ea1d0d59f1bdf4934d7e7cca759f25bebdfd26b4641e554066399e1dae9a0967

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Size

246KB
MD5

99df8d33b5994eafb5091985cb179bf8
SHA1

a8a0d1c03615a621bb7517ea8b3f6a2aa92cef5f
SHA256

ea1d0d59f1bdf4934d7e7cca759f25bebdfd26b4641e554066399e1dae9a0967
SHA512

574f175b472a7a6aeaf0582cf067dc449d7fabd5ba8e90677cbbf01e18e559168cfee18cbaadac3b3b8ab51e3e7b5b809ec7cc83cfa42eb083420e7de3f11fec
SSDEEP

6144:rbVh8tzlcrBZzgL/qK6wQoQLbguqsRJGjJ683v9r5txu:r5ycdZrJGjJ68f9nxu

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
2408	YWAAssQk.exe
1504	cOUUEMUA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAAssQk.exe = "C:\\Users\\Admin\\gUQUUQEo\\YWAAssQk.exe"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cOUUEMUA.exe = "C:\\ProgramData\\oEEQIYoA\\cOUUEMUA.exe"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAAssQk.exe = "C:\\Users\\Admin\\gUQUUQEo\\YWAAssQk.exe"	YWAAssQk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cOUUEMUA.exe = "C:\\ProgramData\\oEEQIYoA\\cOUUEMUA.exe"	cOUUEMUA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	YWAAssQk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	YWAAssQk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1592	reg.exe
2544	reg.exe
5024	reg.exe
3460	reg.exe
1808	reg.exe
2200	reg.exe
1128	reg.exe
464	reg.exe
4696	reg.exe
4692	reg.exe
2076	Process not Found
1604	reg.exe
2036	reg.exe
2132	Process not Found
3452	Process not Found
4360	reg.exe
5100	reg.exe
4984	reg.exe
2076	reg.exe
4800	reg.exe
2120	Process not Found
1892	reg.exe
5008	reg.exe
1212	reg.exe
1092	reg.exe
1564	reg.exe
1584	reg.exe
4752	reg.exe
4172	reg.exe
4596	reg.exe
5040	reg.exe
3564	reg.exe
4984	reg.exe
3040	reg.exe
552	reg.exe
4440	reg.exe
4788	reg.exe
4032	reg.exe
368	reg.exe
1972	reg.exe
380	reg.exe
3476	reg.exe
3992	reg.exe
4264	reg.exe
1516	reg.exe
3684	reg.exe
4444	reg.exe
4896	reg.exe
3264	reg.exe
4500	Process not Found
4964	reg.exe
800	reg.exe
4224	reg.exe
2304	reg.exe
1280	reg.exe
5024	reg.exe
1144	Process not Found
2304	reg.exe
5020	reg.exe
4904	reg.exe
4968	reg.exe
1120	reg.exe
1096	reg.exe
5100	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4812	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4812	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4812	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4812	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1924	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1924	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1924	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1924	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3636	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3636	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3636	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3636	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3564	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3564	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3564	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
3564	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2084	Conhost.exe
2084	Conhost.exe
2084	Conhost.exe
2084	Conhost.exe
1344	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1344	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1344	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1344	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2204	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2204	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2204	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2204	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1016	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1016	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1016	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1016	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4424	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4424	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4424	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4424	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4908	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4908	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4908	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4908	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4972	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4972	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4972	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
4972	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2136	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2136	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2136	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
2136	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1604	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1604	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1604	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
1604	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	YWAAssQk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe
2408	YWAAssQk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2408	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	82
PID 4948 wrote to memory of 2408	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	82
PID 4948 wrote to memory of 2408	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	82
PID 4948 wrote to memory of 1504	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	83
PID 4948 wrote to memory of 1504	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	83
PID 4948 wrote to memory of 1504	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	83
PID 4948 wrote to memory of 4016	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	86
PID 4948 wrote to memory of 4016	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	86
PID 4948 wrote to memory of 4016	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	86
PID 4016 wrote to memory of 3588	4016	cmd.exe	85
PID 4016 wrote to memory of 3588	4016	cmd.exe	85
PID 4016 wrote to memory of 3588	4016	cmd.exe	85
PID 4948 wrote to memory of 4908	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	87
PID 4948 wrote to memory of 4908	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	87
PID 4948 wrote to memory of 4908	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	87
PID 4948 wrote to memory of 4232	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	94
PID 4948 wrote to memory of 4232	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	94
PID 4948 wrote to memory of 4232	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	94
PID 4948 wrote to memory of 2084	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	93
PID 4948 wrote to memory of 2084	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	93
PID 4948 wrote to memory of 2084	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	93
PID 4948 wrote to memory of 4688	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	92
PID 4948 wrote to memory of 4688	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	92
PID 4948 wrote to memory of 4688	4948	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	92
PID 3588 wrote to memory of 3668	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	95
PID 3588 wrote to memory of 3668	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	95
PID 3588 wrote to memory of 3668	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	95
PID 4688 wrote to memory of 3272	4688	cmd.exe	97
PID 4688 wrote to memory of 3272	4688	cmd.exe	97
PID 4688 wrote to memory of 3272	4688	cmd.exe	97
PID 3668 wrote to memory of 644	3668	cmd.exe	98
PID 3668 wrote to memory of 644	3668	cmd.exe	98
PID 3668 wrote to memory of 644	3668	cmd.exe	98
PID 3588 wrote to memory of 2164	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	99
PID 3588 wrote to memory of 2164	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	99
PID 3588 wrote to memory of 2164	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	99
PID 3588 wrote to memory of 3804	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	106
PID 3588 wrote to memory of 3804	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	106
PID 3588 wrote to memory of 3804	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	106
PID 3588 wrote to memory of 2224	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	100
PID 3588 wrote to memory of 2224	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	100
PID 3588 wrote to memory of 2224	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	100
PID 3588 wrote to memory of 712	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	101
PID 3588 wrote to memory of 712	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	101
PID 3588 wrote to memory of 712	3588	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	101
PID 712 wrote to memory of 1084	712	cmd.exe	107
PID 712 wrote to memory of 1084	712	cmd.exe	107
PID 712 wrote to memory of 1084	712	cmd.exe	107
PID 644 wrote to memory of 540	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	108
PID 644 wrote to memory of 540	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	108
PID 644 wrote to memory of 540	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	108
PID 644 wrote to memory of 4276	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	110
PID 644 wrote to memory of 4276	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	110
PID 644 wrote to memory of 4276	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	110
PID 644 wrote to memory of 2252	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	111
PID 644 wrote to memory of 2252	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	111
PID 644 wrote to memory of 2252	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	111
PID 644 wrote to memory of 2384	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	117
PID 644 wrote to memory of 2384	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	117
PID 644 wrote to memory of 2384	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	117
PID 644 wrote to memory of 1328	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	116
PID 644 wrote to memory of 1328	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	116
PID 644 wrote to memory of 1328	644	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe	116
PID 540 wrote to memory of 4812	540	cmd.exe	118

