c3c62d89f3251859a83c919319f6a8eaef90ad35da47e697abc977e8b7de1e42

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Size

915KB
MD5

4839574d3807246a5f6779f2a658f781
SHA1

7ac16bec3781c185e32189baf01cf4b0c101017e
SHA256

c3c62d89f3251859a83c919319f6a8eaef90ad35da47e697abc977e8b7de1e42
SHA512

87aabb2a51be67b841bfde6d7b9930a116e933aeb1ae2439205ca3520fa3db856c97bb04b8bed68da8506bc6a2ed3cec9cba8a1c120e6a6fe4d6741354f6896a
SSDEEP

12288:srkbeZTah2U2Q2PumWuK7I3gk47/Zb1C3EJ3+BycVcX6XE5+AtB1S++8fDUk4smF:s4CZGH2QHNG4V1CUNFuMHfik/HeN

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Blocklisted process makes network request 4 IoCs

flow	pid	Process
32	1216	cscript.exe
36	1216	cscript.exe
38	1216	cscript.exe
40	1216	cscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1848	VQgEsQEo.exe
4200	ZiQUkQIw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZiQUkQIw.exe = "C:\\ProgramData\\rkYckYkQ\\ZiQUkQIw.exe"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQgEsQEo.exe = "C:\\Users\\Admin\\aIckUMUA\\VQgEsQEo.exe"	VQgEsQEo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZiQUkQIw.exe = "C:\\ProgramData\\rkYckYkQ\\ZiQUkQIw.exe"	ZiQUkQIw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQgEsQEo.exe = "C:\\Users\\Admin\\aIckUMUA\\VQgEsQEo.exe"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	VQgEsQEo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4776	reg.exe
3924	reg.exe
2056	reg.exe
2940	reg.exe
4664	reg.exe
3360	reg.exe
3652	reg.exe
3804	reg.exe
3768	reg.exe
1308	reg.exe
1612	reg.exe
2560	reg.exe
4392	reg.exe
4752	reg.exe
3608	reg.exe
3648	reg.exe
4940	reg.exe
220	reg.exe
2428	reg.exe
1808	reg.exe
3156	reg.exe
2452	reg.exe
1264	reg.exe
5036	reg.exe
2208	reg.exe
3428	reg.exe
2836	reg.exe
5012	reg.exe
2244	reg.exe
1280	reg.exe
3836	reg.exe
1304	reg.exe
4848	reg.exe
4432	reg.exe
1276	reg.exe
2620	reg.exe
4036	reg.exe
3988	reg.exe
3608	reg.exe
3592	reg.exe
4888	reg.exe
1492	reg.exe
888	reg.exe
4216	reg.exe
1212	reg.exe
1664	reg.exe
1120	reg.exe
4264	reg.exe
3740	reg.exe
1212	reg.exe
2184	reg.exe
4292	reg.exe
4376	reg.exe
2560	reg.exe
3048	reg.exe
4488	reg.exe
1536	reg.exe
2008	reg.exe
2148	reg.exe
2688	reg.exe
2524	reg.exe
2124	reg.exe
4856	reg.exe
2624	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
540	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
540	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
540	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
540	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3620	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3620	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3620	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3620	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4716	cscript.exe
4716	cscript.exe
4716	cscript.exe
4716	cscript.exe
1664	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1664	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1664	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1664	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1644	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1644	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1644	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
1644	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
4304	reg.exe
4304	reg.exe
4304	reg.exe
4304	reg.exe
3728	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3728	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3728	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3728	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3768	Conhost.exe
3768	Conhost.exe
3768	Conhost.exe
3768	Conhost.exe
760	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
760	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
760	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
760	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
2216	reg.exe
2216	reg.exe
2216	reg.exe
2216	reg.exe
3996	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3996	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3996	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
3996	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
2524	Conhost.exe
2524	Conhost.exe
2524	Conhost.exe
2524	Conhost.exe
2976	Conhost.exe
2976	Conhost.exe
2976	Conhost.exe
2976	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1848	VQgEsQEo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe
1848	VQgEsQEo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1848	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	82
PID 2776 wrote to memory of 1848	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	82
PID 2776 wrote to memory of 1848	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	82
PID 2776 wrote to memory of 4200	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	83
PID 2776 wrote to memory of 4200	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	83
PID 2776 wrote to memory of 4200	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	83
PID 2776 wrote to memory of 4964	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	84
PID 2776 wrote to memory of 4964	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	84
PID 2776 wrote to memory of 4964	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	84
PID 2776 wrote to memory of 3804	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	86
PID 2776 wrote to memory of 3804	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	86
PID 2776 wrote to memory of 3804	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	86
PID 2776 wrote to memory of 3432	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	93
PID 2776 wrote to memory of 3432	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	93
PID 2776 wrote to memory of 3432	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	93
PID 2776 wrote to memory of 760	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	92
PID 2776 wrote to memory of 760	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	92
PID 2776 wrote to memory of 760	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	92
PID 2776 wrote to memory of 376	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	87
PID 2776 wrote to memory of 376	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	87
PID 2776 wrote to memory of 376	2776	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	87
PID 4964 wrote to memory of 4940	4964	cmd.exe	94
PID 4964 wrote to memory of 4940	4964	cmd.exe	94
PID 4964 wrote to memory of 4940	4964	cmd.exe	94
PID 376 wrote to memory of 3032	376	cmd.exe	95
PID 376 wrote to memory of 3032	376	cmd.exe	95
PID 376 wrote to memory of 3032	376	cmd.exe	95
PID 4940 wrote to memory of 2740	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	96
PID 4940 wrote to memory of 2740	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	96
PID 4940 wrote to memory of 2740	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	96
PID 4940 wrote to memory of 4276	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	98
PID 4940 wrote to memory of 4276	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	98
PID 4940 wrote to memory of 4276	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	98
PID 4940 wrote to memory of 2836	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	101
PID 4940 wrote to memory of 2836	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	101
PID 4940 wrote to memory of 2836	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	101
PID 4940 wrote to memory of 512	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	99
PID 4940 wrote to memory of 512	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	99
PID 4940 wrote to memory of 512	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	99
PID 4940 wrote to memory of 4508	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	103
PID 4940 wrote to memory of 4508	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	103
PID 4940 wrote to memory of 4508	4940	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	103
PID 2740 wrote to memory of 4228	2740	cmd.exe	106
PID 2740 wrote to memory of 4228	2740	cmd.exe	106
PID 2740 wrote to memory of 4228	2740	cmd.exe	106
PID 4508 wrote to memory of 2104	4508	cmd.exe	107
PID 4508 wrote to memory of 2104	4508	cmd.exe	107
PID 4508 wrote to memory of 2104	4508	cmd.exe	107
PID 4228 wrote to memory of 5028	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	108
PID 4228 wrote to memory of 5028	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	108
PID 4228 wrote to memory of 5028	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	108
PID 5028 wrote to memory of 540	5028	cmd.exe	110
PID 5028 wrote to memory of 540	5028	cmd.exe	110
PID 5028 wrote to memory of 540	5028	cmd.exe	110
PID 4228 wrote to memory of 1600	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	118
PID 4228 wrote to memory of 1600	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	118
PID 4228 wrote to memory of 1600	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	118
PID 4228 wrote to memory of 3972	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	117
PID 4228 wrote to memory of 3972	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	117
PID 4228 wrote to memory of 3972	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	117
PID 4228 wrote to memory of 1832	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	116
PID 4228 wrote to memory of 1832	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	116
PID 4228 wrote to memory of 1832	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	116
PID 4228 wrote to memory of 4112	4228	4839574d3807246a5f6779f2a658f781_virlock_JC.exe	111

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4839574d3807246a5f6779f2a658f781_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\aIckUMUA\VQgEsQEo.exe
  "C:\Users\Admin\aIckUMUA\VQgEsQEo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1848
- C:\ProgramData\rkYckYkQ\ZiQUkQIw.exe
  "C:\ProgramData\rkYckYkQ\ZiQUkQIw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        8⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        10⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        12⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        14⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        16⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        17⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        18⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        20⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        21⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        22⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        23⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        24⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        25⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        26⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        28⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        29⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        30⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        31⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        32⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        33⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        34⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        35⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        36⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        37⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        38⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        39⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        40⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        41⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        42⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        44⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        45⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        46⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        47⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        48⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        49⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        50⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        51⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        52⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        53⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        54⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        55⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        56⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        57⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        58⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        59⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        60⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        61⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        62⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        63⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        64⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        65⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        66⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        67⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        68⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        69⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        70⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        71⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        72⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        73⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        74⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        UAC bypass
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        75⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        76⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        77⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        78⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        79⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        80⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        81⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        82⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        83⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        84⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        85⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        86⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        87⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        88⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        89⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        90⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        91⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        92⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        93⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        94⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        95⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        96⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        97⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        98⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        99⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        100⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        101⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        102⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        103⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        104⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        105⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        106⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        107⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        108⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        109⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        110⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        111⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        112⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        113⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        114⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        115⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        116⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        117⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        118⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        119⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        120⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        121⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        122⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        123⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        124⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        125⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        126⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        127⤵
        System policy modification
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        128⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        129⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        130⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        131⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        132⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        133⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        134⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        135⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        136⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        137⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        138⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        139⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        140⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        141⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        142⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        143⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        144⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        145⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        146⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        147⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        148⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        149⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        150⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        151⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        152⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        153⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        154⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        155⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        156⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        157⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        158⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        159⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        160⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        161⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        162⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        163⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        164⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        165⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        166⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        167⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        168⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        169⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        170⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        171⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        172⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        173⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        174⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        175⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        176⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        177⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        178⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        179⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        180⤵
        System policy modification
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        181⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        182⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        183⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        184⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        185⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        186⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        187⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        188⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        189⤵
        System policy modification
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        190⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        191⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        192⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        193⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        194⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        195⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        196⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        197⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        199⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        200⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        201⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        202⤵
        UAC bypass
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        203⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        204⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        205⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        206⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        207⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        208⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        209⤵
        UAC bypass
        System policy modification
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        210⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        211⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        212⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        213⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        214⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        215⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        216⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        217⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        218⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        219⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        220⤵
        System policy modification
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        221⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        222⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        223⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        224⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        225⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        226⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        227⤵
        UAC bypass
        System policy modification
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        228⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        229⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        230⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        231⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        232⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        233⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        234⤵
        System policy modification
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        235⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        236⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        237⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        238⤵
        UAC bypass
        System policy modification
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        239⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        240⤵
        UAC bypass
        System policy modification
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        241⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        242⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        243⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        244⤵
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        UAC bypass
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        245⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        246⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        247⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        248⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        249⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        250⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC
        251⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC"
        252⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgcIsEEY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        252⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoYAwYE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        250⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        System policy modification
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQwQQgMs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        248⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSQwgEoM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        246⤵
        System policy modification
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pocIUggQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        244⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiIgMcgo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        242⤵
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaAcoAkY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        240⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        Blocklisted process makes network request
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYosQIAM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        238⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOEkcIcw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        236⤵
        System policy modification
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        UAC bypass
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwUkccco.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        234⤵
        System policy modification
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGgUcQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        232⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        UAC bypass
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcsIQcwM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        230⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUAgooQE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        228⤵
        UAC bypass
        System policy modification
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmgQQUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        226⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgEgskos.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        224⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RagEwEsU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        222⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        System policy modification
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyoAcQkY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        220⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwMAkswI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        218⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmMggEgY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        216⤵
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vewIkUkw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        214⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgsogYQI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        212⤵
        
