0a275934bb5f8a5cdb4f58d9f1eeeb93fece7220c7a2c6480583a45f7ef0525b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Size

199KB
MD5

0cfe834c6ed3a8a1504a72442e897e14
SHA1

17dfea29a9824283f11c3a11c570595844ea4f59
SHA256

0a275934bb5f8a5cdb4f58d9f1eeeb93fece7220c7a2c6480583a45f7ef0525b
SHA512

11fe21f60ee966168f905c2da6e34f8f827d84230a3af52db364c9cd37417c4413b3dbb93145f967da65902b65825b9bbd3e3c10835d1248b3739dec25e95cb3
SSDEEP

3072:gcam+Kr1b98tM/pLWfZe//INDX89gksXAC6XaMEAzNm+caaXPf/SoRB:q7Kr1sM/S2Iq9gkjCmaMEbTX3qCB

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4960	awYskEQE.exe
1080	tGwQAAEg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tGwQAAEg.exe = "C:\\ProgramData\\CocUQAIM\\tGwQAAEg.exe"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awYskEQE.exe = "C:\\Users\\Admin\\kUQMkogI\\awYskEQE.exe"	awYskEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tGwQAAEg.exe = "C:\\ProgramData\\CocUQAIM\\tGwQAAEg.exe"	tGwQAAEg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awYskEQE.exe = "C:\\Users\\Admin\\kUQMkogI\\awYskEQE.exe"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	awYskEQE.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	awYskEQE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4488	reg.exe
3672	reg.exe
1324	reg.exe
3412	reg.exe
4276	reg.exe
3188	reg.exe
1092	reg.exe
2752	reg.exe
3820	reg.exe
2052	reg.exe
4552	reg.exe
4768	reg.exe
4828	reg.exe
3508	reg.exe
5080	reg.exe
4092	reg.exe
1480	reg.exe
3100	reg.exe
3380	reg.exe
500	reg.exe
404	reg.exe
2432	reg.exe
4772	reg.exe
1700	reg.exe
1836	reg.exe
2172	reg.exe
3132	reg.exe
1160	reg.exe
4924	reg.exe
2008	reg.exe
4436	reg.exe
2576	reg.exe
1116	reg.exe
216	reg.exe
4440	reg.exe
4212	reg.exe
3736	reg.exe
4772	reg.exe
352	reg.exe
3224	reg.exe
2972	reg.exe
3768	reg.exe
4920	reg.exe
4308	reg.exe
3632	reg.exe
3412	reg.exe
4772	reg.exe
4436	reg.exe
3024	reg.exe
4656	reg.exe
2768	reg.exe
532	reg.exe
1340	reg.exe
4308	reg.exe
4688	reg.exe
2456	reg.exe
3152	reg.exe
3448	reg.exe
4476	reg.exe
2308	reg.exe
5012	reg.exe
2692	reg.exe
2748	reg.exe
816	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
3804	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
3804	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
3804	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
3804	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2388	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2388	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2388	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2388	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1824	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1824	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1824	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1824	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2568	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2568	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2568	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2568	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2000	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2000	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2000	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2000	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1492	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1492	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1492	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1492	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4972	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4972	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4972	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4972	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4352	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4352	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4352	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
4352	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2816	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
416	mousocoreworker.exe
416	mousocoreworker.exe
416	mousocoreworker.exe
416	mousocoreworker.exe
2056	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2056	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2056	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
2056	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
1612	reg.exe
1612	reg.exe
1612	reg.exe
1612	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4960	awYskEQE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe
4960	awYskEQE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4960	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	81
PID 2740 wrote to memory of 4960	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	81
PID 2740 wrote to memory of 4960	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	81
PID 2740 wrote to memory of 1080	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	83
PID 2740 wrote to memory of 1080	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	83
PID 2740 wrote to memory of 1080	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	83
PID 2740 wrote to memory of 5020	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	82
PID 2740 wrote to memory of 5020	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	82
PID 2740 wrote to memory of 5020	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	82
PID 2740 wrote to memory of 3828	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	84
PID 2740 wrote to memory of 3828	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	84
PID 2740 wrote to memory of 3828	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	84
PID 2740 wrote to memory of 2908	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	86
PID 2740 wrote to memory of 2908	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	86
PID 2740 wrote to memory of 2908	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	86
PID 2740 wrote to memory of 416	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	89
PID 2740 wrote to memory of 416	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	89
PID 2740 wrote to memory of 416	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	89
PID 2740 wrote to memory of 1140	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	87
PID 2740 wrote to memory of 1140	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	87
PID 2740 wrote to memory of 1140	2740	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	87
PID 5020 wrote to memory of 2216	5020	cmd.exe	93
PID 5020 wrote to memory of 2216	5020	cmd.exe	93
PID 5020 wrote to memory of 2216	5020	cmd.exe	93
PID 1140 wrote to memory of 1104	1140	cmd.exe	94
PID 1140 wrote to memory of 1104	1140	cmd.exe	94
PID 1140 wrote to memory of 1104	1140	cmd.exe	94
PID 2216 wrote to memory of 3792	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	95
PID 2216 wrote to memory of 3792	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	95
PID 2216 wrote to memory of 3792	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	95
PID 2216 wrote to memory of 1672	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	104
PID 2216 wrote to memory of 1672	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	104
PID 2216 wrote to memory of 1672	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	104
PID 2216 wrote to memory of 1988	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	103
PID 2216 wrote to memory of 1988	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	103
PID 2216 wrote to memory of 1988	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	103
PID 2216 wrote to memory of 1504	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	102
PID 2216 wrote to memory of 1504	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	102
PID 2216 wrote to memory of 1504	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	102
PID 2216 wrote to memory of 4552	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	97
PID 2216 wrote to memory of 4552	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	97
PID 2216 wrote to memory of 4552	2216	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	97
PID 3792 wrote to memory of 4488	3792	cmd.exe	106
PID 3792 wrote to memory of 4488	3792	cmd.exe	106
PID 3792 wrote to memory of 4488	3792	cmd.exe	106
PID 4552 wrote to memory of 928	4552	cmd.exe	107
PID 4552 wrote to memory of 928	4552	cmd.exe	107
PID 4552 wrote to memory of 928	4552	cmd.exe	107
PID 4488 wrote to memory of 4312	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	108
PID 4488 wrote to memory of 4312	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	108
PID 4488 wrote to memory of 4312	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	108
PID 4488 wrote to memory of 4828	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	113
PID 4488 wrote to memory of 4828	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	113
PID 4488 wrote to memory of 4828	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	113
PID 4488 wrote to memory of 5048	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	112
PID 4488 wrote to memory of 5048	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	112
PID 4488 wrote to memory of 5048	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	112
PID 4488 wrote to memory of 3412	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	111
PID 4488 wrote to memory of 3412	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	111
PID 4488 wrote to memory of 3412	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	111
PID 4488 wrote to memory of 1776	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	110
PID 4488 wrote to memory of 1776	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	110
PID 4488 wrote to memory of 1776	4488	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe	110
PID 1776 wrote to memory of 1144	1776	cmd.exe	119

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe

C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\kUQMkogI\awYskEQE.exe
  "C:\Users\Admin\kUQMkogI\awYskEQE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        6⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        8⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        10⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        12⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        13⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        14⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        16⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        18⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        20⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        22⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        24⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        26⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        27⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        28⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        30⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        31⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        32⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        33⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        34⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        35⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        36⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        37⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        38⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        39⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        40⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        41⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        42⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        43⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        44⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        45⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        46⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        47⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        48⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        49⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        50⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        52⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        53⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        54⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        55⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        56⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        57⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        58⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        59⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        60⤵
        UAC bypass
        System policy modification
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        61⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        62⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        63⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        64⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        65⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        66⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        67⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        68⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        69⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        70⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        71⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        72⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        73⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        74⤵
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        75⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        76⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        77⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        78⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        79⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        80⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        81⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        82⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        83⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        84⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        85⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        86⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        87⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        88⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        89⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        90⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        91⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        92⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        93⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        94⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        95⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        96⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        97⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        98⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        99⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        100⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        101⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        102⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        103⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        104⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        105⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        106⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        107⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        108⤵
        System policy modification
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        109⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        110⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        111⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        112⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        113⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        114⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        115⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        116⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        117⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        118⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        119⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        120⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        121⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        122⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        123⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        124⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        125⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        126⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        127⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        128⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        129⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        130⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        131⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        132⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        133⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        134⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        135⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        136⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        137⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        138⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        139⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        140⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        141⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        143⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        144⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        145⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        146⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        147⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        148⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        149⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        150⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        151⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        152⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        153⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        154⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        156⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        157⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        158⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        159⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        160⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        161⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        162⤵
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        163⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        164⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        165⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        166⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        167⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        168⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        169⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        170⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        171⤵
        System policy modification
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        172⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        173⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        174⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        175⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        176⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        177⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        178⤵
        UAC bypass
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        179⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        180⤵
        UAC bypass
        System policy modification
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        181⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        182⤵
        