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\gUQUUQEo\YWAAssQk.exe
  "C:\Users\Admin\gUQUUQEo\YWAAssQk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2408
- C:\ProgramData\oEEQIYoA\cOUUEMUA.exe
  "C:\ProgramData\oEEQIYoA\cOUUEMUA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqMYEAwY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4232

C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        6⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        8⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        10⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        12⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        13⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        14⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        16⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        18⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        20⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        22⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        24⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        26⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        28⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        29⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        30⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        31⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        32⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        33⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        34⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        35⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        36⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        37⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        38⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        39⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        40⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        41⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        42⤵
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        43⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        44⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        45⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        46⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        47⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        48⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        49⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        50⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        51⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        52⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        53⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        54⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        55⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        56⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        57⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        58⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        59⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        60⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        61⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        62⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        63⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        64⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        65⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        66⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        67⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        68⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        69⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        70⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        71⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        72⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        73⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        74⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        75⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        76⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        77⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        78⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        79⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        80⤵
        System policy modification
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        81⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        82⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        83⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        84⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        85⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        86⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        87⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        88⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        89⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        90⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        91⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        92⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        93⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        94⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        95⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        96⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        97⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        98⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        99⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        100⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        101⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        102⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        103⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        104⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        105⤵
        System policy modification
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        106⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        107⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        108⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        109⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        110⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        111⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        112⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        113⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        114⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        115⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        116⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        117⤵
        System policy modification
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        118⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        119⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        120⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        121⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        122⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        123⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        124⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        125⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        126⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        127⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        128⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        129⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        130⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        131⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        132⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        133⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        134⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        135⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        136⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        137⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        138⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        139⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        140⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        141⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        142⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        143⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        144⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        145⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        146⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        147⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        148⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        149⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        150⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        151⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        152⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        153⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        154⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        155⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        156⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        157⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        158⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        159⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        160⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        161⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        162⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        163⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        164⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        165⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        166⤵
        System policy modification
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        167⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        168⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        169⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        170⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        171⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        172⤵
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        173⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        174⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        175⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        176⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        177⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        178⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        179⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        180⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        181⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        182⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        183⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        184⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        185⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        186⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        187⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        188⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        189⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        190⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        191⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        192⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        193⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        194⤵
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        195⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        196⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        197⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        199⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        200⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        201⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        202⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        203⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        204⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        205⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        206⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        207⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        208⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        209⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        210⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        211⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        212⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        213⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        214⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        215⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        216⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        217⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        218⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        219⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        220⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        221⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        222⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        223⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        224⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        225⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        226⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        227⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        228⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        229⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        230⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        231⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        232⤵
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        233⤵
        UAC bypass
        System policy modification
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        234⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        235⤵
        System policy modification
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        236⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        237⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        238⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        239⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        240⤵
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        241⤵
        UAC bypass
        System policy modification
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        243⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        244⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        245⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        246⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        247⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        248⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        249⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        250⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        251⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        252⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC
        253⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC"
        254⤵
        System policy modification
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgQYEkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        254⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEckYEEE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        252⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        UAC bypass
        System policy modification