        PID:1700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        System policy modification
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsMskEQk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        210⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWcwcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        208⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        UAC bypass
        System policy modification
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGwAwwws.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        206⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUsoAEIA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        204⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAQsMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        202⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIYocsQk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        200⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCogAQEA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        198⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIwYgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        196⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkgUEYkI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        194⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuQIYIAo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        192⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIQMgMI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        190⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEYkAUM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        188⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmkMQEIg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        186⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYMkAowA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUQEIoQU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        182⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmQYQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        180⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiggosEA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        178⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOAMoIIc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        176⤵
        System policy modification
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IocIoYMI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        174⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQYgAow.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        172⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcccMwQY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        170⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        UAC bypass
        System policy modification
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEcYEggs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        168⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqcskcMg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        166⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwgoEUcc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        164⤵
        System policy modification
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqUYkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        162⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikUowosA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        160⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asMAsQAI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        158⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkoUAMcg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        156⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buEkIsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        154⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOcQggQE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        152⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        System policy modification
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMgYoMYM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        150⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuAsQwcs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        148⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqgwEEIM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        146⤵
        System policy modification
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoMcIocw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        144⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYEsYgY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        142⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmYUkoMM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        140⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQYwAUUE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        138⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgkYQcQE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        136⤵
        UAC bypass
        System policy modification
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqsMcIkI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        134⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWUgIAQU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        132⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqYIwIcs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        130⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkgUwwIw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        128⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCowoccE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        126⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMYMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        124⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIEwkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        122⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System policy modification
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMkkYUYw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        120⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGQwYgok.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        118⤵
        System policy modification
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MugsoIAs.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        116⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ResgMIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        114⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkQQMsAA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        112⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyoocYkc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        110⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMEoUIAg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        108⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwQEMYoA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        106⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQkkYkYk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        104⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgMsQoUg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        102⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmAUUcIM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        100⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAkwQwcc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        98⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQgMwkYY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        96⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUEwUUEk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        94⤵
        System policy modification
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgUYUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeYMQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        90⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaogEoIo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        88⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSsAMAco.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        86⤵
        System policy modification
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOsMYsko.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        84⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgQQQEUk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        82⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qysIocsM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        80⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSogkcMc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        78⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QksYwQkk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        76⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgwccswM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        74⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kokMkgsk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        72⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmQoIMUI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        70⤵
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        UAC bypass
        System policy modification
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWQYUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        68⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIgsYAoI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        66⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAYckQsc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        64⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSQMogoQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        62⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        UAC bypass
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAwMQgcU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        60⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwUAQQE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        58⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkIkIIMw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        56⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksoMQwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        54⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUUQAwsU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        52⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tckkcAko.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        50⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEUgosYY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQMEUIMI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        46⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEokEwMY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        44⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMIUoIYk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        42⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoAsAcgw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        40⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcwMcgYk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        38⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkkUcMEc.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        36⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsooMUEk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        34⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGEIMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        32⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSEIoscg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        30⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        UAC bypass
        System policy modification
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKEIAAQg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        28⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUEUAUcI.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        26⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMkEwsA.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        24⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neAkYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        22⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQwcQIU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        20⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYwsEkAk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        18⤵
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYssYcU.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        16⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOggcEIg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        14⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcsYQUok.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        12⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoMkkAQo.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAAgIUMg.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQcQcEYk.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
        6⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQcYosY.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owcwswgE.bat" "C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3032
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3432

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4408

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
315KB

MD5
e77862562b77c5595825de211e3721ff

SHA1
e475e8ad0ed12fddb375409c4453d635a955a89c

SHA256
f4e298e03fbfd5d58216aa718b9f9a5860fb1c2625268f078ea462259f7093f3

SHA512
97d4a3a1697a41267f51e227683a667d7ca1793cb7a1fe9a6231bb2aab78453809864fe235a16889a201905425a489b75b45eff8f0681c98ee8b6cbc14ab80dc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
226KB

MD5
03b639c89ffa0e7ffef3e83173db4e00

SHA1
58519971bb236b86aa1eda51bf7684feee3ca58e

SHA256
e00ef7186bdf3b5fbfcd53c9e38634920220152d9b35021f339b7fd2bac38eb5

SHA512
5c943829d3d426d7787b2db0fc49681bb3f20569907ec9e948d5044b7127f11f7d9d57dd16977c273da0cef413c76bf5a7f707c8c20b667e7d532bb2e299b021

Download Submit
C:\ProgramData\rkYckYkQ\ZiQUkQIw.exe

Filesize
188KB

MD5
c8dcfca18ff034bd5769aa55392a4bef

SHA1
52011a8bb24a50f79e77c7af286a6410739241ff

SHA256
e2824ef5f04a7b3ecc3af65c097a44214bb536ed6109fd3d2fae1b5324e02f8e

SHA512
18c2b448cef18890bdc8785247310a6df22eb45318af3d260b44bca6c86fef27074cea18fae5158ff64afcc39d444d7764dd32bd1afaa1338d01844de6b2f680

Download Submit
C:\ProgramData\rkYckYkQ\ZiQUkQIw.exe

Filesize
188KB

MD5
c8dcfca18ff034bd5769aa55392a4bef

SHA1
52011a8bb24a50f79e77c7af286a6410739241ff

SHA256
e2824ef5f04a7b3ecc3af65c097a44214bb536ed6109fd3d2fae1b5324e02f8e

SHA512
18c2b448cef18890bdc8785247310a6df22eb45318af3d260b44bca6c86fef27074cea18fae5158ff64afcc39d444d7764dd32bd1afaa1338d01844de6b2f680

Download Submit
C:\ProgramData\rkYckYkQ\ZiQUkQIw.inf

Filesize
4B

MD5
70cf52704d857a03818892688f277c54

SHA1
eebda0351671a37fb4b9e25cb27243a7dc1d3dce

SHA256
50c5069bfba9f7ddcedd189ad0264e7a58328b9732a45e1103eb288d91094341

SHA512
814c82d203adb97c31016049f8162c68534903225e97c15aa3052d159b59ce86dc6937ee40647eab115648a53d8e94d1cbaf4a096b3c5b1e6d4954e48bcf0242

Download Submit
C:\ProgramData\rkYckYkQ\ZiQUkQIw.inf

Filesize
4B

MD5
c59aba3976c55b59e4778102da33a9e4

SHA1
7de429ecbe292fbe1ee29ef59c4f464f88731671

SHA256
8cd6b51f8acffa4c2e4e736ad882eacf764adc29a7b39fca708c23cce5d4eb52

SHA512
da8518a5618eb8c072969a32aa3d24c8ae6df176409b407b1389316ab7eb22536cdcebe19d3e168562d8942247e56e2eee8ea68c8c7ef6c8dc4f3f3c43b6e709

Download Submit
C:\ProgramData\rkYckYkQ\ZiQUkQIw.inf

Filesize
4B

MD5
ebe9c846b8a22ad4a18fdd760d26926c

SHA1
bd51814fca74706aa8ddabb1b5b684bdc02e3b10

SHA256
9abb0199ce0e59186fca6b006bd78e8d6cd9106cdf75e8a3b77abfdc525c9121

SHA512
a03c56b9e7bf3bf9f116df43cea050c799ebaacbf791b596c2253d9a35dc0dcc58491fc1836fc3e1e9cdd18ec037c7ff01490290bef2a0bd2a766d2709bbe813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
196KB

MD5
fce2dfd637176ddb8b571832238f72d0

SHA1
79ef82634cd7072705544c68f09ee2d88b42253a

SHA256
b142b98742e92182a1ae2baf29fcf355b0c24c143c8f4297b5f29b8a681e45ec

SHA512
39990f05d3a068a1f656bdabc142fa228cb33eb8edc1888886fa4dc57809917561bda2225851b8e4a136869b673f3fb921f3f90166dfc2928ed2131de275bc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4839574d3807246a5f6779f2a658f781_virlock_JC

Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgw.exe

Filesize
183KB

MD5
333312ebd452129ad9d5ae65ecb0c943

SHA1
5d365d0bf420569a1c7ea03e912801bfbc19e263

SHA256
4421e917ebb319d6825fb9e3b8c1539c3c4c0c2735a2b64ef8548c8982a1c004

SHA512
2a24f363910520d80e51ee546b8bf5ea688b22cd89ee48b26d937df312d405564516f41ee4c2770bad0eb8146619805cf8c167a387786b34b71989cbb4a1c310