        PID:1672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        183⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        184⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        UAC bypass
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        185⤵
        System policy modification
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        186⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        187⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        188⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        189⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        190⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        191⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        192⤵
        UAC bypass
        System policy modification
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        193⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        194⤵
        UAC bypass
        System policy modification
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        UAC bypass
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        195⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        196⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        197⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        198⤵
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC
        199⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC"
        200⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsoIEoAA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        200⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaMcwQgs.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        198⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        UAC bypass
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cusoIIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMcIoIUs.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        194⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKUcMEkY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        192⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImIAEcAA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkQYAAcY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        188⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAcUYgkE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        186⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        UAC bypass
        System policy modification
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWsIsowY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        184⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcIMoQgM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        182⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iesUgQEk.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        180⤵
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dggYUoMU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        178⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKUIgAkw.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        176⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:3768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YooswAAY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        174⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaosgMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        172⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuMIIoYs.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        170⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuYccIIc.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        168⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWAgUYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        166⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAEksUEU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        164⤵
        UAC bypass
        System policy modification
        
        PID:1160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcAcUgoA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        162⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqEwcwMM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        160⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwscQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        158⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQMwsAEI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        156⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMsIAYgM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        154⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcUckIo.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        152⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyYswsEA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        150⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQEgEcUI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        148⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VysUwcQw.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        146⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmUgYssY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        144⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIwEQIoU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        142⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        System policy modification
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIMYYQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGMgMgUI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        138⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figIkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        136⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQMQUMkg.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        134⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuMgMoYw.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        132⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIQkYkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        130⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yikQsMAI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        128⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwYkwQMU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        126⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUIYckYM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        124⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQIMMMkU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        122⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmQUsIoE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        120⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWoIIwoM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        118⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEwwwUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        116⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUYQAwE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        114⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWocYkUU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        112⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egoIEQss.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKYkwEQI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        108⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMsgAQQk.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        106⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kookQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        104⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWAsAwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        102⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuIYYUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        100⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psMwUAQo.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        98⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcAsAsI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        96⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKYAgcUk.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        94⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSYYsUAs.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        92⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGIMMMoY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        90⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMgoMgoE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        88⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgEkcEgc.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        86⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkUYkIcU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        84⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issMwUAM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        82⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqcAIQIg.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        80⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkkMocwY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        78⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEAsEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        76⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryQYsosM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        74⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sogsQscA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        72⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmoUUsoc.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        70⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCAgYYog.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        68⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOEsEAgY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        66⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuMUsAgE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        64⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwAggEks.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        62⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgAQUwsA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        60⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgEkkgUY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        58⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQoQkscY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        56⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqMwEMEg.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        54⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgMkIsos.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        52⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awAsMsQk.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        50⤵
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqgMooco.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        48⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWUsMMIw.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        46⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYwIcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        44⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGIwsUIE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        42⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYkYoEU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        40⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgEQEkoI.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        38⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diggoMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        36⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkMwMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        34⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgcooQEM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        32⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VusMMAwY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        30⤵
        UAC bypass
        System policy modification
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIcMcYwE.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        28⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUUcEIAU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        26⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwAscAcU.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        24⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xocEoIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        22⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmUkogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        20⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiwQosks.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        18⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWwsEskk.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        16⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgwoMkMc.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        14⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqskUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcQoEMY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        10⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEUAMQEY.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUYMcEIM.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1144
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmQsMUEA.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:928
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1672
- C:\ProgramData\CocUQAIM\tGwQAAEg.exe
  "C:\ProgramData\CocUQAIM\tGwQAAEg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYsooQAg.bat" "C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1104
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:416

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4708

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv eofFc4f73UWSVKN1BniQQg.0.2
1⤵
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CocUQAIM\tGwQAAEg.exe

Filesize
185KB

MD5
7449d95ca9db265c977ad363665a65c1

SHA1
f1a7226d9ea4f6e50e0d0393e511ba384a18b2b3

SHA256
11e4709138346bdb9b211996dc27bcafb68c3dbf958168edb3ea9e8d6f381f37

SHA512
bade2d348b8f96d93565797326a0b67bf6cd206d472a66e60869b5c53b361b7a422b7bd4074efa5b98003afade8f8116a13389ebae424d2a7b3ef6f047694b3b

Download Submit
C:\ProgramData\CocUQAIM\tGwQAAEg.exe

Filesize
185KB

MD5
7449d95ca9db265c977ad363665a65c1

SHA1
f1a7226d9ea4f6e50e0d0393e511ba384a18b2b3

SHA256
11e4709138346bdb9b211996dc27bcafb68c3dbf958168edb3ea9e8d6f381f37

SHA512
bade2d348b8f96d93565797326a0b67bf6cd206d472a66e60869b5c53b361b7a422b7bd4074efa5b98003afade8f8116a13389ebae424d2a7b3ef6f047694b3b

Download Submit
C:\ProgramData\CocUQAIM\tGwQAAEg.inf

Filesize
4B

MD5
63a244c6424a8ded85a0670c342c340b

SHA1
d6058dda764d7c9d9a5faea302962d284982739c

SHA256
ea58be78162205c09965b58d325f0bf568792c616df781284845784472fc6e43

SHA512
3f784f24108ab60de4547beba7616b4234e17aed8f155c1b9371beeaed3d6723ab0a61244241d23965b3c31fe56b11819add0f0e181052df8b97a25b00259e8b

Download Submit
C:\ProgramData\CocUQAIM\tGwQAAEg.inf

Filesize
4B

MD5
a1689eb5babfcc3f1d54dc853d1fa07f

SHA1
5a6840a1e2a1f2dd6d4e2ce69cd07f3643d0f892

SHA256
6219ff252d697f9f9e5879b5eeb8023f63cc471f6ff199008530018405417ca4

SHA512
95f1e7488c629c9807d0fee2aaf655cc38ea69685558e2a1becb08c13a09cd70ea42ce43812db22fd33c26ea99e08e00cb08e5390705a62d273d4c6d929b09b1

Download Submit
C:\ProgramData\CocUQAIM\tGwQAAEg.inf

Filesize
4B

MD5
3a59a0504c28e7877d59606374eca0f7

SHA1
3660de7515100a9a193904035121a83e946613cc

SHA256
2a6c3cc439e7af80b3f4c9b2b385a55e57f38bd5a4c3f04d65e9cd9faffd4030

SHA512
749a3585f49e7ec76db60735f7cb8a1dd5f3d8645e3dd1a56415d12458013382a04945b0d344dd957be303a0eda6832fa96ea9a7410fd3025707a3a614458c38

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
312KB

MD5
52e750cbcd72fbd765683b0338da57f4

SHA1
7f0ae4ba0b5cd80069c7caa466f1d2966431b6c3

SHA256
fcfb055f3bec82409a0e9e9f4ead61152995303e0d5175d99c134eda0df0041c

SHA512
f22e9136a780e35a6a2bdd4e626ede50d57340b95f968903f1c161f5d3ebe76ab15a6b86721ced28992dbb618f93bee42999771c89ce5fc4d29d0ee5b217d392

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
235KB

MD5
700ad7686fed21c6c22f9ef633b604cb

SHA1
8d0532faedfde8979cf116bda8dfd17db1b97d22

SHA256
bc06720672f36682ff3a48565858af39a8617ee7c1e1fffe0d920637bdca5f9b

SHA512
8f98c4f8933e9694db446438bcfb880b19dff2294676c7c791f3ecab6d6854441f3a0f831ac1681def8183b864c766e2a74ab3c6ab24ece771d475211094ba0c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
207KB

MD5
4d6c085bc7813ee3d9618aeae04feb2b

SHA1
e55ae76f53c40b3ba137c0f43b321b5d72828344

SHA256
ce9d65d4cb8cea8847a33cce9a7d2fd8c814b84a01b5410e53cf74815b3843ae

SHA512
3929db23385f71c14336afdcb14114ada8e9cc6249f3fec47d49607b8c4c53b7c061ca9414f3073fd018ceba4883f6c17356ff249b9f1aa57b06b93d22f6e8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
189KB

MD5
939787d24c07928d6a2e6d5756625c0a

SHA1
3371369c828fdd492da864259ffd8ef8dfae0700

SHA256
0349a4fc640132c8fb41862129f9cf3758af964cf91abb097757a42b5f3ff07c

SHA512
75232d67cd01f65ffde6d8c0d30c30bab5a715419f9ce9196492881ec077591b7893b571b5026cb9d328779bbc77f4fa4431ed508dfac7ca24e396b8053f80ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
209KB

MD5
18b95ebd73c848601406640573eb02c6

SHA1
65fa77fe28e56f2c87ed6d32ed2078e3092c61a4

SHA256
0b44ed646d6803407dcd6a31f781da6a04699537933d442b1d3e0a8e3c623a2c

SHA512
ae638b9f9bc4a768bb97a649b6a422e4fd2b5a67bd5e1eaae97e46cee072b6ed8d1af22ec9707574b694fdf63e1620c24ae5ead5a580277583768516c3fe9823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
206KB

MD5
69dee8cd63f69dd272af3940e8af84e3

SHA1
79118984bc73cb918dd702f84d1a07706fd265f6

SHA256
d5fa954d1a6e9cb7a8ed5e57fc1c47ba437f8d36ddedfd93d0ad9ddbad48a473

SHA512
a441aca63f65608d9436dfb097522f145b26a41297a601f5224c0477d5a98d91455f757345ecb2029464c38adb96041ea8a2540ad6b1267a8c45377956401bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfe834c6ed3a8a1504a72442e897e14_virlock_JC

