c8f9f47d2b18661871b86e74af96bb97675d29d44a617320c5ed7726b1e30f501c63d1d8cda3a96cda63bade4

Download Submit
C:\Users\Admin\AppData\Local\Temp\okEM.exe

Filesize
212KB

MD5
309e6131d66862b34df036d131905721

SHA1
2bfafdafa741f4f0619f10396c448fa5fee7b652

SHA256
6731e7d7fa599e01f714102df825012aef91d9b4e89a5902aa3f338e5f72b313

SHA512
50a8950bc951c87811e5efe15dbefaa28aa5eb7d239be194aa6940ca282c90ce25762a389b12d6e827094cc875a9f8e138dc21678a2e50456463cb6b98207eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgc.exe

Filesize
210KB

MD5
daba8f5c6bdb27971944dcc1f5ba3627

SHA1
939aa196267d6a132108e1db85621cd98539883b

SHA256
9e59a164b2bcfeb09d49b767cdc7d5909ad929ebec10d9891fdf225d4bfe3d2c

SHA512
147f9422677fcf7154e0cdefc73acf12ee58be77eb50d488227d10752c7f5e7faa35c2e633c6cfc75475b57387b0bec01b294d70e43c0891989193cdd72c7d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYUq.exe

Filesize
194KB

MD5
237ac1b3a68eb0460db4e81f3b54be7f

SHA1
2e8d494ca1159af6a6380a8a5e3619cedccd2d12

SHA256
f2b768b91bf3d1f1be31514bd890d8be969f494204e4de956140028d9c3dedf3

SHA512
23628ae05c0eacff664a462749c5d60704f85e6ffeae47c017ae382649f40c7909b22d5f2bb8bc1724f35d7921506f97f042dd68d4a1e5e3d28c3cc3677243c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYwIUwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUG.exe

Filesize
193KB

MD5
bca3ac11ad5a6488120df8ae63905d43

SHA1
75e288beeb0faebb2eca40cd8a1f5de673ff05be

SHA256
2166f7a588ead9aaf704af943197d43e7f090f5e1ac3dadda0ffa23e31d5fb05

SHA512
fdefffadfcdb0d9d48c7b5493d0fd2d64dd8feff5ad4d70ad578d2322d9d56fcc6ef7a8003e9c3132013c3fa8ffcc7b78d999feddb5ad53db4a5ccfd7e98b4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiQwwwUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAMw.exe

Filesize
753KB

MD5
81fa91155d98191f11753ae72124eaf4

SHA1
10087acb9532757b4b0b4b04c51e6c2ecc76402d

SHA256
6ddeb8f20591409f05f79a3b73612a098dc22ec1fcdda6556ae1336222686192

SHA512
96a99136d669c66b1dfe69544c16146dee49933f7df279a768f4786ac00f702a76d44ec02d52a1d29b6b465e3647fb4f0fd7062ef54a092361526131c3fd2731

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEEs.exe

Filesize
317KB

MD5
95401ad1592a349644d1788351f867da

SHA1
f75808b23b695c1309227ffccaf78fc1661e0e53

SHA256
8ac2709f553e3ae2b891ba6a4ad6541a6098e975523aa95f0bb054dc63174f72

SHA512
3bfaca9cfce5a75073b961ded0934d3a9f75fc76bc4f85fd88c0566d18b5a99e1a289773d593a71e51bf243327ea3c6e2860f1fe7e36858ff8ac39c1cd09140c

Download Submit
C:\Users\Admin\AppData\Local\Temp\siQswYwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYYc.exe

Filesize
201KB

MD5
fd005ab023cef3f62e5d3adc3cb0d641

SHA1
802fa7ffb3d3cde794a999e6736634cc08fec065

SHA256
fc68c472a2d9c8caeda90d46a393eed43132b8f24f96ff7270c0089116e53a6e

SHA512
4401155af2449169f4bcd60065970fc222c7bd96f2825f680faa15494ed040573bd3b985dd9196099685451c211627f8a1c822484212465d353e5306b1221af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMY.exe

Filesize
641KB

MD5
34c5904cedf48d99edfa59eb74cf2aba

SHA1
191b222388ee5d1e1cb112fd8d6d926a187b1b3e

SHA256
7c5c8e5829d6199ad31da0241523034f7f3e6520d42dc68897c3dc5adc7a46d4

SHA512
1c433f645abdc19710d0bc0c60eb6eeb0137394fca10d4e26ed63c2da724b2628f093874dc0778a336da5e88d69fa408c33c405acc7d8ed633d981d8982941a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUG.exe

Filesize
205KB

MD5
89cb4b128879b39ae9debdbd3bfa6445

SHA1
88ec5295608843a051fd0812f367e6e6d390f8ad

SHA256
d58deb837faa23a6c692f3a0f4f5e068fe2e1ddeadb8e7ad870953cc27fdb1ea

SHA512
55732f91991b466a1b256678a956e4ab39cc51d90beb89248552dec4613ca2b113d9740e9eae16cb6ea715df5afcf4617a531dd7b58f3484f7cfe2dfda0998fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKssIsAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYs.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucwe.exe