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYq.exe

Filesize
649KB

MD5
1e9574dcd13f3a3f954a5508456185c3

SHA1
93b6b022e91e99b3cdca5cf8775204fd51cce5aa

SHA256
5d425801f592883dabcd3c37d4c676dffe1ab79d241824b2166536b77ed183e9

SHA512
5d2522635baa63fe809babe0c4c19d23824bea2b3c32ecaf27c934705c8e8eaa14b4e4b606eef60ebce8cc01d09bcbec617ee046f5de2fea83045643a167c6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEcS.exe

Filesize
196KB

MD5
9e05c2ae2be8e0f421720a9e532df5c1

SHA1
fba527e8170e4bfd850b86db6990a9edb7fac0b8

SHA256
f029cc5888848399fe947c970fb67170aa493af2d1bcb44eaeb2b04548572f0d

SHA512
8db64b097d516c87b19d9730647115055494643611c4017acb3768473f616d81e07ab4dae3da3d316a44cd7db294269568283b7a5c7bb13427bec6c851ab5c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUEUAUcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYIy.exe

Filesize
188KB

MD5
5bb61efaa3ea1824d93bd13238fce1f5

SHA1
8618a381426e6f6558cd35f2cac7feef69dadaf1

SHA256
685fd9ca9c2100e3fdd44f56a5cd56dcd35ada3fb7e6c15f0f749835dd1b1b55

SHA512
a0c92c1e3622af74c1a912dfc975f3ea00828ec97818171b3cd49b374fb491591a6c9963e386b69171fa35a94a998b47613d3468f79259a870b9a095b3e1aba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEs.exe

Filesize
197KB

MD5
283987afa0938d3d66c7285d40454fdb

SHA1
d8287817750bf447ef58532d728ad55361965768

SHA256
14cdfa335f4467d78da95a1071732984e58d10f14e472ebf2f04039043499451

SHA512
39bdec934da22b7593bafa99b5f327eb6c997484ec9756cdec7fef85450e77f24697f33ae5a91f1627596ecc74c8314214975236741dfded1dceaa3a816a2907

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsooMUEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYAu.exe

Filesize
185KB

MD5
4e59908408a4948711a9e84c881ed092

SHA1
a1687136382216d2ed3d8eccd029d19d4ed900e0

SHA256
53dc954324c8f1c026aff2eb26cd9f35f93e91b6cc695ff5bb8f4e28c6daa72a

SHA512
25e25b07ce091dd846e8b94786a691aad0ec263acf737e780177f446ac53524c46401bae2747ead20dbc84bf6372985c0b91e197b6a7694fb7929165b1180030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekws.exe

Filesize
204KB

MD5
5165d170c7a25bc4cccec6689430c85b

SHA1
5ea118a78e8e10aef7723d7600ca8b5dca46bf3e

SHA256
2dc3e7a028b0f6533c7b660b90a4d9bec7d3fa2b210de6e3935885185cb453ca

SHA512
4645040cd474557ea25baf87bfabceb0b06effe6b507aab0fce842e184b8586f52a488c17c9de631a6f5d8a8ea743797907959bc78e9503875a93b7b36967903

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewkg.exe

Filesize
197KB

MD5
b68cce6fdb1f733c92ae7aeecddf9952

SHA1
713c6799d6cebf22788963b19d6f5ae9e49e52a7

SHA256
2ea0572efe68a838ffcb83152584c4bda7f4b162d35ad1cd1affd8f2a9add651

SHA512
c3e34fb7a3bf96f35cc4131762ae8ca1e62a3fd3b03a038bf71ecf047e130951395455b276d1720157569ac3aac14ae53284b6d368f0488cc191dc6f5989d29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMcS.exe

Filesize
602KB

MD5
d3e78a7175fb6be91a9a3a215292db0c

SHA1
36ef4790eb2578c2545db1d9765996c22efc6ecf

SHA256
93690c82a09b78d926b9447b7de81a9178626d07145c2303f7c48e966a999799

SHA512
f79b96fe4b28063c47ca37adfa325021604c0df9a4e4987390af43a77c0b7f4a0608898bfbf90c58c36c311840f0bebf0ad6a877fb9a24b3db226468aeb4900e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYYG.exe

Filesize
232KB

MD5
dcfbda7364e8f5a2056d9d4c803c341d

SHA1
9448d0f235f3b1ac984a53fde3c7e063523bcc6f

SHA256
0397f03eadaa44ad0a9cdf97c6c02a06a915f1294856708f308e3133015c642c

SHA512
f37aafbaf08145c1098f79a39ed94470d8f8dc315a48e73ada9194b52d87a840bd04d91d268d2e3ad4472faa8e207c80798ee002aedccb98e857560dd991cb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fcsa.exe

Filesize
875KB

MD5
4df1692017106f29e963d1469a3091e6

SHA1
4b2c3ec85d833821acf21b2bb7f69bc9a42c0217

SHA256
7bf87611574855be2dcb8b2667891659e8767ac47660fa11a9405907e1fa44e3

SHA512
fb6b55b9bf8275d9e66b60d5d633cfeffc18ea76fc767f8c1b4146a79cb93a9a51ef670f1c4b1d4d18218adee1e23a4323a80cc73ed3ff4224693a6f958463be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqMkEwsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMkkAQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAMg.exe

Filesize
195KB

MD5
4b06cfe91dcb1b71dfc9177cd5771038

SHA1
69bd9287a4af08995cfcb6c753f6a5cb5f854264

SHA256
bb30a7e2c00eb1b1b8fb7dc24f53abb32067f4d62c6f9f6c668b40b6575df75c

SHA512
2a9cec3d7a7bf1d5675c7a68dd8d2dd939f653ae35783c6092a2cd5563fc4fd28b78d6b7895f2d8e8094127d90d9a9af287510623ff4df6fb7c0b05832734ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGEIMwIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQYw.exe

Filesize
676KB

MD5
2a55f2f0d3ccf53bfdbecc80a06c08f7

SHA1
57611e2bfa8feaa8efe35dcc78945365bdb78fb7

SHA256
a640f0ac81ab6f7cdad69972087325a1aaed395b69a94849a950806f3806376b

SHA512
efb5f1a373f406cba05c0a7018f609ed506b431fcfab87c92b1b490d48c4130ea95da4e204a1d698a17c792259e4fe41a23c1aa644aa112ac1c247f3d398c351

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYsg.exe

Filesize
208KB

MD5
6e4c36ae8fd81bb74e9017278d7f721c

SHA1
a814e6ef7808a7c3a783972bcb86bed261607f66

SHA256
ad6b33686f815211c86b1baca099afc5353c47751d6baf7c194677a18be4bc71

SHA512
7be9d4aeeddb4da2743645a2fd98977282b2dae382b0b064ea525f44ab017230a4e98b695dd5701f506496cf6845f6253616dcd23803c6696a68f83f8999ea1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgMU.exe

Filesize
216KB

MD5
ef339833cb32c49195cc62c4ca66b0b3

SHA1
c4d62efe81a9867319856dd16ac22c8986bbe3f2

SHA256
28af218350aa1cc50e7b2637a7899b6880fd9017739a520a51f7f88efbfb3c19

SHA512
d60ddac087f1458c7bf0ff102f2b2fde94bc016c58860d6a41937862c6ca0f42efb25f1e65f95dd763a3cf00d33c5d53555cbdd0bfd20e2c4d0e8abe7b3ad8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAgw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcs.exe

Filesize
313KB

MD5
f59be39779596fd29e9424e9e30ad7df

SHA1
cff5fe679ec9287b157c4331280fcc5f3d8bc24d

SHA256
d44d8633f9ba587126b76ec9e4ff2a79317028e5a199d1fefa89517165ca4de4

SHA512
fba803527589a38496df42ce004e38642a308debf0c5d15299d156aacac2f52cfb23cbcd77f4a2f5ab3952fd6df4841f7b5353de687b18214e91b7aa24bbfc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMUq.exe

Filesize
194KB

MD5
be2b58fcb891752b26c8feb87a4528ed

SHA1
f554daf20d91203aee0ec3731fb7446f272b9552

SHA256
e473a52d7882479a089f360292f7f97e2cf84659092029b836b632d14ea0931d

SHA512
5eda9d8a9cb0b93fd82a58aa8d0230f87b1d14a0e93782c28946a495c43f7d5bf5ac7af79a8ab32062039c067540c200848330faab396947322c45e7fd2ac3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYm.exe

Filesize
1.8MB

MD5
264ec4fd8404830675b3f9119fe624ef

SHA1
c5910889a9ff76f914d70ee030c678268bc1aa77

SHA256
242327df87df5a4336c1535f5e7376e4f4a90cac1b6f833aaf9e4700c322173e

SHA512
bd32dbae919fadf866cbe1b1631f06f2be7608f0dc25512d0ec71c88349c8461d841f3e77550b70f0e26b280896db32312b411b484fe7f24dd32f6c24720e2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkkUcMEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgAM.exe

Filesize
805KB

MD5
03b92c6cc515a8f737c96dac343aa820

SHA1
4d3ea7cdbfb514570bc6aed35274670ab70d3298

SHA256
2b1878b3b3b71f455fd806ae824a7e5f5bc0f7e84fe3c3a4afb817df3b920cb4

SHA512
f45987055c492709e1454fccfdfcb045b75a76e4188298e21629aa23669fac6308669c9bc3e8ac8b8967d072d2a97a1e7b408ed516766b77c1679809820985e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEQY.exe

Filesize
423KB

MD5
118d0ce893e3fe1c3621dec98cd98615

SHA1
e44203c1c05707e6f5f3c01786480b49d1db592d

SHA256
4f5dc99ac196b96eb4fd6e4361fc16c1301ba23f8c47f17c69b79c17cd7506e1

SHA512
d1b127d8f4eb22ed7cb7aa16257c17b0c16d7cbb3529f5570bb342fe4cb07fefedf35993c0b8063faafd4acb4977ceffc49adcf9453cf941c6683e52655841f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAg.exe

Filesize
188KB

MD5
e8594dbf4f54ee37f7cb3bfa5b8f50a1

SHA1
b6505f954def14c0592a79424f16c9d091734539

SHA256
a86b6728d6af98cb65f4e9dbba6c788478a258fda744b40306ad584bd02bf56b

SHA512
6f0ec5fd2b4b07982fb7af68b519215b8b1bbede98f018e9773f678ee9c57b140bf85ec8857f3c6ab00d0be5bafcd4e53e742af16558496ab00f885bbc459ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAww.exe