Filesize
1KB

MD5
170555a84120985bef1afa430a90c465

SHA1
aa3652093aafc935d3d65b65954d59c9ba198b16

SHA256
0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4

SHA512
cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUA.exe

Filesize
203KB

MD5
93b1c12ccb5ecc093cdd73e3da83710f

SHA1
e81cd9d7c82108a8afae69f3a6f78e2b5fb03ba3

SHA256
9c20cd70553ebeffaefa731f05b9ecccb6e967d208f10badb5768e0475ae926c

SHA512
3448f191ec5ccf5861962483ac9a222768dafecd72ea35d61a04abf3cf8b435c99741412260a9d8e62b9803cc4efd166eafa6d86690b2020563043a287a32178

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIIg.exe

Filesize
196KB

MD5
e68d5e29d9aecfdaa17ba7634c0435bb

SHA1
1d029d2738b6187ef4908f4e4965c58975c575bf

SHA256
a9db1e286e489e149389642ece5ea8e4cd6cc93d1b449d6f9149c96cf3a9dead

SHA512
1887cc8fc2c7bd7b42bca4d3bf0212848534cb4c06256b2182cba199ee07da29cd391a4458d69ead80d4f1c24fb97334fc7c2a0c3928b6fd43f6d9b5c9f035d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYsk.exe

Filesize
196KB

MD5
dc1f0fc6ed809e0393fa1c4ce01425ea

SHA1
0a79499c7df3ac2df2673be02b0532cff738c3d1

SHA256
a75e622996e3e24f094ff699488f035c5178b680810c429deebeff4111cab5b2

SHA512
5ef0b55635ec8e14fa6cb94c251bbab9298e788e0ffa5d80d7a24bf071542d27fcee81c2d3c5757ebd3f1349ab569cb93637fe691519bb56e838b1349590cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoYG.exe

Filesize
205KB

MD5
58042ed3d9ebab6a77a3209b3f3042c2

SHA1
876059a71f99a8ebbd431da1c8c3d5a4d9b717d8

SHA256
f7c21ca7e9c2a2c7865fc016264b540303cbc03a6e46da1a97cdb83345cb7c47

SHA512
cb11e087069a5d2e7c281e99fe4146ac75a9483047590f9015084ac525e12fd57c0d0ee56b5606dbf17d723b458495594ea221030532ad9479e9a138118f5a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boge.exe

Filesize
192KB

MD5
37b7a2248177e9d9386a236b3b2e1d98

SHA1
d45fc8dd6ccdc7ed91c2ed99a4ae0c02e6464989

SHA256
6d7b4ddc5ef86bd27832043b7fe4d9cd8d1c15007c75b9683e8911a85212a7b7

SHA512
f7d53ec795b91507e1eecb85c66ac3acbcb466b5782b01097d95987a3cec387f1f43f4c02f36381dfbb2a06dd506c003023fc5af008deb1e37b0b4153397acc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUYY.exe

Filesize
193KB

MD5
aadef30c7c8f133ef32b6e9a3823db73

SHA1
8392d33ba0cc19c3f9fd1f282b46f46893dffcde

SHA256
9b6e47c83feb5639c2443ccecad6cc93b78df9c57ea97b40dad6abcafaf2c2a4

SHA512
5efa08a60149ec3a22fb9d02d845f0208799f2af86c27919e5a138cd6af91e6bebc50d8a7775803e1e133a499d5d1bdaeab775b24e703b2011bb595a8019e941

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cswe.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYkS.exe

Filesize
204KB

MD5
438af39f973599d1a7975e451bdb83a6

SHA1
340e1dd25ee35b7787c41a6b18a6330cdeb0eae4

SHA256
8fc5f281aaf4394cb27ac415897ebcd3c745c961a25762b1bef0db215bd0af86

SHA512
c058fbebfcfb06851a0c8d786771e28a3ccd662437d2275c85c182b01afc54af40d6998855e074613b0f59c3c4c95944cf4103dbbd8d4037e997fd6a231448b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwwE.exe

Filesize
200KB

MD5
6c140b5a6a8e3333f377b91bc54ee45d

SHA1
df8a64d8cdbea1882101364116a00c9b7b2425e0

SHA256
dbcf36d1966975188eff3d9d28b431aff8cea1a4e3ebd489ab1259bfd29104d0

SHA512
bb7af787e9dbe3ce3a7c3343725eaba5a1c9a4c85562d9f2ab285700c2330bc75ef7ab7edad6089a1d9134766abc92eea9f0e6d1203e3c181c7a203975476fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIsw.exe

Filesize
212KB

MD5
b0abee2372853bb8c2a657f5aee79d89

SHA1
9eb7d3c8488c0d831bf10a10e78b17abd97c5594

SHA256
be5d69037f543869ff7467d720fd366ae2546ec96b6bcae8770525a9065ce441

SHA512
aba38ee1250c22dc5d5f343a7ecc87339385549c61fb89d28468940a13a457bf97ae4f4e08d46efa880479fa2ff81e497ff64a6757424990e3eda11e634bbd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQUk.exe

Filesize
545KB

MD5
1fac538ec4ca9b15f6b9debe2e62258c

SHA1
ef5603ff06f0466a833d2dd0ce6895bc69983007

SHA256
00b4225dfbaa2be1134c25b650b35bcef4fc7c8a42f7cec532d84233b7d5a68a

SHA512
2de8d202c360d2e07193e4bb3f04bfe618185a7e6eeeb856c92599947609b5f34e85f31f44717f5d739c30e5e39ad599ca546dc34622e0cf4a376eb745572aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecca.exe

Filesize
826KB

MD5
19a606216ea50ea2e4238739431c463f

SHA1
5b4fc14487862c1f09244bd734403b3f5e620cb6

SHA256
ed81d7bf73767d1ec52ad5677e4f4f4157175c115b61e8cedfdc863fc28426c4

SHA512
713b057fd50d7bcb51b23a741827c5fe18c169ee321cffd073d204a1226076bd9dc36930c1a20d7d2053a93f4ab5ad7fd33c33967e4b19de381bbc0953fba16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwsS.exe

Filesize
210KB

MD5
52e26fee5b5d3c35712e035c4456c6c6

SHA1
303111c87588a8a23d85b1ffcf4cef50147fb0f1

SHA256
d96a3b9897d329e34af6a9293fa374bfb2163b8371d28e7fe012ea009ca2c50b

SHA512
1244333366bebc706e6fcc4b7f8bc9434a088b84d101041242b892a1a15dfec93180d27798a03543990c7e7509bb1088769651efe221750dd94ae96dfe586d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWwsEskk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoMe.exe

Filesize
206KB

MD5
dc8d83af45360f6ea154710d6cd3c53c

SHA1
54af7f96ea370992199e8fbc1ade15a607441367

SHA256
ebf7086c828116589cee704ae9f21e48c0c8f166609f5c30a065df85472a46fc

SHA512
11c46dd6762eb8c84a5a103013122b9dfda15c786af20638c601b8e92f3d05dad8fe4414d4a052f8960538ce3f6e5ae20e7987e39b6117f603a4358c0caac89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIES.exe

Filesize
188KB

MD5
f26145aba6a20019b2fa8f2388e385fa

SHA1
9b64b8149d66b2dd3c4d94d05618981216d5a1ad

SHA256
373d499fcce2703621bfd8f1a2cda4beef7150a251703178bcf9c9c56b97bfe6

SHA512
81a7463e6a92b53a587e7ec659d8966e8be0d2b6e5821560761fff111a9311f60a2807da62c157585c1bc38284c4ed2745460aac76eac1cb813520be8716a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIYO.exe

Filesize
5.9MB

MD5
59232055d2cb48edc024a74815ba79d1

SHA1
a2e2ec69f0eafc12c1e8d43b527d9387f991acaa

SHA256
a28297876703e25e182f5b8ee4228c700e081eee13fee591714877da075117ab

SHA512
ae3eb428a60abeee57c19799192b3d97757778a7d6dc76259655224006479bb548a1e8636c3584718ab83227fcac6df4c91951f99ec6a5bfa807fb571041acac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAs.exe

Filesize
501KB

MD5
d5558cb6f03e7364084a6c129d88a769

SHA1
d1dc28f54731e27cc01935ccedafa08eb786a808

SHA256
c5cdb082e469843acecdb3bb5e0a9f8f4cfb4afe3cbdfe9a0e1172f6d30ab93e

SHA512
435bca8247654aab4dde0af7047f603baf6db0856b641e3ab60a44a3b46d5f1e8c5c5cc1ee22e5d1a3c6fcb58c9414ce3b7f3f70ba81d6d3e7f0e285ae479c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYkMwMcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUK.exe

Filesize
189KB

MD5
9cb1c7fbeac431cc447ede4c2b3ed8fb

SHA1
35f526f4b571024bdbcda29a10a066a5becec23c

SHA256
6648879ef55ab7b03561e3dfe30143c8bee75ba55dd9c0d1fae737f697ab9338

SHA512
b71cda0c8648273aef03a3bebd43074c45eeb5c9894708affe5e2e9eb4af54333ed13aa5aec673b9f99f317d79a7a3bc63dd023b023cffbc31df94a86636c4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgwoMkMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoYS.exe