Filesize
203KB

MD5
869de969694cfa1421b802cfa175d849

SHA1
16eab14a46538a9a777a1089e0a00154b3ed53aa

SHA256
aab56c2c99915d60acfb49b51c1991be37a7f1663acee30b3c6ac47787b175cd

SHA512
b58a21886464108298e651854f8c5dc6fcb2b64047754d150290093f025a29566e0eaf707bc3634514d311d4a635eb6ce12b1c32a588dd98c550e6ebabcbc4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoMIoQYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\usIq.exe

Filesize
215KB

MD5
4582fa87d3e0f4c71aa69f70435293c3

SHA1
d321b53159fcc69f7fb8b8f107ef510de4842df6

SHA256
b2a1add4e08c21c9011eafef7cfbe909db6a16005e20a3959fb08d5804732877

SHA512
3a18dc82ff66ebec27379ae6e8390bdaf735becedb8d4a97036ae43bd672a6bfb725200cd4a03073f268c34a64efb3a5d93069b5bc30264412cdc3b52a31f7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMI.exe

Filesize
478KB

MD5
8d2fb44fe165157142a7d1c55b15b8b4

SHA1
793baf5a3d252be89bc5fd3322e23ab67509159d

SHA256
b240f42ef6bf9a5b975b6e1ed580fbae8a4390a117ee8a0c9d3760b6d4f2af5b

SHA512
dc3b85c6be97d4db0ba1a161eda7af693889d47cd52e57fb9b52d3c964df5d6d52899f1009aa30a89e35967a510168be61d88f1eaaeff9638f51d35e673b55f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUoa.exe

Filesize
644KB

MD5
224b15b7cc458622a0760d4e90a7d1c1

SHA1
60ed2163e8906f2b045b24afea6dc9e1184cbc55

SHA256
16151083f9d6dbe14e463ecf7684b876bb805c5616ebeece59cafda12f7c719f

SHA512
630c810b17c2ec9d67734bc436b9df6154c18dfb74213b9e220141e9bf505f8a26bf1df69a6ee7f4e58e215e2f45e799838ba64066dd8dd5f2df15cc91445063

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAIO.exe

Filesize
196KB

MD5
5febaf7e5f730c7e94f75acb88f8c9c5

SHA1
e95fcf5c06de5d75eab6267caa7843a9dad71c9b

SHA256
13b7b3634f196e0d0f30a9572207469f44309c9aa4752e567226f07513ca5237

SHA512
d8851cf36504e7795f576ef443bd7f9bfb5df1926593a2920b9ed805bea8ba7d6be72b0227ce87dfd3ea6d7e67f43a5105deb7713955a1a73889f56dad6630ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUki.exe

Filesize
188KB

MD5
a68c6cff3f5166dc72c622c7b5da17e1

SHA1
e6cdd830226d0cb8eb0cbaf5cf7aef79edc683e7

SHA256
33df2f0f912024a39a6875c2e2a1f77115837cb84aaed8e863f32186282817af

SHA512
c9f9ee7b758dab5b67477a7e50a67540a0377454dda917683c285ca544b013c22c7027f25de6e491a2013fa00df99e61c5567288693ba9f483aa2e3be8d36747

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiMgUcAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywoe.exe

Filesize
232KB

MD5
f20affd4c32ccd4f64940f20e4c79104

SHA1
fba79fcf3ce5f2e5f897f0cf3e52c883843678c1

SHA256
6fc94ec6a02f15cf8eec3e0925188e7d7f533d953935125869341c6df72d41c7

SHA512
98ef1fa430ed6cc30e30142d4a908cb6fded2971139082ab7def848f11fbde62b66b348f6c1959c51141bf63535e1ac444cca560a8891236e449f0582d22d8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMES.exe

Filesize
183KB

MD5
0560bec19baaf70a2814d4a5a078cc42

SHA1
3c7cbb01bdf3ce5b8907c19ed1b6abd83ec13990

SHA256
7b719f63beecf5e85036763fcf404b1e4c0771b9bb42400cd69cc338c8b1ce96

SHA512
34309e4cc674615c86fe016b01465d971cf6ad783da02131bee8e3f500f0feae84a3b8ac063e6eaca5c763642d196efc4e2aa134573270f9a53a16bc4268dca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQQO.exe

Filesize
213KB

MD5
bf28fdd7f34fee8a8d65702c629adcea

SHA1
78acf84b74e9d528ea7ade4a46381109d73b58cd

SHA256
7aa42f7ca4f89b73a87a37e276135c3afd122bc613ebe6a40e6e3383f31b5ee0

SHA512
cdb44f6e11702f7343df0b171ad11e825f60b06d3090d3eb1685d4beab6394e4ec8589c4d1ca8c4c0756adbb2667aa3f9f6e993109c26d8dd43129771398dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgEM.exe