Filesize
189KB

MD5
3788a9914455b5e0881fbef4624802f7

SHA1
b0070e0fc4f16e316da7e50fbe7d916a476b9572

SHA256
ac5e0e98bdd56a2267f66164fe44ab743ea15fc503640f515cc2554a432bceb7

SHA512
8d1f7fcba0230e70c43f23a0cc9918f7a4c893ff7aa86fa6f2254c43d2aa19142dd24a40085e573e4529ad4c4c26c48b5e55cf6698e0f18d918e7fa4ab75c452

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKEIAAQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOggcEIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQEA.exe

Filesize
211KB

MD5
3c1f2bb51d7c3b85b612eda40a533bcb

SHA1
19f079e18f5b5bae6bcf61608c01e930cc98c761

SHA256
2bc71451956f5ff7f2f40196f9e6c773e263f08198936fc34381adfc9bb627d9

SHA512
91ca3edb1bc7670e1c8aa4145a5286c3f5d98401eff4a8709b4c80fcdecfd5e56484ccaea90c81e72ac3e26efa44d900edeb69dfe4725fe3c037a74ba2cf220e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYa.exe

Filesize
202KB

MD5
a996203d742665e6b98ddd63b2a7fa0f

SHA1
15515e209c2fb458c3a6f377c0a7d5d358c5a67f

SHA256
8879d0f96989fe02fbdc7d9b35b4b4135dea79f2a0453b01ccf9f3c0d88970f1

SHA512
044798650381104268dc149de6e8409f0b4b8024f5c6cec1a4859042c2b8c4f8f840f7616fb96877a20bf15291c9dad82b2fcb4a72e24d85bd09519a66f340a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQEo.exe

Filesize
200KB

MD5
03f603d5132a4ddf8248e149f4ab3d1a

SHA1
f34e01a74e30b3b6147826f802eb8b306401d403

SHA256
1a606acf9e579b0ed50036d9278252d773647d3aeeaf519723a68ed2aeeb3ed6

SHA512
e504bf08dda9a363a5a552ca357a8a60e9d76284df7643b8a8e16bb85c36a8892adffc80427504ec520ca837735668304e660475b23e7bc959d4f08a06114a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcsYQUok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pggc.exe

Filesize
191KB

MD5
e5d845583e39297ba1079053d7f50c19

SHA1
0374eabfdfb8331df8fb14b2a9d33f3f6bb5ebc1

SHA256
df781d365c53eb8b6f6f066d1e73e746deb4a5b8cb87719addb4a07c622d6fb8

SHA512
f779fb6145249f15007199005d67694e2bca51b4cb6a7944fd77d7f51ccdc9aebecc522c7a27091b10e07139f7c589d9e26664cce5b78f1e3b54bcf1c8b08765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pgoq.exe

Filesize
192KB

MD5
7a82d35ebbc60538a4be3e8f4ea8e95f

SHA1
4670aa80d812b331e5ef1c75a843790f496d3f15

SHA256
603f7936f8c32c94c5b3dbac2c2c5d56db06e14900cd422376c1137bfa28baa8

SHA512
993aed51e2a498036065a0cacce6fb0675b5ea942c13365878d1ec48df5e40792e1af901bf7722769ffe2559a8f45269ae8f3f573c1747686a6221674f479533

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAgIUMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAMY.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYoo.exe

Filesize
760KB

MD5
ed4c7561c36201248bc3c670c623e77e

SHA1
457c7609bcf8705471ed1f3e1b8708eb263133dc

SHA256
6e3c19eaf525bbea6d5240f11e1fb3101f24686ba7bf4b200b363ec0ca352152

SHA512
18ec648429b9a34462d05cfbf48966fd4dd141a6de1ff2fb950dd547233116cadde351c7de33891854d03cd6099cf5f6b6e50f6e2b3c2e35f0b3478351487db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQoK.exe

Filesize
670KB

MD5
74757e210c44e645d757a672db376eef

SHA1
2f05d569f46bd6d4badebebf9dfc237f5fa61ba3

SHA256
59e2f27458d16402735f48315f233b1d7480914418844c3986fe5b05511211ec

SHA512
812ee50e66d08b24cb761e29c47ca4767c79b6baf17e43ac0fdf8c502d06bc047be5cd7f55f07429c7dcfed121e335b9d7fd0ee034e07eb569944f0f7e9378b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYgE.exe

Filesize
552KB

MD5
204e6d6e9513401b4c396fd6d95e90d3

SHA1
ade5821b5e2b52bad2f389f0c5cd93e6b4da4642

SHA256
5be44f988ce070e8f2bf9b908e0a421165135258abd8b8ed841c67c3afcc3f71

SHA512
b804844033ac4df9e26ba573736aa82d8892c2c43eee0f8ead73cc8f7b9f9c00c5de5900d6a38bda1fbd5901d5f7837221402620f1507914a6a9b591a0de6f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwcU.exe

Filesize
5.2MB

MD5
28818fcbc82973c6251eff195de932c4

SHA1
35a8543e96702151d4b53e38e38ab4388a56430c

SHA256
c066122307d37ca1915460a4d75e7cf74957e1c27d250c3450177e317856aa7b

SHA512
7b69c5b57a118d52ad0bd8fffe4686903dd9ad598486747a8af96e88720cc9a85c58bb69998b648d59d163e24fb24452bc89af81dd51c963e9f08206a0775bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsK.exe

Filesize
204KB

MD5
b65ab5ff38fc6a451b47bde2961c930f

SHA1
3a423d03cf459b9f32c5f5789fa6c20f46d9d3e6

SHA256
85090a5300af9e71cbbcd095055c82cf73b2049e1f15ff16f0edf3c11d2cc14f

SHA512
6e97958b28371058f62856a0622e750c9644fd2256a590078c6149d266102df11b9288b71e320f18f92e82d6c0b638a23b50ee2c0f93b997188994a37c5e13a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIs.exe

Filesize
802KB

MD5
5d1129749fdb20fdaa30a09027251d66

SHA1
2f56c624dfe588928ddf2c8f7d1131f122f47724

SHA256
5be79298d1f9426e8ef2fa199be597adf7a391b8a77d3154fb0465ff4d9e0589

SHA512
a70de6805f645909acaf096348e4b53a41e636b17a1311ff6d9145613b6f537628b93acf68bfb39f913bd38d584719fba2b5ae0168499ca6f6d305377b39a8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMi.exe

Filesize
643KB

MD5
f147fd3e6abaaa53b09078d3ba5648af

SHA1
ffce14aacc82d214e1991e98a360a567bf78bd30

SHA256
2efa55121d9e05fd1f1a1afe12f37b75b77f14bf316b8179a53d05068f2f5501

SHA512
8b5ed983939f80a6486c848c955a263201df23f4ee16330669d0c8140c6aa53c51c2eba3d46f0802076f978afe1a5629c05a280ad378f5ac03fd7ff7f1a4bf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAkY.exe

Filesize
193KB

MD5
8bc124a5ddc6178a8e5b2fd12bccc3a3

SHA1
6dc0fdd04afba6d350a88c7c56ca6e12065e7766

SHA256
b11d38ba2420371e196a1737d68188dc58945b825278432957d1e5c6a9e8a416

SHA512
0c628a6b2ea71c1c2b6250d5c64fd3d0bc5fcb673f3b3196ea2292dce6c9d50f3c684c3843258ef39050d680d7f9d00931cb420b2f5d7424aa244ad128183192

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYoe.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgMO.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwwk.exe

Filesize
225KB

MD5
798f81da89ad649c3e1650ca40883961

SHA1
b149bb95137fbff152f90a6ce52692f684bc4d61

SHA256
28345d36f9a8ba86bdefbcf0a03d135c766438359ab799226ae2ffb4bfe3cc6f

SHA512
51cab21041b33e5256b9beb654d1844dc357650a49af9a6c2760ede84031dae57e5be174a59dd4aefb644ecefb17cf53846c4b3db2501df44da0a2b0b9e5eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQMi.exe

Filesize
1.1MB

MD5
08e0a010398d3785d43bf9156d81badf

SHA1
caa543e778cda4e7c43ac2ab99223a68e00359f9

SHA256
0d26dbb62303a904598daace6b07eb754b05fbd9db482b88bdf7db6070e817ca

SHA512
2b754fb4d9f32de670fdd98e9c10badd86496c01478d7033937b64e52da320782cf119df5bcf03c23969feeb445d911d3e4bf97008f263ce60dcedc502bcfd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vwcu.exe

Filesize
208KB

MD5
7f7edd9939dbe8f668d378c75ad07715

SHA1
12a05f9a0c58a7beb0771e7c3818a029cc3f20e3

SHA256
91826298862101380f5e1a01bf8d93d25da7e97bc7048536c4593cf3892c2df3

SHA512
71a3d8b191bf27b0e062df5350c4cffbbdf6770eb391d116eca70d1833cd75c1767fbcb38f6c52fcb53a987e48825bbbad9a7061b462e0cdaeab38c6d8e04583

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQq.exe

Filesize
647KB

MD5
b9c1d64ada7964bf810e7f8e1daacbb1

SHA1
b759926719560ef67e6a2fa7f31eff7103dc0837

SHA256
4b57d8de7dff778f6bec00403458c4ba3071fc23fefe35fe14f50ab66f359023

SHA512
5e0e20fb63fa6eccdedb709ceb61fad0f8010ffc3547c1e0de047f07cd9a2859baa307d3455b5da8952613494ecaeba45ecc7ec0a004d8c0b9b5ca61f27dbcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAG.exe

Filesize
214KB

MD5
c402cf89d4e822e858641fc641b03170

SHA1
c29ecaa273acd715d33e2e94202079355f397e4c

SHA256
46fe2bfdd3b331d593c6c70a6a904880471a6311523a0488d2cbda48ea631981

SHA512
943b8286a4392b94d38d58839963e9112019039df191c099e452e361a078b9e0a0e55d4b414961ea151bce6edb19bbf90268cf19c89357f95a01f14797b76756