Filesize
184KB

MD5
2fe454769be79eabbc6549ee3fc9fe34

SHA1
448c7972bf0cc873d69879ffb441557ff8e3b21f

SHA256
48b5a819cedfe5eae4fe86244fc3801d8a926b304301de31d151891f586728e8

SHA512
eab685df56991bba4dd3c0607a17fb848bb0ab1374d070dcd6f404510bd94e29ce78b129772f804109d64e28dc9c9f8c3346c6834bfb6e04474e0957b98764c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwoW.exe

Filesize
338KB

MD5
33bb1aaec241faefb6cb52adab32af5d

SHA1
33ec33831c04fafe71c7fdb6f27a72d23b72b5ed

SHA256
c210166cf4efe71568a6d62dae54cd84a3e9796f95301cd7ecce54a0ce416272

SHA512
8df1434086e85567e36d66f65a42c32939ad3722cefe316aed43bdd0859bb692dce2c371b39d84b8634a797403d9fcd0566ccad09a0c65dcce82f9c436a057ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUs.exe

Filesize
635KB

MD5
0945315e96132e92f0fc24a9cf197572

SHA1
f76a2a1291e37d6d955aa766dba2fa093d6baac6

SHA256
a11e23a3d01c0437dbfe61926833b740de48de659b6e41af2b0a83ac80fbc9ac

SHA512
4eeff51b2dd8840667da390af83dcf1e1ecf4cd25edadfb725ffa9e5a048364a581132762fe0d496bd4147f6336a8eb46be31b98366b47db0a0d758e97d2d05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiwQosks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEkG.exe

Filesize
232KB

MD5
63a284c90ce47ec54f4b0d6259c28640

SHA1
3b66741864cbe21afc6e3753fb339edbbc6218ac

SHA256
5c1fb8a4beb0c00e9d67f94f06930eb81af948616e42af4390094d75bb0a5701

SHA512
9ea5e19a3203e1058541967b625ac7198bb35fefc9e83088e337b0b8395c860f9d66271c6358ef9e579bb038eba650f4e5ca656f1fa529653711a7bcf491c066

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIkI.exe

Filesize
441KB

MD5
ee756e107de93df4b5d7e961c4935e10

SHA1
858b6a272c13350c4c40bb8bf94d65bb1d5018a3

SHA256
0ac4ed5fe385e0dd70a03aff4497f90a49e715ff27590f5fdf2d003136011e31

SHA512
23c2f0cd8fc38846eb8049de5b8dffd9649fce3925313d6de46ec14ff9e05911e6fbb243bdf1acdd5f62c2971145a6d071a2800f480bdd6c74194817a4bb1618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ncoc.exe

Filesize
193KB

MD5
439839a75122ff8c6bcce2d422f19a01

SHA1
c4f126c691654026d501b684dd8434de8147b984

SHA256
93324fdf8ebac07e4c1b6e6ebe253df519cd89907ffd543fd0b6738ee0d683d8

SHA512
6327a06f1f76d56344c5c5895a2cabc2260b10d19fe32c6b66732ae6a00c3d35e9f8abdd65cd61a2088ce09e6b0d80a85896b08c68a97399b0c387a0a3891464

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAc.exe

Filesize
230KB

MD5
ade70dd849ed2886ed1ecb5ed6c487f9

SHA1
0d0b239ae92a5e9d53a1f2ec929b88bcfff40218

SHA256
a23fc9ebf44601348b8956d0fc97796ac95ea90438f2256f4e3e5409e536e9b2

SHA512
7805d6afcfff14be97e4da1fe2245a91769f78d8eef4a0c3f9b4a1f4f13a54b9c40bbe3c561adbabd17ea4ed5b40a275b7a6ac97f1b03da2442a6184072d771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgEW.exe

Filesize
386KB

MD5
cc85c38b401a85a97fc6a51130bf4fb8

SHA1
8bf14479452006e357f63254cdb6123f7b5793f6

SHA256
3a4e400271a5301a78dcf5151d7ac01f4658842abfffe3943603005da7cb8fe5

SHA512
980c161a4965635095bcb673e8a5199e852ff2f2eb209657bf3109eec6a06b313c27664fbf334d9bcc2ace935a4f993c4f95984fe5539c0d91d64f45d2852bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqskUgcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQwU.exe

Filesize
1.6MB

MD5
fec586a2de114755f51acc569d2fde29

SHA1
f44be56bae27385c6429109b597bd73fe779c44d

SHA256
cd6540ee570691d5fbd098285dea41b1eaf89a377bc974a6afa1408665b1ce3d

SHA512
9cd38340339485a427aaa2550d67ece2d2ac7eaf8b397519161d547e0f622796a4ddab6129592233ffd0b1c587ce6b15718ad5bfd87e7988b8da5fcfb1897fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYwa.exe

Filesize
196KB

MD5
895c0a92c1729f34a7ee089ade57cde2

SHA1
883aeefa037608d96e955f5a64b408798884e8f9

SHA256
1b62a66547172a28e4c3a301b69227901211968cbd4ddc55534d9cb9f8da917c

SHA512
954bf2f39eb8563aa733e790af63c357d1f879f2afc36219eb34888db263268b823a0a40db4e287df7f41c92d4ecc225f9cfff0aa26420f7ed4e395dffef667e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcEA.exe

Filesize
215KB

MD5
ebd7b97826db5658dbd7e6ee52ad8b10

SHA1
a2a160b5b6eb01f787036e1864a3c8abb7a4c0b6

SHA256
96a7d736c8c57af1b25567c2d58095df87d0e3a79b7ba05aa75053de69fea19c

SHA512
e30b72558bbf246b8baafae9b0594477b2cd3608f7fce5ef3bd4432f4626797fbde68ca1dd284a55738eac1c406918b5e0e26185d21736bee520a4c3c7a6b021

Download Submit
C:\Users\Admin\AppData\Local\Temp\PskO.exe

Filesize
199KB

MD5
3ac06b472f7ba0524573646d6ca47ee8

SHA1
bec16a34954a34ab8803db057e83969f8785ef24

SHA256
18d97c54a21e3dda99a0281f739592c2ad9f3eecdbe4c578f595f041813c7aa9

SHA512
839d4a140bfcce9a0cea8f9642c9f8aa2f6b4084c70c1c4426dbc6f15724ec51547d11c38928a8fc244fa1a9508b437fef40dcdf6078866d86d0f454fee2a897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAQ.exe

Filesize
198KB

MD5
6eb33b55c3b526e7582240ef795dd7ac

SHA1
8f470b6a46195a00d657cbeb9fbbbf58465e4487

SHA256
05aa14ca95d43abc05ad94f8e8e38d48ef275aefff2c0c30638b94a1be0a6a55

SHA512
53d48224f860c4e6381728bf7ba732f76ed626d3a873d52959fb81f158ec3f5fbf66dd8f585f8bc8f4f417e8d8d699d121deb17bfc31bdf34451169841a72784

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQky.exe

Filesize
192KB

MD5
4ffd8e733b4d66f53d1118c312deacc5

SHA1
423d42905bb7eae589b82110bae3efd8e342f5d7

SHA256
1b586eeead098ce2d1eb19291e680b868558543c1f00203e213c2528a04e461c

SHA512
6b77195354626c7991ca373782ff9fe0602aee9577e4781f040394a8abd952e2821b0ee633587e1ae5071eea9f6caa668b617629d18d79568749ff89b707a96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwAa.exe

Filesize
207KB

MD5
c3cb12cc54e6b12711cbf1ad23f27610

SHA1
731b4a60c5bccaeac4e2f2db1afbe4f0da8710c7

SHA256
afd49b1e7793075b1ad2238da9d04f852e8aba0c68402f67b53c433daf1b97d0

SHA512
e76bea7bb18e0dc627e3903a7f40246059626b2130d449c892c5bbce0c1be0145521cde4d5f625000dd0515e137427b8ff24d9b97325701e89a431a1ede13602

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScIg.exe

Filesize
202KB

MD5
9b83c9ee7805fdd2397e1294fdb33dd6

SHA1
1bb3597e47b126d2218adc8c84235cd43ee2cfa1

SHA256
3d81fefd97fac8a374b1f9636c5da1edd9a3904a794ff7781607376730e2fa47

SHA512
875ee9964832d7a4b00250a3b61ae91a92f9770e36d3234d501a6a29cbf7284502d65da1a53a4cbfc8a7b8582c6f90a704acb3237d6b47344b8a82c15d9cd011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skkc.exe

Filesize
185KB

MD5
2476a9c69021dadbf15a712e71e4f352

SHA1
9b678e18559787bd0d9e588055436a3e58ea6b0e

SHA256
a85b93104d01c8ae1638feb71443fce6526bbceb8b1fdfb679964f0c7b335fef

SHA512
2e1fea056302f9b2f8d0ed12b5cb789714c90e38f08a6da403f5807cae68830e5f7a9dbeb87b04d3e09a0f893e17818f2a00a584cce3263d3b79c925de971276

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sows.exe

Filesize
769KB

MD5
f0faab4d8c652c75ad028355c14128e8

SHA1
89ebc61ef58087ab0900c3e3385c5c7bba5e4e7f

SHA256
f2b752228d1464c55d99b2695f95dbb15630344ebe8c7ecb67fbec62b36633b0

SHA512
c806336ee0ba74eddf478bff4d6169ad2f8ae367035674658bcdcfdaf97a244f39de6e60c389a8a94d9dbb9191c0ac6e2e780f94d092c8ae34d4170b6c4bb113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tgsu.exe