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsMcwksw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        250⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIYYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        248⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MikUsscg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        246⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        System policy modification
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgQEcYYI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        244⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYwcYAoE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        242⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGYIccMo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        240⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        UAC bypass
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        UAC bypass
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGkkEUUY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        238⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgQUEIEc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        236⤵
        UAC bypass
        System policy modification
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYssMowY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        234⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCQocEIs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        UAC bypass
        System policy modification
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGkcQAws.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        230⤵
        System policy modification
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        UAC bypass
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAYogQsA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        228⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMkYkosc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        226⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgIkUAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWwskIkg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        222⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkIQgwwk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        220⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSQgAUww.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        218⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOEAQQIw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        216⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssckQwsc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        214⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoIYokUQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        212⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MccscwkU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        210⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOIcwgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        208⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyUwsIow.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        206⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMAYgMEo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        204⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMUQQwIg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        202⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        System policy modification
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkwIMgsg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        200⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEEkwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        198⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saQkYgoY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        196⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKUcscIw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        194⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UacUgwsA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        192⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIAYUco.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        190⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqQwAwAA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        188⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWkoYwYU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        186⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikgUgEIE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        184⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUMsUQEM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        182⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lycEQYkA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        180⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esowgcoc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        178⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKgQgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        176⤵
        UAC bypass
        System policy modification
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWcIgskA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        174⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkMsYsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        172⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neQoQokM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        170⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\digcckAE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        168⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGYoAAwg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        166⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqEUcMIg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        164⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYcgsosY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        162⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWgAMoQo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        160⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwwEoUgo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        158⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryMokkMA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        156⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykQoMccI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        154⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        UAC bypass
        System policy modification
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        UAC bypass
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZosUgoYc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWQEIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        150⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEoQUkEc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        148⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQoUQMEM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        146⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        UAC bypass
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsMoEoUE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        144⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMYkgskM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        142⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QugIgwkg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        140⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        UAC bypass
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUEosYIs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        138⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcsIgEoM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        136⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGIYYYMI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        134⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcAsIAwA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        132⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCgcsQwc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        130⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOAQEAgU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        128⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsYosoIM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        126⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwUUcgEM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        124⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUcEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        122⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGgMkksc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        120⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcEgcAYc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        118⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKoIsAUg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        116⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsQMUgAI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        114⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYgscUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        112⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUAIgIIA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        110⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYgswcs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        108⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUIoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        106⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jckgwQEc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        104⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyEkkcow.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        102⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaQQAskc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        100⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWEMYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        98⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsUkAIgA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        96⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUIYIQYc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        94⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWIQQYss.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        92⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUMQoksY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        90⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwcQEAco.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        88⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKwcQosc.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        86⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIkQUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        84⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoIYAYI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        82⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QckQwcUM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        80⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaMkQYYk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        78⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PusogkIw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        76⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGUIMQAs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        74⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQEookgQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        72⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOsUMEMo.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        70⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiEwswYE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        68⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        UAC bypass
        System policy modification
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeYMcUQI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        66⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiEMAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        64⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        UAC bypass
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiggQsAY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        62⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LacgUUEk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        60⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgoAQggE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        58⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCkcsIEs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        56⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMwkMcw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        54⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgkwMowI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        52⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkksAQA.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        50⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaMoAEAY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        48⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgosgAM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        46⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsQQYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        44⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgUEAAoU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        42⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqEIwUMs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        40⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgsIQowU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        38⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAoUYwgk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        36⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYooUgw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        34⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEgksEIU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        32⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FosQEUYk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        30⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIIkQIgM.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        28⤵
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMcUocYY.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        26⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgkwgUUw.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        24⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWMkwEQI.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        22⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikgowkIU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        20⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGsYMkMs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        18⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fykMUkIU.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        16⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCYUkEYs.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        14⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REoYQkEg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        12⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dosscQcg.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaMYEgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        8⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1652
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5096
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMsUkwgk.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
        6⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsUcIscQ.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2384
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2164
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcEIogAE.bat" "C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3804