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQE.exe

Filesize
188KB

MD5
9947b6739a649747a65fd4e043431156

SHA1
d135bd560325cd7ea489e67857b32e003f9c0630

SHA256
7d570af326b8a5fb20b59889bf7a716c1a3573315494fb2c9dd95ad8c3a5c413

SHA512
8fa0c8c28991b382235de18e1fc0b8266b48c8cf76b371901ade1457da794649b2a9e1aabc2bbc219ee2519f2e2e048fcc5c9d294f18cb06a0adb00a17f885d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQga.exe

Filesize
218KB

MD5
8794301ffb4b6adc602d85df6828bbd0

SHA1
3edc86fab78e8b6b0423dcec7bc76a47c6d44b91

SHA256
9af2f28415c6565fc82d8063023b6d425b026fd8ad6daa29cad6e8a9a7fbce93

SHA512
5ecf080dfc36dca5a3b95ef95f88b97dd304bb4401bf9fcf80a070c3f8a835e3440fdd821c7de50ab2e51800216546cbd85cba5f5c510c87b3531450dc6ef339

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUs.exe

Filesize
231KB

MD5
5bad61a4eedd593b252124f450712382

SHA1
58699829e1e035b05225c468aab091e00d5b568f

SHA256
bb16e3902d712bd708dee29797f995e2389925d81e780ee3e15ac431bae518ed

SHA512
3be87ac551a28bb0d533fb3110e317d1a7ed6b5e7672c9e6e5a4bd792b0d81a1e8964ab46e1ea640967237321b417ea87c703f523d92a12e27d2c5d0660f6482

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQu.exe

Filesize
195KB

MD5
c424419bb7947000da414790cd74a633

SHA1
d2c2c07b5c0681a766ffb172cda13c259d4f28d2

SHA256
d54f3d670028e7894634fdf716b4bdc822d5bba608c1212ea829ecc37fd146dd

SHA512
3642e60c107ae2930d1e522691e4d8bcf8d1bd7997bd1ff78844ba5440de431e5bfc961dc65a3c9bea2b1bb5d172f725476ea25b182148bf01276e7ade6edc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMc.exe

Filesize
182KB

MD5
ef805f3353b5c38550b3475fd150564e

SHA1
6d94b11345b99e32695001b6c1e862b025f50a38

SHA256
b918a9fb62c0d12045933272df25722820a8db1da90d8014ddcd777997b5112f

SHA512
8e553eed6126a074be5e459fdc4a31eb34800102ed3b086c79e9bb1eacffe304e73836b627aa8ab937f0a880fc61388f2a25a254a756f4b9dce437dc5cf476d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssE.exe

Filesize
251KB

MD5
3b17776a214ae514fdb2820f5dd54536

SHA1
cb9929bbdca9b1a297601fea05990bc2dd6b1e0e

SHA256
55a016fdf996083b9dfbc1f53fd0e9ea96978e932bbea76affb2ac12610f556f

SHA512
e4bd3492deb45116250734290413f880cd2c784b572feae733a4a9d8a0785d5880839e92a40883bd8b28cb835ae0a15211131a1ce54ca81ec97e7bb2a8d069eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIQwcQIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQUY.exe

Filesize
207KB

MD5
4eb454a836ec659e3d06e754c5b219d8

SHA1
be44d368956506dfd43b5938f541bb8416aa4851

SHA256
5db73be55e130f89682c9a85d090f7b3e561c73cd4cca14af82f6f038bfd0c8b

SHA512
cefff98fe00f67891045bad23794151b6edc074750e953c975dcdcc7f02c912a6f93aadad9a1963409b6c2cea3a87fd9b9a3038842dddc31e736aa002907fc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUwA.exe

Filesize
186KB

MD5
fc75948a595d9e30c1aaa21e7c525b9e

SHA1
acbfa5b397e632c41b7731dc86978e2e9dfbd5a7

SHA256
c82e32687e601164768db0ac68cc08457e1b95b1010cf8e7763a6c9532e52d91

SHA512
9086315dce7d8dc71f7828b9e16ac3a1c20d272df5c00a8f5aeae1e82569e254e06b8522b75838419202eb7938f4d81d781848efb7fd8d2eff58d0fab363305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkMg.exe

Filesize
205KB

MD5
8f736f077efe268afe7447b89a2d9d5c

SHA1
8eed3f526228f74c515dc3f41ed37b7701b00e92

SHA256
2a41bb362fe1665223e140186588818328d794d542304b0e6bb49b31f3fb8dd6

SHA512
6d22d1ef1f087e89bc0d52ca610cc8ea1b8956850bc16e1ac08785babc1c1a527de39a802361a4fb552a954ed7b656b90eaf7b862d79bdb9f349a1d2e7bd72b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIC.exe

Filesize
189KB

MD5
b1c78386c108504af928a3523618a219

SHA1
5374224b54defb9beefd29a72941a986dea8a78f

SHA256
653ae8c5c23d504bffd3c1acdbf5d3b52e204002fae44b10295a9025d2176204

SHA512
667c1529360142f955d4df39d3cb6d8c26e2865af5dee05bebef74208dab35d9188d0fed60ebd6580a75c3ee7cea0aaf88f734cf149236fc382549b607fbe433

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMom.exe

Filesize
230KB

MD5
848d6595cdc34b702b4504427af64452

SHA1
db182881f9ed170df2d753317a02a9827b48df44

SHA256
d97b9d7b5a69afdfe8c9714aeb425dcf8d1a18230a423d502c36d9b19a5a532e

SHA512
fd7e2b26841f2257f15037c499bba3bfbc0a1c6f5326b4c09a83331f9418f9f3204f19effd0204106ba8bb1e2deab054380e024f2b1e61c87a624456525e5ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYAs.exe

Filesize
237KB

MD5
a23bd36625acab8d2f5978e32237085a

SHA1
1374fb6042f59f27f40d0a11f20d37c5c2335fa4

SHA256
7bf3a7f4328b18ac630986a27ba96b21c70ff31172a8b86b35693277424742d9

SHA512
ab8b0be36fceb01917bec8c777183b5e9e42423cdfd4c2df620a708b8c0cc8214dd3f8e375fcc6810c55b609aaa44eccd45d79d97b22aa2030648013892a75b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgE.exe

Filesize
689KB

MD5
e73d89853d4c011970c0a59644afd831

SHA1
2f61bf21c82c345ac51d03f90e8f33cd63f7001d

SHA256
05d02dd9f9fca0c6f7c632796669fbb743f41ffb6c28d15ce9722302e7c67894

SHA512
ed944acba9c71ce7b8bbf443be3ece806f299a4a429c9bcec875422bd0341d30fb66f6cd972e1a2b243b55943aa1d99ac51ff917aec036e1ed3dcf4716168df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMQY.exe

Filesize
196KB

MD5
fd806be321883cbc8db2b5b383e47ce1

SHA1
1811da7aa65ee52fe0c1e7b43504326919e91f78

SHA256
326a1af938fca850d6883b09a3159020be91f4bb317b8995fd666fe03c35b1d6

SHA512
b0f9637f0a7173ef4c33f3a8c2241813aef24da6fa485a812bf8159c46a5693033ab39d53bf5692c6fb0ac813133c6d43cd3dc66cfb8a79ea692c9489b085112

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYYA.exe

Filesize
189KB

MD5
a4fd1aadadf424930b9b238169ec3c7c

SHA1
050679388403e1bbba5ffcbcb3f5ec887cde52cf

SHA256
80bd01515e8649f64124c7694b45e7337c14cfe9bbb938e383f0ac1e85acf0d7

SHA512
1046572d70fa1e96f897d10b2fbbe847cb4319e7e398a077c38c0fb35646c50d922f88c7f619802fd278cb9a7fd59ac99f05e308fd7a2b360f29c8f0d147fddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYW.exe

Filesize
775KB

MD5
a8af16a2142abd01b7294317dee4fbbf

SHA1
68d003a5c09f08c84a8001f9b2dc7bda25ad8139

SHA256
36d3d72a8045443711ff2138c316c2b9248d6f666146e1b35a598b9c22489025

SHA512
0c65971fc75248b9e3f3e171f8217d5fb43d56a820063eaf33dcfd24c58d045630730ee911df8908053f403236b3fdc748d189c63c4fa5ac2033a68d6173ffdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAEa.exe

Filesize
952KB

MD5
e8fcef9874f89005d48f1ecb97583d8b

SHA1
f5c79894e9e1cd60cf6af46794556af76e2e13df

SHA256
7c2135d4e04b5cd75285668e8f295e93ecc87eb5ede1855ca8862c3423b9d5d1

SHA512
44b0f70ea5a889ef7172c3ab090d4242fa2e9b527596cd4e92b4e6f61697214ff74b0752b2ff246b095d545bfa28a0b9a9baceb8bd1398b0c22c0f842718dfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMAo.exe

Filesize
189KB

MD5
75bf909d7593685007edcbced923b2a4

SHA1
fab936ceecca36ac9aa5fbc050ee3e5b95bc3c64

SHA256
02237665b5f38bf71d623a6b79be033244578feb0dde1ec21ae6b5a66886cd17

SHA512
b8fb0ff28e9c14b2cd5dd7e9a0841a468d8d37b83d5804abd50c98ea5aabe8c095210238eefbadb882e56fea831b768c32d4c41dab107d44f2ef18dba1dd71a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMQY.exe

Filesize
202KB

MD5
3d33adba823bf3362ec140e0b67cc8a3

SHA1
4ebdd35f43af7879111a9170cb8d4a4322609477

SHA256
fb2f767244a9a614f200f9a9b264a22db4e560c01352f12a91644d75d8f33b53

SHA512
b45e46f75a1ecd27db4290b44e13981bebb3c2084e72e174a34c46123525a4fbb885bf0344b967af54db231fb9ce5367706938555e773bfd089d111bcabc5f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQIC.exe