Filesize
5.9MB

MD5
06ba0ca11ddd878c742015656ac6939e

SHA1
f1e9498aabd2020cb4314c0b97277d8987ca01cf

SHA256
0a3d7e9d81a47c252fc1352888407919b122f97e056e13eaa2aa9035338d9303

SHA512
fe660fcded21ea947e067a068317569b94c9d58f9068b334639a968f1bbc4114f1ff8742709950068886cb3488dcfbd69fa75b1f6a16d324af3c9bdd6ebd280a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToEA.exe

Filesize
203KB

MD5
82a652fc3cec141ecb6a82b0c747211b

SHA1
aa6a74af4991948e6cb18ec502bb4633abc031ec

SHA256
181c160c9b7ea191c03ce28c087e80366493e3f3a06bb56c57e4edc4258f58d9

SHA512
af2ee34efc4c5578b7f3278eb25869f44231c4afe2040bbbdff0d0f5a917352c68ea012ea1b1488143ab59e034ae55fa472752a04466c0e50705db3711cb4a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsgY.exe

Filesize
206KB

MD5
f8444ff18803a661916b792f7d852b54

SHA1
d92621c3c4011081641e8b6604d17bea13e95338

SHA256
8af280800a434d3018ac89d8dbe5301839eb7be62864158efb7e21f547066e0c

SHA512
4ceee7a38dbb836ad23097ee9b4c414e0ea29509d0e19c9242e4de508654e30c449b07a05cdd27c876e908e6e37bce745e31813a4f3be887cc79cb01ba2be3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIgg.exe

Filesize
199KB

MD5
1fdd296d599f505e08d68cca6c9da72b

SHA1
f5fc22416b8b78b6fa5cd10307824fa9a96ee3fa

SHA256
d0a9902e329e514cbc7435a7726ef68a5159fa60e1e3c9adc00335bdde7546f0

SHA512
18153c0b78b3857235c1522570cb9b427b83ecd08535b308616a652b68dd7c65b89a28f5232f42588c919a064a93995a86c56fa57269059c5d491efe3e75b677

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYMq.exe

Filesize
201KB

MD5
10098315532de7b009e5ff301a015404

SHA1
dc8294529f42e5362a8e8a33d11bd0fa2d08aec0

SHA256
13bc104db11737523eb8b57fe88bc3108133436029505bb2bdb46aabda792f82

SHA512
9d264a9dffc1c920395946054130a522c96f92d548f6eca56a9f8d289846b752f03ff049413f212de35ffef2e697d1346a63b9ff3177db80df5090daa402cde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYQg.exe

Filesize
203KB

MD5
ddc1429f86b58817caed88b9ce627ab1

SHA1
265d627aee219c0837f044e272c409bed701e982

SHA256
306fbe2ea2aa8b1a28dfd283dfa1814730ec6029b483ca72dc1bdd6a14af046c

SHA512
ee80a154c9a977de08d926bbbd92a892e491ff549c5132517438ede743ae3e1e8aee3413ea9c80790620a668dadda051e477419f8029b82b823e822712ab2fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VswY.exe

Filesize
234KB

MD5
ce88c56c6b0cbbc45f20c4fbc760a839

SHA1
32253fa3951ae1a3ea8751ea0a3ba0aae283817a

SHA256
2e5e7db367b8ae3617c14f963e3dce71682137519228572206d87dd8b8a302d9

SHA512
8755c25f60625bd6dd9e75455007b784ed2518d5593e3f6a7fc9214671560d83e0360a49e422cb5759af4b50e26ef8ccbcf314ad1bb0150b10927dd0709ba61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VusMMAwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vwga.exe

Filesize
225KB

MD5
69af20b36c5cd5ac65bdd0ae425cce08

SHA1
a05cce03fdf702b824be96656e44a6d6ac58723c

SHA256
f92cf55e01fce7f979b98199180ba01bd36c93b3d726d72ebd3d42b219fac052

SHA512
15e4babd3b7a4b52e6ef6007059cf110261e0a11c7342f64ea5f713775ac724f49cedb091b2c5c5ff666879c80e512f2b3dfd342998a99d7533f72470373010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYUq.exe

Filesize
194KB

MD5
6fc84bdb343e668ac61081823312c377

SHA1
2d66e914aa9e1d92b439d44be7211ef5a0282fcd

SHA256
b00b8a3d625fef514f1bf7c7a608b6ce5e3956a3051f99858e17b49ec666f4dd

SHA512
993244ff14aa5e2b0392bafc39418f17245d82acf0ed8ab5da3258eda8173e4b6b56da5d9202dbb8a62ae8f2265cc6177e1ac7fb95b4ef3961b0fdf79529a84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkkg.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEYG.exe

Filesize
652KB

MD5
29c03fcc50aa7257b4f4fc0e3d6c013c

SHA1
4f5b0aa64c39927a0833e3c442aa7c09e082884c

SHA256
72ac69343d338c3cb40f7317e52365487e509d4488d82a900208105022cbe2b8

SHA512
4b6a68294121e1aa86b120162a05a302ead32bb10103374a404ad616b7c4c1eff20f586e4ad662ca336a1f2c672a9b528d0e85f5fc1e0ad3acbb61f4c3862886

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUYMcEIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUYMcEIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcMi.exe

Filesize
424KB

MD5
932f5ed41ca3836873e8469e284aea66

SHA1
a2961c5bd605a7f850e09ac0a35f44eccda48fe8

SHA256
5b924ff91aa61b264a116c816a9209a65356de89dd73aae00b1b464a6c8fdf8f

SHA512
b09d63408c1a04de8e49b98745cc58de37ff8036403ba6557b16294f60737dc8effc5163a0f8e6b353ff256038fe2d90221dee8881862e8c5ba6daa7fc8a7c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYsooQAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yocm.exe

Filesize
187KB

MD5
41e40124b0dc3a2286589817b968175b

SHA1
2e20c6cd7fd90d8da7961d60976082ff132aa877

SHA256
82af38add491f9487969bd0944bd79d2aa9eb400f8567dc232901589301ac8fb

SHA512
31e3d1bebe393657867d2a8f61d5597805601581bd6cd71a9f3a6b77f44ab71b8efcad17e780ca63dedbcc56dcd8939ad0a330fe9e9d7bd47d3c8cc22dfbf35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEMq.exe

Filesize
194KB

MD5
bc0a316f1ff94c4a9fdcdbac621c6094

SHA1
5a9d877c4a59c2640d61ed12d989c3bdf76c2089

SHA256
df52ea58dd17af472b94e79f0b000eaf7165fdc11f2296edc4034204e8534988

SHA512
db998d061be6966c44ae09b9e5ea5de6c395aef7b91b87cd3e600047d4c906cc9dcb57cb3cbc673466f468efd899d36ce2c96b346f9c8d429d07575f710a524a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUG.exe

Filesize
646KB

MD5
692f92de2afadf427eee58f7e2b00e5f

SHA1
5c02a68bbcb14fa9f01b89d392443886810d4a3a

SHA256
18fcb5611d4e86753e770c1cc6a8e04de76b976bb9b332e04d8355e2257b8d87

SHA512
69c85106fb4394786a674f2961e4d8253d25170f0f988f42f7f69af815fcfb56e7109fa28b0e1e2585fcc097eac601736355370887d7ea5b7b29c474581b7024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgI.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsK.exe

Filesize
211KB

MD5
623ecb39996f000c53fa4cc262b2b166

SHA1
766f55353254eda075117b0b2a5ffe581d5b8e02

SHA256
93cbd9e228359c94744b408ff071548f507471319a2633b531e82b3c9f5b75a1

SHA512
97ec32176d0da45edfda9f6db08db216e11f2b2a1b1c70261a486c631b7fa0259257f65b7a566ff7e8c17f5ce545f5244f4c28b73f78012c5baa0b5ad5d6c7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEg.exe

Filesize
198KB

MD5
ca37fbd2b753c2f6d48c50a66fbdf64b

SHA1
b1f3f9539ca8af055fe6775d2e0274e919b72f31

SHA256
4c55899ae2c505d8bb915bb216d54d784e7432f6da6e7fa4ddea16d3f4d50864

SHA512
210fd9b77f1d34acfe876057d58e7504cfb5c052ad6a3f9f8447c498113cd2dbbfa0d447a51c9fdc5e7e18cf194914721b8c3fd537add29af67f74abf171b25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEoK.exe

Filesize
2.3MB

MD5
77f4a4df962192bdf19ee4bbb99fdf3e

SHA1
8e6b4c65cf3249f516cccab688e853372869bc38

SHA256
a5458a517c945f6a20bd5d7b4eee1ca2c868cbeb060f02f5253dc17e8f90a361

SHA512
dec4e897a1499c07758edec6344ab11f2aee320279be59abb481e3ac003681ded4860136db4f089ea0c79326993bbe592c213d74dcd8b7181ece46cf8ae1e848

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQEa.exe

Filesize
197KB

MD5
32e7c566762fedea9c7324ece4b707b3

SHA1
bc598a8f1f32c7e0d75ce411a627e31def9080ca

SHA256
f80680e7a6bfdeed7d53e164aa06a6bc332cb17af051ac3d1d6a220af1b1585e

SHA512
c009fb3b580091324e629d4b4582f8372226786fcb7b45cb739f2b8d1ca06c0db8a27d676e464e9083a472616d93eb3a94b6ab34b0ee0bdd25a989517c26688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\coIg.exe