Filesize
207KB

MD5
ad6e7e48eb199bc1e1b22a5e2b99c0c8

SHA1
5d36c33d9dcfa9c9bcd2ae5b433b2f1b6c0dfebc

SHA256
243a61f3a9ae8b24c8a651f40fda88974446cd9c4a64c8785880ba0a3df97e26

SHA512
d92bec30aca23876ab7e3c9168a9002f2652d2a5f27da0e922e4ef0f40db1afdf26a8f965005a87caf9676ea25cb82116899887b74790769d740179c5efd35b2

Download Submit
C:\Users\Admin\KoAgYYUE\FUAQMMkQ.exe

Filesize
183KB

MD5
b221a89ace4a2702500ec351379b78e5

SHA1
8beae2483c381dba2ead64b81aa664fad67e9cfa

SHA256
50860c32e21ec60ec1d282827186843e78afb20ff1c1077ec652c0be717f9e9e

SHA512
19762b69adb35cc28c8e2175e7d33372d68dff01c21fe9462b0a4102c5ae4e0d993a8e8732751a877964c9695f39b1ad8c324b7eb36afb64fef528a796c38e07

Download Submit
C:\Users\Admin\KoAgYYUE\FUAQMMkQ.exe

Filesize
183KB

MD5
b221a89ace4a2702500ec351379b78e5

SHA1
8beae2483c381dba2ead64b81aa664fad67e9cfa

SHA256
50860c32e21ec60ec1d282827186843e78afb20ff1c1077ec652c0be717f9e9e

SHA512
19762b69adb35cc28c8e2175e7d33372d68dff01c21fe9462b0a4102c5ae4e0d993a8e8732751a877964c9695f39b1ad8c324b7eb36afb64fef528a796c38e07

Download Submit
C:\Users\Admin\KoAgYYUE\FUAQMMkQ.inf

Filesize
4B

MD5
54d2eb4d8b704f57351acac6fdda6f45

SHA1
b3e6f0dea3fdd688f2535199409ba5283e4992e8

SHA256
cf8a27c5b0e9f63db80805f12e9d9e29a56b044393873d4fd4d908294bf0b1d8

SHA512
373f223229b209dfdf944348cb8eaa51c4f35c023839a8fd2ead1984f306398bf276b1edc1e8dc958b0dc05876d6543dfbb29f842923f249411319c597db71a5

Download Submit
C:\Users\Admin\KoAgYYUE\FUAQMMkQ.inf

Filesize
4B

MD5
54d2eb4d8b704f57351acac6fdda6f45

SHA1
b3e6f0dea3fdd688f2535199409ba5283e4992e8

SHA256
cf8a27c5b0e9f63db80805f12e9d9e29a56b044393873d4fd4d908294bf0b1d8

SHA512
373f223229b209dfdf944348cb8eaa51c4f35c023839a8fd2ead1984f306398bf276b1edc1e8dc958b0dc05876d6543dfbb29f842923f249411319c597db71a5

Download Submit
C:\Users\Admin\KoAgYYUE\FUAQMMkQ.inf

Filesize
4B

MD5
4dde8b1922a2e26ef0c940919059bce7

SHA1
75ce6817ecce9354b320f385acde5e1cbdc4c69b

SHA256
17b9f32062b2bb1e076142665d28efabf6139c1bfeebc5e6d97b079188a35679

SHA512
98fa7fff764d7e883f6464153fcfbe60f549664e7bd787eb3e99aa270ee9313411fc1d9584303ddb6055bcf9591660b0cadf4fabe317cff018c16946442cbb5a

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
446aa061df92ae6ff729cf977398f8dd

SHA1
496e091ab20edff3a2432c8ceffabd0159014ab1

SHA256
98f434de1c2e038395826f1900d7cc207ecbb6905927b2c2c98ef8af9d1f26f3

SHA512
5efe887c6171c438c62bb41ca03996ac4267f1981128418bbf35bca1db057d63d5cb63c0d8c3aac454b05038dfc330ba6b040397ed9f73044cc18b18db73e141

Download Submit
memory/644-448-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/792-359-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/792-370-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/868-266-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1452-253-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1452-242-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1488-189-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1580-421-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1580-409-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1640-200-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1640-216-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1708-559-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1708-546-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1796-496-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2508-226-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2508-212-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2908-277-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3016-229-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3016-241-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3152-330-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3280-477-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3280-487-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3536-541-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3604-356-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3604-342-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3664-383-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3740-178-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3756-400-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3820-283-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3820-303-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3896-315-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3920-504-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3920-492-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4124-468-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4124-476-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4152-392-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4152-384-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4168-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-412-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4392-401-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4404-420-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4404-429-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4408-152-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4408-133-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4428-555-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4428-569-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4476-522-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4680-514-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4704-192-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4704-204-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4728-165-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4740-538-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4740-550-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4748-458-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4748-447-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4780-439-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4872-577-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4936-331-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4936-343-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4940-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-530-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5096-288-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5096-459-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5096-467-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download