Filesize
1014KB

MD5
e172caa7fcdee1cd8c10284e6f5c647a

SHA1
b45f39b4fd39926c5c7f845200839760d5e8a4e0

SHA256
25cc5d50afc52863402645c12182685ae57e3f01af4592f273efe6ad7af807e3

SHA512
bcf256ec925b294cfbeabb7e20c8cf4f60df9434fb0aee6ec4829ac012afebb167d5f57a326b9f204e7ec66d40fd1cc415b78388fda7ebe980da4ba0897dae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsQy.exe

Filesize
199KB

MD5
3b3cd330edf290c1bf56fb7faa06dd74

SHA1
6701ad7bf44318b6e21107eb3de7f2938789bb1d

SHA256
e0c3738ab061f2fc415a78c3ce8d943f6f0e8573b39cf448663d67665dab5d1d

SHA512
655c95cfe2e9ff92f19e893be63447b0c57fea46b531faf70fc15c4575351dd940cac11d7136532beece5d6a6cd9dd47b9e1038767ad6648f612d62d4223701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAoy.exe

Filesize
209KB

MD5
69333e2c42aeca11167bf8407983763d

SHA1
35f08d1272cc73808e1a85e0f15bb5408c861ee1

SHA256
ab9d7fccd3289f48a70c93b586bffe4683dfaba3f031aa1b1a41319a0a792ee7

SHA512
a88dba4ddb0a54f4482732d9e3cf9822a3576ec438693a3178f624de64d605686e0802f64c63f8436210c3813e52b00621a6d897ee4dfd60abf4ced55b39ab53

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIwK.exe

Filesize
201KB

MD5
a55b447b05d0d6cac418c86443fec134

SHA1
b38dca7b806637a1c515d4c0c774a06ab554b38e

SHA256
9d68378a45417ee402e9846e14f993d7d5a0dee0274c99394385230da8169fc6

SHA512
a7cb290ded8c5157c130adf6fb416bf725e1369f77caaee7064329162810ca15d10585c551de4ebfd149712e6b491ec30202397b5ff04da5d6dfd5798d3ec105

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgQS.exe

Filesize
397KB

MD5
a096538ceffb364079031b322ffb0661

SHA1
8bb6bad44e4d26bd2616acaa24924c93d536f4a7

SHA256
302edc43a9335f14738827d72371e8399e95be4644f58fdf3324f970e392d5e4

SHA512
dd36395947c0199ad849235caebac1a0c6697e54ff79ca16243b5f55ddc71e90377b588f3ea85a92d6c6c6c4680c1fe4d9ffbf978e4bd2d4f392ccf3794b2a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkci.exe

Filesize
849KB

MD5
4d35e7f458aa8bd1455ce5f1ff631b7c

SHA1
1342f2ffbe7490938bf33a0d3ea225a3ccb77933

SHA256
8cc7f1b5d77d4ca909d329ea84b85f6bdedeb7bd7f06eeec30a39ba9ce2082de

SHA512
6711eff2e99c0c2b0319c02520beab08166dd596548aabacca6a3667bff778e905870178f01bf1b8f533b26fceb2cc8d9233338499cf8c87dee35ba90b0f0dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsYY.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\hskA.exe

Filesize
502KB

MD5
59656bf48a95fc5cf308300c15c38ac5

SHA1
71ad7962ca5eeec590ac696e5f8a2680c599c147

SHA256
f7a20e7742e45f3297aff872377ae5e30266e8fcdfc61aa7aaa5d2c9ec7b4609

SHA512
0db571d175094441d84c0dd4f93bbc2f73b298bd485dc423ca1c627f822ea78a4229840577ceb4165b1fd7a75ed27cd3611756efca952fbee3af5a4c8b22dfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIsC.exe

Filesize
183KB

MD5
304633ef3ca527481eafc9da84058a4e

SHA1
22ebea3376e81a470c81afed859b535dcd791fa1

SHA256
a0e40e764d1a7a9d66b111d26d7fd9a8148ab797f67ea57e5b491b3ee333c966

SHA512
36957e8d118f5d665a984ce1450980065e3d7838ff6e092e70bd102dd824e78ef5ea7258668ecb8d9d4c82f22e5bf49cd9d8b91a70b9f87e1209a9a27556ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMS.exe

Filesize
986KB

MD5
b20ae383e30f8fcf7fcab0173e9494b6

SHA1
632671b9867f6367c8024b0364641811b8ab9332

SHA256
5e3ccf716111d7b672cf482bd3b46570ec3692593f12f9980e41a0ea998f52cb

SHA512
d9dbef07dfb396d91feb0dafe18c6ecc634cd6bd45dab1fef683bb2d76cf7955f1282e1dcafea0d19bfe19c51ef2c08b3261f89ee474c0d34588517664847132

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYssYcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwUA.exe

Filesize
206KB

MD5
aa8579fc337f8c7bf53a6c55d915f46d

SHA1
4e63ee567f21274e9b8d0d34e935f3f0abdc2dfc

SHA256
5ae8ef458c69deac46aa3f942acfa594f8cd291ec9574a11de707359eb85c782

SHA512
73ed79316394e9bad9851a782cd1c022a0f097b094d35ab7dc248b3bebff36a8548cb0b0f9989132a5b66583a41b8954b7abf4b2f83ce18c14cc2dbdc6f4a304

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUEU.exe

Filesize
194KB

MD5
f974c6097ddf3c0c22b549a4d39afc1e

SHA1
443063a7442e79efd029c9f4b72b2124d0a31e44

SHA256
56493f0dd158ca96394f16d9fbf868efd1d80b8c417d68d53e4eb0ae1635f723

SHA512
43f523d3a95b25deae82fc02ec40f80dfe4e6389d9845040c9f7d862feb3173fd2344d7f618d247a4fe5d203a9aeb5bcac9e371fb3e2759703bd2e88cec98e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUIy.exe

Filesize
191KB

MD5
92ca9ccb4a9e91176cde12f99510eacc

SHA1
ef515889e45528a3861bde8a63af21097b4c027d

SHA256
7e896177a175e077b21c28c8b1f0d5127985cc82b384d6ec069c0cddf27f9f87

SHA512
4e3e9ef012813db218f0e7249d5d146275b12d5570cfb8681b0b21ca4666fd3d54da1f401a20c41afb4628c52951853c06c3b9cf03eca03188b23b307388b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYUU.exe

Filesize
307KB

MD5
be4015ccd1e8fe0623c55d741bb48ee0

SHA1
9610d4778998c1ae5e1d8ee49ee5cbdfc0941591

SHA256
b014316fb2db7fcd61203ca4a011c211506602426aeb527310984e76068740f3

SHA512
c6e213acd0d6f4cef006c4f4faae1bb2047813d6a53098640652e4269255a10a4e30c1194edd48a22a02cd1a0a5ecfdda7919ad7aab6ced820b5f96ce1786026

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYwsEkAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAEI.exe

Filesize
192KB

MD5
13eb3811c3eea9bc52d8a93c48b91820

SHA1
f50a3313c07fd961c6770bc63da9a4a28d949515

SHA256
1c84b245018722b6ea7d694cbb0e8f97ce111e748cf88b2ad7231e9f1a3dc6f6

SHA512
297137e8a16d3f501405851309bbec0dd8757e697a3f85e6e47047b87c6841382d6a07f1091623c2fd69f983de48ee640b5d3b809326fab8b5680e3ffea4c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkIm.exe

Filesize
202KB

MD5
151c180572adb204ace800c1281ad069

SHA1
563df40bb8d7ea661faa2d515d4eb16e32a5a037

SHA256
f17cd1c847d371e3020a1f67c5b9cb7da7761ee18dda960b85585ea5260a523b

SHA512
ea03af0a39d34b81e5b823d8c0b8ce62730e0e04ea220c4391b4da6f4d73aa772b3951999ba2bd5d44d86fe9b42218e406f3cd65a9f2a880656001e05c3dc70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwAU.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMk.exe

Filesize
813KB

MD5
3059d015b1caac0310597231e325b89e

SHA1
d4b82fe3d6304eaa619bcc1b25b23ca52f50b9f7

SHA256
735b7e4a9834259c74c8206064da6df88d0b10883fa0f75816cd91322b781f05

SHA512
79256c80806d4032eec7c2bc1a9b17009de0bd302665b17892fab8f123982f81c5d98b974822da5124a75eb6af454f68c5d24a053c3d49e6d51d550a5454ad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEQY.exe

Filesize
207KB

MD5
7959c738d320e33f0620638bcf38c4da

SHA1
5685508a3991406b6dcf893f55c98e5d4773b7b2

SHA256
bc189e7094d141b2805ec089c23400fbe0a952abcdc46722dc3b08cfbedf7a2d

SHA512
136462ad9402725ff71a360c6660f54cc9e062d8f729e4f0ad2e4a39011c2279e8a4c3810ecb21dc2701d1b627510062873c4955bc666ad9d153aac0a69a2707

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQIq.exe

Filesize
204KB

MD5
04bc5f711a66bf46b241e30d97fbab1b

SHA1
d83c8382e433c1daa67a780eef84d6b27b37bc65

SHA256
150c8c1872fc0932532f0e27a87e6880d6ad87e8162bed1dfe67ec883a59668d

SHA512
a898c81b04291a4b579da2452e40ed877c0aa19283f99e61621c331e04de6071b409216c44c3a6be8ddcdbb85be4bd67969b1c8b78e3f6f051e276ed79c2970e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQcQcEYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQcQcEYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUsg.exe

Filesize
432KB

MD5
4e1cea894774fdbe8a1d939747bbf448

SHA1
1f86e2013afd02c8d251f793991a84a98fff3b6d

SHA256
7379c439c46dd8dc8009eb41e2092d3ec59c5ff44c017c8da96dea2b81b6a396

SHA512
665a5b40bd9c3074b35094385b1639248adfc58e7796d1ec2ec51a0de2e6f983d625fc4f84084709aac55f82a189b8fb1ac82518e3301fd071f610d544274dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neAkYQAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngww.exe