Filesize
5.2MB

MD5
15b85abd68372fc1d0c2a22ce83b5765

SHA1
78d2e1eafa715595ec38e88c92301bae1c348496

SHA256
68492347549ceae806270b418629e442fa9d2da7bea7c66fab06696f2e772a10

SHA512
eff7f7e7cc5dd27831aaca5963b99d7cd519b42795fe15874883ac80c12696f85561c62c1cedecbc2de4771ca81379c5ee1fcd2bd46edf6db9eecc38a20aec36

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQIW.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUUcEIAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\diggoMsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMY.exe

Filesize
199KB

MD5
ab963d9a41c31f804d7feec52b8419cf

SHA1
ec75f21918320c4f8e54e5364ad5763b140b4ecf

SHA256
593e66124ee680515d3792b0dcfbc80f6aab8e6178fb3172e47727bda625d64f

SHA512
14ff791d1b9383b56662495ed817a82d5026140c08a50e82ff102446eaf1059a4dbe5f4183869a9df54c898fd410f01202329df9c56d9126ccbb1c85ab7138b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQw.exe

Filesize
197KB

MD5
9b246a55aed28db21e567b4721389244

SHA1
28549ec49cf1054e360ab84c6e3b261b694c36e2

SHA256
b2c001c1ba8259daae2946fe0c1711041f93f1d6f09f810fb68bd8e9015f27b8

SHA512
1e9ef7ea5729d0a6baa095f1a635a5a0f36b1015d87b0a8ea840522915bee3733aeb23722af838d96ec95b758a18080f438d2683d38e427697e096b1f8938eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMQW.exe

Filesize
258KB

MD5
f37532fa46e5e6cd04ff914c5524e2e5

SHA1
159d30377a667f96751e23975bb175191fcf6cca

SHA256
012d8de03ef49fc9fdaa4ef838b7893a14017add722ce11a31fef2931d059a2b

SHA512
880538ad2cc0deeb8c187a5cc8934e6d45f9f8427408478424b37c64808bb4a05473371c257d5be84cf91d475f3d68271a9a8e83d669f4164adfb3c115fd45ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQII.exe

Filesize
200KB

MD5
60c250306ee048c80dc3c8e0b753e0b2

SHA1
61467246a390bdad3e7fdf52b2c5df9816bb6ade

SHA256
84a7e62bfe466fbacc091c7ca8f200b42a22e8af531fbec1038499034cdaf92a

SHA512
9e6d39719934a9f67b6d2be03ceb09053efb28e6f4ee0aa36f03c5a744beca29b79fdfb6e774006ae48cccba8f42d00603bf3454eec2d65adef190c0b27c8ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQYA.exe

Filesize
320KB

MD5
95513de198b6c01c4fe7bc4fe2d0c480

SHA1
46851daf120d53f0a1533e7dba63a4fc64d5a0ac

SHA256
32875fdde10d0d139cc848a1264c9bdf2ba28a6a20d1feafc3ae1c316f5e574f

SHA512
25a7f5d8166e7d82ad8838765158e9c5832dab99db034da4f0482e265838f4fe248fbdd69d659c652ccb30a359395238b789f80c62eef845bb43700b918d5b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkw.exe

Filesize
210KB

MD5
ed9dd61182c3c8b8b979bb0a20756b3c

SHA1
769dbd4a73acbe81df81cb3800e904cb853983f1

SHA256
2967648b949949a3e03378e01e6a8bb08c7b967b9221b30b3fde553b0de07785

SHA512
4a47f56dc6bf6c714d820efe7e0ead09b8df0392ef734518fcd2335245c891a0a65873048db713074fe5afc00a7f6c1f3cbe96f60febad0742da3a7a9ad42be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iogu.exe

Filesize
202KB

MD5
e7af46ae8545a0c66413122bbb0d8d1d

SHA1
aa0aea3f7207deea8fd570c8e7de774c16fd941c

SHA256
0a8b9a818a8a1e5c2e6704bb693fa8fb69808912a2323844e54f7714a4359237

SHA512
5e7d4e1d6c1b7e5451bab6e759260c3f60b1c6d161dd3d70fa4ee33c033d6ccb930f9ea6c932972cac4debeedddb5f9b43c5c93d43d9500bfcd9b26c7ef7ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgAg.exe

Filesize
189KB

MD5
326f7bbf9bcd87429d2769d3f2d182f7

SHA1
75e74b5af98b3d16f082cf12603d008da664fb54

SHA256
978a8138676a8ad5e624cce6c312b26be244b2bb3a92c6bdbcbfecbea7b91c3d

SHA512
8d68ce37e8667fffa91bce75cc0776cfa3c3a98f6a21f39b9df66324699c6458b883797b0647e4dbfcf57975e0c192a655ca06836eef981ba33b71a120ffb130

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmQsMUEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwG.exe

Filesize
194KB

MD5
54571514044d19966726fbf8053763ff

SHA1
4136ace5443a7eee56dfa50d2ad5ddd914cae69d

SHA256
0d7695bff1657cb55b52591bcfe47c5b2ffd04490f99cb3caeac812cb2df80db

SHA512
72eff58b4212bd4bd34ac70a7926661296f01617ee27f30440ce46f97eee28ce9e15d3c044af6b61d2a9e61ec1001e84a39dd836fa32bef2d89f74e693fd2e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwO.exe

Filesize
192KB

MD5
0234df33aff6b3520fb6d8c26c836694

SHA1
ba34033d995d9e23039fe89b487f9aaf66431d6f

SHA256
afa83bb653f3e1f85a0543f1794d20ac45e909a1a30f1b8f460dd8711830189d

SHA512
b9abf563c8b2650b6dcd687826567cd899ce1e3914d5c8189cec3d16f96edd99990f10a2cf2f232a2d8cee6b81df294ac72a31b2bc5c4f4bc1f7c6fb169c617d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmUkogQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAscAcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUou.exe

Filesize
665KB

MD5
828f773d0edc1ebe2e48f08aad1252ee

SHA1
7a1c252672467f14bc6714664d53c17fb53d4a0d

SHA256
b5a0d6ceffb94b2b459ee954988e31ca469edd65883c91cc14a61394ec1a34f8

SHA512
cc35b6ddbfaeeca51df2c66224e11e279aaa28f7c66331065ec66508fd353b41844bba3227d0d84c16a26b0c2d09d70bd0b32ee390dff9af9ee41908b337867b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lckW.exe

Filesize
324KB

MD5
44039c2301274e56aad0950ee8524d70

SHA1
0c77ce6f255f8c8e1d5024940445e81a8c4933ce

SHA256
073d3de81c2017fa1f74c135134c633df6f906b2a01b438f1390cb1025ee2d0d

SHA512
5294b8ae640d3a3afc46202f0998faab6ba42ae67ffba95ee51ad64ff6c7c7723eb5ac62d04c80f62059394cf1e3d2e3524c4204e88fca30e0e989d6e595bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEoC.exe

Filesize
203KB

MD5
d19f793d4f6c75dca6298213cf972955

SHA1
e0bac6917961e653167496472168e5ebef3911c5

SHA256
478e7161e94e342155b90316fa4a2aa4956ff95e337092602b300ab73833f62b

SHA512
e39b08ac1e4e84b8371896a3777aafd846a567943895b76ea5d8924435456fd9c496eb1ba86b1e4e952b29285ada5418c6c1d9eed34d1d130b7a891837451433

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwE.exe

Filesize
196KB

MD5
3ca6d3055442b3e6ec10a7ad88db1ec7

SHA1
46a397299107905f38c4d8c2ef89a56dba99a8e8

SHA256
34f6f9a4a74cd1d8cc15ff9f1c169eb5aab98dce41fd757f42170b5e99338c51

SHA512
f165f4e3a296777daf54550905c52fa73922deb562d1d185583c58f98acd8ee95847f3e7fa43c0de6de959c5a41c09a0a375ed901842e07d886b5668923f1f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMcQoEMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncoy.exe

Filesize
199KB

MD5
9f2254a2146071f3d0da6705428ebf3a

SHA1
9a75f485377feeba194639641375ef63a1a96894

SHA256
e0a3124aea7d3586fa6c06a0e7f422deaf4b0f8cc2dac842223b60adf1a21fac

SHA512
570dc746592e159e7acf1d1b8070f02fe9468c9ec1ea04e63061c83f2da4d3991d182adce8df3e03d7e75e3b607fcfa6f8e2b11974fa86421836bea68ac341fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgk.exe

Filesize
590KB

MD5
660846972b7c46d8a61582eaba2628ff

SHA1
aad37bb553a38a76eac1db1ab3e34015378f62b9

SHA256
33614373989c9395702ffc8e4d99dd640c10035488365d4725d46278c76dcf09

SHA512
c44e737f551151c2798f745c599ded3a886f8183aa0e66a2a07ef4fa4095d40c603c39a0e14e1ee122ddd105da536c3e7c5a2e33faed0f1ce91123c56a4b15ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcQ.exe

Filesize
185KB

MD5
c8fe8f1b091ecf4320705aeef1c76978

SHA1
784013f2f6f349efdb376f3783c943b79de1f18b

SHA256
766d896b0301528f23e3c10eb0c2cabbeb5e69e41a540ff6c08d497878056a4d

SHA512
90ac961c7e424db9a89f0d5810aa118e4fe176d045f96653f3cd6f7d5952de5d72335df14c0f96eefae343b2ee45705a378a1856ad8ef11e68fee8e22381f6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAEc.exe

Filesize
322KB

MD5
ed32dfbd99aa31ee04ec59953c6378d6

SHA1
cff1e9eb60295d119fd2aac79c68bf5e1e047006

SHA256
cdb66a6ff52b6623d6c22ef2e9f7893e821193b4d6f04b7e01e95ea0f43245ed

SHA512
9c850d139c03a3dd3fc44f95f02e980d8e14dcd31feba4a1ebecef80460cb085466701127915aad578714736ab944b31bead01d45080fa47409890085a6d5b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEUAMQEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIcMcYwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcIa.exe

Filesize
564KB

MD5
3d331c2fe154ef979ae2dece6b0929de

SHA1
68bc01b6ac0df141b2030d978278e15bdeee7fcc

SHA256
f95d0bc23cd3cf62a3f4370af7fb497f15a6ebac0cc8690f3dac4a38c1c12e7e

SHA512
5d3a273502ebbb66a28d8ad894aba9567a1beabe7105b3ecc5cc786ebfd46467af77b374306e59a9a34c1dfe00cc8f301a9f41381710f577bf8cbb5c307eddb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYm.exe

Filesize
206KB

MD5
69b92f8dac63d4d2974e51540486c316

SHA1
12c7a920f0e0b5e506addb129bc023ec3674143d

SHA256
a75a7c2714eb11c443004930657a717616594e5e2d372bb4016381d05d4bb56b

SHA512
af50be1413e7d5987bdf690601775ae55c3efdbccfd325b909af1ea5b486bb95063ce045d2b5d3b0510111e176deb476f58c5d1462bd6aee0b2baaf552cf4b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAi.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEMA.exe

Filesize
186KB

MD5
dbf7c79e7a4ef4fbe9f3bfa784d69e57

SHA1
f3e07d1d596c0b5a84191a56ccd21bac23874dc9

SHA256
9fcc5ae84cfe23a148ad9abeff52374c1bbee2668a2a0e9d4ba9ab9786d44c2a

SHA512
eec0ac62046ac4f1159d7fd236a49862f4ce38786142b36322b19d5c0b098dba461fea6829048907701ca5c8cb5531139e87eba548e99f8b6771d29660a5a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEQu.exe

Filesize
191KB

MD5
c37190fc4663360d325322e5493b2d88

SHA1
434582e2780d04bf51de3c7a34e8596b3baeeae8

SHA256
3e09a9b76247a761073c6af3d277e7ccf5b5f014fdad3cade172a3869f1dc187

SHA512
89541bf9e77b9f218d283f02cbaf8503012a0f0f78a815a21a335bc847ada7153eba2af49876eab39fc6144172b47356d0bf930f1754ff26f861e75d1146d56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgEU.exe

Filesize
825KB

MD5
68209f7fda7fe448f950a769353d615d

SHA1
99a5ba54a8d03e9832185353861878761672fb34

SHA256
3c056283b0c2a127ba99268d65e3d5cee6411a6da34893515a8798089954b8df

SHA512
e4f84277ecce7038eaecd16658c0d6372f8cc6750ec94788db84bf2f35ff4fe901e9525ea024bfb7373dba5555cad9bee3ab7042e51a2a3aab0ae86a6264ded8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkQk.exe

Filesize
638KB

MD5
3baa305b4880ce268f8ff69c367dfc14

SHA1
10b1de203448b04a360fc2e95f965799b64fb065

SHA256
185d08dbc615ac4cb50fe40c439e677b9cff3a6caccb0ffc15d78c1c21f2e02c

SHA512
f3557798e7fccae6a60cb61f4d97e0dbe841752287d3a4f59df37fcfcf06e03dee4956c73800b7cb460b6101d0cbff79e43d1cf54503b97bc0e499bea880de9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEAu.exe

Filesize
188KB

MD5
39114d4619f081d98b693a5a2eca7a52

SHA1
65abac7a9714add438483131fad18e35e1d7eb8e

SHA256
3f80a98e7ec4342cfba9607f787f961eaa77d4880e20d6eab3b5f6d844b93b86

SHA512
5d800b3eae0ca71134972f9e29def7f42b0c3df08d26fed22db605ee82bfd574eaf89eb42927015e22666fd81598739f2d162042155b3b43edea6eeb1efa51f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMYc.exe

Filesize
358KB

MD5
312646bb4e3d3fbf0eccc9a98670e9e0

SHA1
e812559e0d55467a98438e04806b4a426d340dc3

SHA256
e88aa7ccbf5d5f92becc949f12e74943462901fe2bbf2c0afd0a01ff9912fde4

SHA512
8d41e9368a277e9f2a9e8cf5bbf31a5cc6eb74f63901cf164189f75d06413d5ff8223b559f3500e8eb98542c5eb337bee01d881c9021aa37a588e5b21be1b9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYK.exe

Filesize
186KB

MD5
9e0e911f3dfe01d72a0e713801358d63

SHA1
94f10a77b62b7ec4e315e96d01615e0e1a671455

SHA256
8090e2a239903a7cf8b232b8f14eaefdd8c08faa2690e150d22a86d9bf8960c4

SHA512
f9515241a16c98cd807247836a7619bf84403694e8c44212208be22860c7e645b6d3e9ddc71c1ef14bfe5ea57014c50c3077264525107ec1df34b2099b226861

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQsE.exe

Filesize
634KB

MD5
897e0797d8edfba2a1d3d44d1d35903e

SHA1
7f30f9979dcd77f736bc54836763638c9e97f888

SHA256
8a4ad89825e626ad9268353391694abbf572ec94802d8a59e3862c8601c58ebd

SHA512
bf1cae743e83280f5bc697736ad2ca28ff4008e2e9f48820aab7c531367147f4774d3cfe0eb66602c269774ce0e686cf59c33e2d54d0824e43e80f3c17e3f77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgcooQEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEc.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYkO.exe

Filesize
201KB

MD5
0d07e46cb9c98228ee07b47a373d7b61

SHA1
b27f40cf4d1df875943faadc4eb55480a451818a

SHA256
b72a4945333e342647ff8bcf0b8ebf83606791611b30da4a2be3199667cdfd63

SHA512
4e0204fa82890646844255e8967fb42f031d08388620b7b2086cd6b082bf3d66d06944c87aebb1b1c9d91fe86079fc4d318db67b43804da5a794c22d36a0d290

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkIE.exe

Filesize
790KB

MD5
ae00f5105c1777bff1c29687e6e0023a

SHA1
aa7b91a3a2db33baadec4e581647d6a4c8c105cb

SHA256
4b1dfea9626eef60e7c4d2c6d52edd9b4939b8fc20b90b5b31d7e2acaa7e007e

SHA512
01ca6b7c41a0ad52ef0725bdab0787ba071ab63f57caa770979c7c64585ffad9be5dd501bbe92305e88d81cc1ab17a1b7970f3c782a5bf5983114bf6c69dee9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocEoIwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xswq.exe

Filesize
198KB

MD5
fe37ec0d4e584be5f93d88037b3ffad7

SHA1
bf93977f82184c8f3846d87e8f8c7ebfa562cc16

SHA256
64fe4ef0f589684eba10fba7e75a1b64aa64fd07a6cdd2362ae33c6169cb7069

SHA512
c713c5031d1d75ef6036ce9ee855b9332f4fb57332f4da2d609ce2312952b52ab13cbd32a3de1fe44f08d99a19dec9e234616beb411d540cfac7703bb6883709

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEy.exe

Filesize
187KB

MD5
afd7c88f24513357a4fd6a5ef39effc9

SHA1
166c6f20bdd5005e14cdde30a603a4b456647379

SHA256
e72fd5fa31d38c20816c1898b6f4f44a53e9c0d8da3bd337c1053e2f2023e2d8

SHA512
c806dbefaa6db3fc45e2e6871f575695e9b68868cb9d6745b31fd355efe667d6cf663d1a77277bd6f2b171b1de24a9f9bbeca6d4d83332f3bff8981b0332f951

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykMM.exe

Filesize
184KB

MD5
1d12f01e2d2e73545531cb0b4ead03ea

SHA1
712080e95a865b828d76422864a3193d0e5a9853

SHA256
033d915753cec55612b0e0825cfb3d6a579e22495ab985f69c91a6a5902ef8ef

SHA512
986f538887ddfc3b16e6b133295fcb409c69d3976bd8c65aca96f867423211981b3b3971061925fe57a6929ca36d526c50aaceaed9ac2fddc587c0f20f4157da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMkA.exe

Filesize
188KB

MD5
fe2497096708be174fd54b7a80c5e15f

SHA1
b7ab6aaf825f56541dd2971c014970c4772c3b67

SHA256
de8ba7845702e8a67d3d119424b10b2d8b81204d97bf16493712826aedcc0e69

SHA512
7f3fff220bcf251ff811efa07887efd79c043ef59a2695ffce37db16f6603bc2ef6580d21fce3b6a873e8499c27ef888dbe90f97583d5fdedef8c81688b9f893