Filesize
204KB

MD5
ae9cbce0d57d12b2dee7282a892f683d

SHA1
f969a2f3a7ae1307b50c5ba7b21b8fa2d4ef1e93

SHA256
4f9c1dc196e0a15a83e01378d65b70e5478489858a74af73d06cb6f25fa9d860

SHA512
7605a93c9222a965944dc158f12afcfc7dcb518f892478e8a7d2bbd1c00b0be1a65ebea8d9037a2509bc4e370247e2b3bb7ebf86f8a54b11c496d1038cc790ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwcq.exe

Filesize
589KB

MD5
99f288679483390b52ae44ee765364b5

SHA1
274b1b248a6d1f452094e204eaf99c80eae1ef1d

SHA256
762b097a59f4fd0def444be9435283fb412d079b1981c7aa379b8b9392664b3b

SHA512
21992cf1a14eb2ac9fcc6d4ed7908591f1465c669d346f8dc65af38b2dd793b5d9fb49365b0001d0c7e4a24e3b75e5f73bbf3a0cb6aa7ec07f018abe94293682

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIUO.exe

Filesize
694KB

MD5
bd7d155e1f36fea0a4cd6497ad36e899

SHA1
477e9709f4c8418d632e0776296360d32f2fd82e

SHA256
6f3065cb9c41dc230207ac79cd4f305dcd15b254f7d17ab9234f425bc28a54e5

SHA512
567af3cad1f4314c091e42405b29e8eee1f232f542ea36f8363307630a1d11ff28b03cc4fe3d81c84da6f1560a128621999f527bd4ed286e7c4e760c2d1ff8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcY.exe

Filesize
1.1MB

MD5
76839cbdff1cb95e8e991162e44bf67b

SHA1
cbdda1c6551b511ca04ee3ae14fc162e651d7d57

SHA256
f4074da1ccda0ba0eb4dc79251b78738e15a8aa4a1bc9449ce730c6ce5090594

SHA512
d5bdf11292a444164dc10df9e7de8c45b0e73262d3d1870a1d04acf253958dea50f1b3c7e8e345fdfa2605c73006c6d4870010a81de27a79ca8e81292118dba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAw.exe

Filesize
833KB

MD5
3ba73d175dacc4484897deb50a37fe6d

SHA1
8a3ccb1618f5bf7cac11708a8c1bef45ab988bbf

SHA256
4cb6ec1d9b29f720899bd21b6c2f702c07f32751456eb8090263bfa154ea8bd0

SHA512
212d9b9253264d6415b5624754445c5776849edf4e07387b866b9e3afe8c4a531a05d26e4030797578f01693046d90e6d57eafd657b1ce2f26db853d58a95f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\owcwswgE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEkC.exe

Filesize
648KB

MD5
995cdb10083b1543ba007d9fe4071026

SHA1
7ef35c4292b6aff418aed30bc8a305d1f37f22d5

SHA256
a4bec2d77fb05391e9f3ec156a547d5babb46a4648c3daf04364519de92b1aa4

SHA512
db46c2a0ead4fc4f839dd07992d77fe6b4ed6b19495c87186f18021a32d89a80ee2d76b945d7123e3feef953c3ec3fd46035c96f2197a3c57c37c6bff5c63637

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUYs.exe

Filesize
307KB

MD5
6eb90ac7dd40de7b5afbc714abe3fa91

SHA1
e2b86328d5f7d8d3ba8f6b10acf9f92ccac237db

SHA256
b4048f5a6575493cee921d40f373345a88865e2ae6f17e9bbfb7110f0e47fe4c

SHA512
c97f0c5aea1a6509dc72e3cd5029cc9a5fd1a8d7805bf6f87f1c20c05f1ac182428a44dfdb9c263971acd7c88b31e88fdcdf686f1a49e076a3cb64c9eb323fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUsU.exe

Filesize
215KB

MD5
2bbc4a8755117b45b43e2f045bb27ec8

SHA1
10f0fd39e30221f238d92d766952bf9d5e2d9f45

SHA256
2e12323fc146a6b96899a2d6461f4ee33d9868beabf4c65112999bbe6115a0a4

SHA512
e14cf3d71b5e22a0eb632b40e32d3c89e8bdd890ff2d74d9e7f800e54e758c8905762a2290580a6a74b82aef8d73128c918c3e9cd46cbe708db816a5c0b5f01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgce.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\posM.exe

Filesize
403KB

MD5
9337ccd4b1a85fdcf46f8adf5e5bff3f

SHA1
d7a3cfaaa92e2fb04ccc22e6b9d137e42faa4562

SHA256
bc0d1c52367f3817899fbbc9c9f235a8bbbe9f7fccc93b4235757c984f3079ce

SHA512
0650b926da7ab89ff576873e424a8211ab75234ad891d86e41314a8913b9299b8090b65974df8b2b619a1c612f8c576ce11995ff57b7d8c304051bbacc198bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAQA.exe

Filesize
199KB

MD5
5bb3dc25726ee44758a57e5117fcd42a

SHA1
d2a418993d78ae8acd0441c88436bbe377b8e915

SHA256
6a8cf74ba209f4de43c57eb39e77d25889d0158796cc266b0f29c6bc340dd817

SHA512
283ef9e071499cffd4c2dd776d9270f2b7223e3cea83b2335b9e8e332a686bca253316e26a9e8fffc68db226b1b43eec14b662db90f1fb62496421ebfd6261f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIUK.exe

Filesize
614KB

MD5
582088903eab1221d8b6137f5f3b21a2

SHA1
65342dddce694eac5a75a188d3a7fd31ad4fdf9d

SHA256
9e1388056b500734a72032cb04e7c2ea4e1783bb73160ac8342ceae0a9731524

SHA512
f090268a6bbb9a15fa160df024714c9c5abf17dde90aff481387676713cff26a31cf618e4ae2824229caf9402d69725edb8dd28918a34fcefb4af51aa7c8886a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcwa.ico

Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSEIoscg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQm.exe

Filesize
5.9MB

MD5
6d212df57fab06237147309edd1a498f

SHA1
b9f4ef523891cf9fb7b73aebb2fd1ed970a45f9f

SHA256
2db294d111fe2251778479732d37f435099f0dd1f47b2f875fca7f75eed26a5c

SHA512
036332341cf24b15d8a5c4a71c631ec2274c0547e961ba23bd0ea9efe68ffc48ee5ffe81f24355c4ccf03cfd539a0610e519ab0fc7087a7460d47310536688f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQIG.exe

Filesize
198KB

MD5
22e26625839cb857278651eecfbc9163

SHA1
d8c67d53728cb8a25f50326311b3ce63715c9c96

SHA256
9630d34be09f11fe40069fd0f4fd9a166f395560be9cb1836a1bc92757700159

SHA512
0bff9bdfa229ab3a17575bfabeae26d4912aee551ece63ae169dbe962020b47e9d0fa1b03f6acd178a7877a224ce5c948f63a864d354360c87141afb92af99b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQW.exe

Filesize
676KB

MD5
39c68880a94c4fdef6dfe4e91c8683f9

SHA1
efb7c5ae55de62ad39cdfb39065cca2999b4dbf1

SHA256
ab46e9c57fd2e19cf140a6d03934dd794673b4e407ba362833b8828c111ed4c6

SHA512
c249477ceb508fb64a16fe717f574afe03e9f3696253d042ce960cf2ce3f7dfaf429ec3642e6e34d6c19e22c1f3032a797ea0ba457bd0cd1def4ff5c9ec6c7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgc.exe

Filesize
200KB

MD5
3a0a6c7635f886a828e2621a061e3375

SHA1
c7058c5f3cf52abdd65d5ebc0b31c6c1dd88f0ad

SHA256
e6a9edd8c1e419f065423c8bc6eaa09c5458421f240313c9aadfe7805bbdfda4

SHA512
689840688cccff046e0ee5c63b3db9353c06ce00973d5b8da2a690562a2392e0aff015d1457e2c389a2c5c4b84ffd34b545b4d69401115c004d5e1fd40183047

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAsG.exe

Filesize
192KB

MD5
17bb4d5ad45dfc764611d32433c1d12f

SHA1
3ead1cbed15a2d1f8ed21a0e6a9e770a179ac79a

SHA256
191fae28a517593d890bf2809fc689a4853569b5cb0d3e6839a175f41bcb6b54

SHA512
fc0162ac64525354fa49177a160356333a83633039f85510e210e7a6b084febb3bb244e656c32b4f1fd371f1bbe2e4d5bb52c055901d5e7d0b24903cf3dd4af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgMK.exe

Filesize
770KB

MD5
8907c987cf713181e25bb947671aa19c

SHA1
3102d4bbb0e744b0f453aa3226365d808d6efb00

SHA256
bb8167599151354f539e79242885fb978503ae92e3a27e27b003ebad2f9c3c67

SHA512
656f54eb8bedb03d98aaca9a56b2f4655c20138f8bb9a83b09e1f4b46e475945741998bf2b8681bc81f84e7750321a4172fc8fcc8a8f4e46db53652ffcaccd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\toMu.exe

Filesize
201KB

MD5
f8674e848fd2f20bfa69f4369839d712

SHA1
846996c99b27c98a6f70903cb1365077801f54a5

SHA256
cb68d3f23523db7327759b0b331fae25cc659e79ca86a1e570717942cf2528b8

SHA512
dc54133eadbd9cdb01e9881117e03de1c8767fd38fe1e6b45f32c7da953053a0408d15cdbcc8225770919e0a612f7c4d3d437367c6278a91083cda3e6f964e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgc.exe

Filesize
203KB

MD5
c0cb1db489bd05da6a060fdae5750802

SHA1
19b86b4d48c95773f894b2ff3002175f09d22fee

SHA256
41753b054ade80698cfa8d261cfcc7ac7739ce12e7f89deed450650fe7002b5a

SHA512
202ce1e7454f04df373df16a9462ae58d6973e71aaff1c3d1208b8bfa19563652625e8bbd96dda8e64430e2c696155759fa76eb9f6941dca31a3d543a0a44be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIkI.exe