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcEM.exe

Filesize
206KB

MD5
49f452ea31918eda4757690a238ea6a3

SHA1
640fc500c697c1c252d7c2e46d1a00d8ad65beef

SHA256
37cbe6eed9d376a337ba2d6af4aecb9e9504c795c2f0677788dd0c3d7bb41931

SHA512
08e60a343945a722030e0e8080b603eb717ac4a36876859be790d31bc437b173d6e22aa726ea6fa1603b195345aa29e691de9ae98be17c66a83cd827f49250c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcgu.exe

Filesize
202KB

MD5
b5aaeb7066235ced0d03e28e301365e8

SHA1
d97b717c73b1c7c7702e26c07c8c18fa151c3767

SHA256
9693b095007cc957ac5a001570c7bdf3427e31a73921bd47d508a6cff0bddd4c

SHA512
84495df4c9b3fe8a0e02acd353ffcd4a083a6a4766118d1ba0ab69aaafb20312ce2a22162b7788743a71e1d82c712478d2500931cdcda35be05a0a6ba1e375c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsci.exe

Filesize
1.8MB

MD5
15ca4a32d36d993f76adc85910ead9ed

SHA1
fd218660b68f2ad6bad8b0a5a5c9c533e8675f3b

SHA256
0698ca3697ab607245e5069b95b331d71540777e9b0ca27d0c7690ed973a3e0b

SHA512
cdeb0fefa5e49a87108189baf611612235b4291bc0e7e5d895d71487ad8d14c738d9f24a3bf2f13a7b4b7a100d08b186467f8966ea37363b64b0a1db9d6714af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zswK.exe

Filesize
403KB

MD5
5e6c4944607e88bd0c3d73c177d917e5

SHA1
7f77ed77ad390d4d8bf0feeeaca1120bf822bbf8

SHA256
ab80c09aa1a024c7ad441e80c8f73c29e41a154ec0f7aa49dac3110c81b90741

SHA512
7d4abf050d1a13511a927af3774fbfd9fe9f03be7878ebc73bb78938537a6a6c271b1a5dfea29d09bd54ec7fb3f6cad95aa85ad7694239503f408351c647ad3c

Download Submit
C:\Users\Admin\Downloads\CompleteInstall.gif.exe

Filesize
462KB

MD5
6845fc9c0914ad65869df88a16cb28ad

SHA1
9829819eaef8ef9a3bb8ff0a40e09c61649ae94f

SHA256
a2c220a4567524863991feb56034ec09644e9ce98ec81fd3aefb5278b6dab7b9

SHA512
89a62661577a0f22487efa2c9e3da0504c742030d007a3f45b230dde315412d8c12ee72d230b9e82d97b72a8c731946af22bbc58bcbe6e5ff66b8fc46e2d8284

Download Submit
C:\Users\Admin\Downloads\ProtectRequest.mp3.exe

Filesize
544KB

MD5
0ff7c10f533516ab660ad4c8220f66bb

SHA1
02973e24f98bc129f111a8c6ce808b770662b291

SHA256
c6ae3902abc211ffd38c6c1a828d43a2ab12ccfa4e8a4fd76845e8de66ff50e5

SHA512
f33888e1868ab1940e2ea5ebe5e7dec6392a7c25d1d95e749fd1e3492813e1093749545db232e71bdca8e14e7ee00665bf72e07448e3dc98e60b4b2b2256a563

Download Submit
C:\Users\Admin\Pictures\ClearMove.jpg.exe

Filesize
349KB

MD5
d9e8642eea96512eab689dc0c2734db2

SHA1
26dcc121ae4df14971bf1771c76f244806b723b0

SHA256
250060d30e2b4cc9ca6d7e7b2143d996229e18846be6696858bd4a48a7aab341

SHA512
73df66f00a348ba52aca467e2ef43163551477a7808db056f5ea3f721b3b4ff037ed6bc893e020138ad96c7a09e86d8696546896c109ca016e361705f8b5fb70

Download Submit
C:\Users\Admin\Pictures\CompareOpen.bmp.exe

Filesize
437KB

MD5
d566e0866fef8c6ca6c3539a8fd9e5a0

SHA1
20bceebb82c12d6220d3798700304d95b9d7faab

SHA256
335bbbe5acb3e319e3648033e4405ad751ed73bd4577e1bb7ad7004b639d0856

SHA512
3f1ae433d94e93f41240585d34130a5b7c02425a11b15864b0fa9ef7c65ffc35957bb0777be714080896b03f8e0428395d37ac8995bd4e56b40973a478fccaf5

Download Submit
C:\Users\Admin\Pictures\MeasureWatch.bmp.exe

Filesize
410KB

MD5
27e7221a75ede2b543390986cc1b9803

SHA1
2bbf318f805d09d672599963f3559f233aafa54b

SHA256
a2cb5d3fa4aa69433b91d8db5ba30a9b1a92f598d4024da95f0b3c104f09b467

SHA512
22b7c06b3f78500d88a20c8e449f43dc859fc9e67eb760d0ebc28f6e4054a784ab7a90cda362127e9fd872da2178b2366375b4857b8426c1cab76ea8ac14215a

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
211KB

MD5
e120f8b2b752a02c31c904c0f2bd2766

SHA1
31c8d2ae082938c0a7ca6bab216bd65c70f13d7d

SHA256
63bb917ba20367a25d88a38d02f5467c0a4c0692b118d289933a112d8f725e76

SHA512
b30ba6e091d32b90edbdaa7568d9fe01db8adfb4200182b3627504aa6d10371eddc7b48a852b98d32118c3a9f25144f0f5e064f262ec7ce7ff98da099b9c9f3e

Download Submit
C:\Users\Admin\Pictures\ReceiveBlock.jpg.exe

Filesize
339KB

MD5
cf69959e74b88db49a8d99ee8cad984a

SHA1
e38f1a717d6dab44cc79566c5b2edaeb1d984c6e

SHA256
30707aec43607b2b996d7a6c601af660d645e85a7938c8dcc78e8cd774982c1c

SHA512
15c8f1ea67abcb1305bbbe9cd72a1bda285d3bcf34a9232e4b397bc538e2641176eaa5a0c3bb9a4d27f6129b28ec24785799baa5a90095e439c39537f1696ac7

Download Submit
C:\Users\Admin\kUQMkogI\awYskEQE.exe

Filesize
189KB

MD5
57d2d59ea94f9007098fba93a638b4e0

SHA1
2ce73eb65b60c4ed527b587771dac27a0a192ba8

SHA256
d5f0a5010b72696414ab67ebf43e0f98c4ceac5c3f03e8bdcb3677f64d7c0f0f

SHA512
77f4e50180849385c26387aaa52914217d203ac68fb92279a4c53b777222237cc07d0fc8da5ec6d8fcd30d4e9c1de7a3d696b78abf662e90c6689fdf9969fc83

Download Submit
C:\Users\Admin\kUQMkogI\awYskEQE.exe

Filesize
189KB

MD5
57d2d59ea94f9007098fba93a638b4e0

SHA1
2ce73eb65b60c4ed527b587771dac27a0a192ba8

SHA256
d5f0a5010b72696414ab67ebf43e0f98c4ceac5c3f03e8bdcb3677f64d7c0f0f

SHA512
77f4e50180849385c26387aaa52914217d203ac68fb92279a4c53b777222237cc07d0fc8da5ec6d8fcd30d4e9c1de7a3d696b78abf662e90c6689fdf9969fc83

Download Submit
C:\Users\Admin\kUQMkogI\awYskEQE.inf

Filesize
4B

MD5
1830f7e589e38155428eb326c876f1c5

SHA1
1e9944d4d0c675fcde2f772bd07d06169eb97e46

SHA256
775315c16456c5e326038cb1921eef6eae5e3cfe496a9276f4a88bf633f9e149

SHA512
988df6626eda7a9e54813eaf4a6e98ee541014596194170e366206da1dafef356560fbd72610246f08fcab3efbfafeb55af776ddf414f23ee2a00467e4caeaac

Download Submit
C:\Users\Admin\kUQMkogI\awYskEQE.inf

Filesize
4B

MD5
a1689eb5babfcc3f1d54dc853d1fa07f

SHA1
5a6840a1e2a1f2dd6d4e2ce69cd07f3643d0f892

SHA256
6219ff252d697f9f9e5879b5eeb8023f63cc471f6ff199008530018405417ca4

SHA512
95f1e7488c629c9807d0fee2aaf655cc38ea69685558e2a1becb08c13a09cd70ea42ce43812db22fd33c26ea99e08e00cb08e5390705a62d273d4c6d929b09b1

Download Submit
C:\Users\Admin\kUQMkogI\awYskEQE.inf

Filesize
4B

MD5
3a59a0504c28e7877d59606374eca0f7

SHA1
3660de7515100a9a193904035121a83e946613cc

SHA256
2a6c3cc439e7af80b3f4c9b2b385a55e57f38bd5a4c3f04d65e9cd9faffd4030

SHA512
749a3585f49e7ec76db60735f7cb8a1dd5f3d8645e3dd1a56415d12458013382a04945b0d344dd957be303a0eda6832fa96ea9a7410fd3025707a3a614458c38

Download Submit
memory/416-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/416-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download