Filesize
189KB

MD5
36e1718cf84ee3c16d5b0eea054fdef2

SHA1
9183fc0447677bec3c2e0271af953ac1b8bd9480

SHA256
acb950befadcd862ca5b6a30c6cf7ca6c1dd2ca95bf74463e8265b3852daa894

SHA512
d7afc897a4ea3b9d84fd1e7d7cda1e7cb54233f4089014f08c2960325c15eca07d9b4acf0dfb9aa888dfbdb002f1204f028f694d0f615ffde596c61eb97c5b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMMU.exe

Filesize
201KB

MD5
0188e32d72558e5954d5748982686bfa

SHA1
266258f17bc1b9a1783ad6d3884ac31a91ce5417

SHA256
21e8eaccce8625cf7b603077178ddd449574e1f11864b4817fa9de32cd302fe4

SHA512
0755f373d53d1026a3f2897b9ac8a74856f402dd9b1aa3be06387535fb11cac5c65635463ffad7aed8340c96a121446e5b544958cf359e56722d6cf3953f6ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQIG.exe

Filesize
194KB

MD5
9a0f69cb69fba9ef64874f0500690e85

SHA1
f3654382bbfedfd04ef668000f321e530e23b110

SHA256
d2b160b1376a8ca833bd9ee24b8745b63d244ea7fd26ef09fe141e3b34f9a7d9

SHA512
d7c3c71ae818d07db4cbc5d2c9a79aaf980c51e60771b9562416615de37331c7ac0693c78ec726cd79d96260bc764483046ced347d08e3542321792106c441ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\woIM.exe

Filesize
197KB

MD5
bd3bf4aca740c243fe85e94f89bf7886

SHA1
2d7e41b07e533b2c1c1f6e20ec38737cfec387ad

SHA256
396f94d05245b03ec41a41dc8f58d4f14b7207aa21857df98915a7c3839a3979

SHA512
f9196b0d6d0d1cfeca86c27410f76fa314eb6106ba77cc4b5fb772ea812bd393a2ca7f1adf59112262db41a1a6a874c20ca4ca788623094e60ba8cd50884a1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyQcYosY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsUu.exe

Filesize
510KB

MD5
f14e738933af9e98b28a8fdace7ed668

SHA1
dbab7fc4536ed8362a2436b1736ac7330c2e72f1

SHA256
572e49a7cbdd6bb3a6267acfc61b31873da1f50956cb58833caeeaad5f43c657

SHA512
ea67b33936d332de33f43229a1b8cfd72818e28e4404620887d75a3df1ba8bf0339250040b6b92adc53452784a8c3da96d3655c477ad284f1ad65d5a17007199

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEIA.exe

Filesize
213KB

MD5
35ad2523c437c4b901a832e8dedb576e

SHA1
06a88a0ef31dba7a8b69fef5611b7e6954c7110a

SHA256
1c0e9304781c04aa54dd51130796f67f25626fa63624526c2acd6671e343622c

SHA512
547f698cf23c7052a865a6f4848ab2dc36373cffc7ef296636eb6d7f83ffb74831959065c5b8238d30bce6f7e290f33e271d314cd4f1571d7edd06970b51143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYG.exe

Filesize
626KB

MD5
18d499384a86ea2bb9a7b5a1a843c5fb

SHA1
3f0eb69f2940ffe1a617120077ca0c118281a5c4

SHA256
5987f510a4267c71e59fcccfc1e44f61d57a687c61ad1fb117a23789c6db7fa9

SHA512
fed0815a6255f21745cbf654d534df7f514a9b3cc8fb4b01aa850defdc97a74bc074fffd120da12310069ac6d5748f906cbf2dcc86c78b5e6299d6315674c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgU.exe

Filesize
630KB

MD5
aac1940324c50da85300cbafe24f00d7

SHA1
cb79061e5845fd511d185fa8db94f2c5f05eeade

SHA256
fab975724d8985b69f4a345765b0eb13128a1beab82f46e2052d53cbc90acc63

SHA512
f33012514c5f7a8e6607324fa8c43b87a3888d5c63bb54452ecad536227a522e2395d92bf068e9a8a515a9d37bfc1da93c1e85fc98ca56e0e88029f9a9d43524

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUkE.exe

Filesize
186KB

MD5
864387f92930682e385bff32e42cdc52

SHA1
7a0be4bd83f19c87b987ea1e691b18962e6785b2

SHA256
857c01c8e86a806115089024120beeadeb4700b1b26f2f29ecc5345e2c015437

SHA512
45441a588eda4e99018e67e894e6f6724d63095624b1d79ebe038de7ae4dea3021fc493996aad3cd82779d9b4332cabb4edde004ef5a3ad317d91b112e1c075f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYEm.exe

Filesize
202KB

MD5
87a829dce914d8b3fa880e7d2aab3923

SHA1
2803865643bf699793188b874116128c0bec063f

SHA256
3499b5e31b119ad6d837458a41de94abb73f656c52e446905fc50f2a362ec466

SHA512
9c1292081187bf959456a71903cc7ee40224cffaf2e6012910e6fa6a7f913d8d065dce1e657254fa216c1306cc80e12d738d9f60c9b10e1121bbeaae859f00ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYsK.exe

Filesize
203KB

MD5
84317e93cf1b15ee39f690914eb8cc7d

SHA1
2b61e85013631e3a7ec683e8e42e8a01184199a1

SHA256
1c9df470a5b16a01a43e8f93f7cee6eb1f15c7cd1eebf9cb380d3d97ca41e620

SHA512
175129b237bfc28caa2de6b292aa91a3d8a7738ae61a501108efe48fe0fbb67a0a850e163ef4eb408e7bb37cd11f0cfeaee9340fea51629d3a2abc40683bf02a

Download Submit
C:\Users\Admin\Pictures\GroupEnter.jpg.exe

Filesize
568KB

MD5
3314bb651da12ea1cf480c95c3908d01

SHA1
d64ba964c7752e4299a42d5bf3ae847c0b047385

SHA256
ef4aaadeff3c9f36ef57f99228b6e1de4599a8342f9043294f9a1fb3b96fb3ca

SHA512
b8380910412d97ca912f1acd34b078ae075c2ef353b40ca9bf04b7ac74e0d69f856f80d75397e6f564a0f898284885337141bc14bbda19b52ace799883ee55b1

Download Submit
C:\Users\Admin\aIckUMUA\VQgEsQEo.exe

Filesize
180KB

MD5
7f0bfe5cd15f2168062da05b01de6d22

SHA1
e147d806ef77ff3b562d2316f04b44cd617292af

SHA256
71b38155bb478844b2faa22f44d8783800724424755717df082406ba24e2849d

SHA512
a407ccaac9e017eb23f1b4b5566d628887168098147efb942c1bdeb516d535d95eacabfe2c43a782e5bb05a40777482cbcff5ce949b4c2cf5085274312d6508b

Download Submit
C:\Users\Admin\aIckUMUA\VQgEsQEo.exe

Filesize
180KB

MD5
7f0bfe5cd15f2168062da05b01de6d22

SHA1
e147d806ef77ff3b562d2316f04b44cd617292af

SHA256
71b38155bb478844b2faa22f44d8783800724424755717df082406ba24e2849d

SHA512
a407ccaac9e017eb23f1b4b5566d628887168098147efb942c1bdeb516d535d95eacabfe2c43a782e5bb05a40777482cbcff5ce949b4c2cf5085274312d6508b

Download Submit
C:\Users\Admin\aIckUMUA\VQgEsQEo.inf

Filesize
4B

MD5
c59aba3976c55b59e4778102da33a9e4

SHA1
7de429ecbe292fbe1ee29ef59c4f464f88731671

SHA256
8cd6b51f8acffa4c2e4e736ad882eacf764adc29a7b39fca708c23cce5d4eb52

SHA512
da8518a5618eb8c072969a32aa3d24c8ae6df176409b407b1389316ab7eb22536cdcebe19d3e168562d8942247e56e2eee8ea68c8c7ef6c8dc4f3f3c43b6e709

Download Submit
C:\Users\Admin\aIckUMUA\VQgEsQEo.inf

Filesize
4B

MD5
ebe9c846b8a22ad4a18fdd760d26926c

SHA1
bd51814fca74706aa8ddabb1b5b684bdc02e3b10

SHA256
9abb0199ce0e59186fca6b006bd78e8d6cd9106cdf75e8a3b77abfdc525c9121

SHA512
a03c56b9e7bf3bf9f116df43cea050c799ebaacbf791b596c2253d9a35dc0dcc58491fc1836fc3e1e9cdd18ec037c7ff01490290bef2a0bd2a766d2709bbe813

Download Submit
C:\Users\Admin\aIckUMUA\VQgEsQEo.inf

Filesize
4B

MD5
bcdaff402fc545421d23ff629310ad6e

SHA1
b838bebf74f6f2750d568419b3949b521a6df892

SHA256
25e4d5af0231f93624b74acbbf0815375d66e1730633fae22fc9aa464edcff8a

SHA512
61551c4d8cb89f0ab15369e0bba6fbfd42f84d0bcf12d320de9f958f5b5bafccd01be26ff2a1c065b8e29b2fa00a1d045d0377acc4d2be258f4d51551491b758

Download Submit
memory/228-478-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/228-486-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/324-371-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/440-469-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/440-477-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/540-175-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/540-190-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/760-290-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/760-401-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/760-411-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/760-275-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1188-533-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1188-521-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1480-437-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1536-457-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1536-449-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1620-458-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1620-466-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1644-242-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1656-514-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1664-219-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1664-229-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1728-513-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1728-525-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1848-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2216-305-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2216-291-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2344-534-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2344-542-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2524-332-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2688-497-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2688-505-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2776-152-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2776-133-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2912-438-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2912-448-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2976-344-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2976-333-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3124-370-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3124-382-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3300-552-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3552-383-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3552-393-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3620-192-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3620-204-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3648-496-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3728-254-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3728-267-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3768-279-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3788-420-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3788-408-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3996-317-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4100-357-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4200-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4228-179-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4296-561-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4304-253-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4528-429-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4672-402-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4716-200-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4716-216-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4736-553-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4940-166-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4940-155-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download