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b4f353b41240496e081c5921bd43e578 hiZcZoq5CkCj2pI2oso6hA.0.1.0.0.0
1⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
313KB

MD5
9515fde258cf27841276fab347b59ff9

SHA1
cd4b79bb5c459d4ae99a3a27ff4c0eb59ec81101

SHA256
63614eab4f0398674481f8d15b7beda3f6321d0ec0a37b5e07f67e98d5ef6404

SHA512
e4fd5abc28529748ec89b9e1c28f9ac5fb0220eb56d89dcaab49eaeb4bfc20fb91e88a4b894688389ca30fd707eaf20f8db0054a0c2fd606dbeeef84e4fa546d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
242KB

MD5
2167d3613c72e33c73b7fb55c0715448

SHA1
3a4cef984075c0512c7d9779a3ba2dd611ace49b

SHA256
729d33ff4c580416455b5300b4ace27e9d9c41124ac1058c406b43476bb60dac

SHA512
80f96471c538d74c05efa43f7884cd8ef87bdceee4a376b579cca8496796c2b0d2d92224b5def003326c0b191b3eaee7f54a03cce349eca2a00a1f0cab6d77aa

Download Submit
C:\ProgramData\oEEQIYoA\cOUUEMUA.exe

Filesize
190KB

MD5
d20b4ee43a3232d4b74ebeb0c14fbb15

SHA1
932f17402765f038eac274617aa804781c304f3a

SHA256
66b5d59c7e2e45f443d9efd7887a9b60d51d2e24d6b58b663070115575c3cf87

SHA512
463c4d9a50ac7799915a7c54f208c823db62a9d304eaf427f3e2b8aeebbd44eb35ef447a2fa79dd5ef3f9b70678fc258da9d42c42a06495a7678caa02733946f

Download Submit
C:\ProgramData\oEEQIYoA\cOUUEMUA.exe

Filesize
190KB

MD5
d20b4ee43a3232d4b74ebeb0c14fbb15

SHA1
932f17402765f038eac274617aa804781c304f3a

SHA256
66b5d59c7e2e45f443d9efd7887a9b60d51d2e24d6b58b663070115575c3cf87

SHA512
463c4d9a50ac7799915a7c54f208c823db62a9d304eaf427f3e2b8aeebbd44eb35ef447a2fa79dd5ef3f9b70678fc258da9d42c42a06495a7678caa02733946f

Download Submit
C:\ProgramData\oEEQIYoA\cOUUEMUA.inf

Filesize
4B

MD5
0cdf23913c3ec12564de1dc267abdaa8

SHA1
36379d2e23aa5da18eac522fcb78b7e4a1be2683

SHA256
53a99b33e49a56a74d18e3bc42382d7eed97b2cedf0b158ff02d1c70cdae0fa6

SHA512
7a396b87d595eb9078bf191fe6e0b940b199c07db6bc30ab3b4dfdc491defbe6d509ca37896937e990ae69e6c702caf115c1e89089e7a1727b54aee31d0100b0

Download Submit
C:\ProgramData\oEEQIYoA\cOUUEMUA.inf

Filesize
4B

MD5
9576b367d592388353066d310a23d914

SHA1
6e4c74412d9ff9af5a3aba6acf6168625631b472

SHA256
094085076db4f3096b2b9d884c203dc5c576574be8fafcbdf9a130180dff2513

SHA512
b0b4ac8269b55fb87377711791963a3fc8cf2311f6af8a3956f133b351d8bf69d4e7e89ffd1190d167a376e417e37ccb9d5bc50398253dc66fa7184ded65745a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
193KB

MD5
9c61563a576c3c7ad3ded230400ef7bc

SHA1
c58c68f122ba7d2d784b7f72dae70523c8bc9c14

SHA256
3e1574a1e0409605da9af2d1d5b254f7f61ea1169690834ad56c8a01d63c6dc0

SHA512
d61607e159e00b7840792ca45aa896ae97b1042a0db8242aaa7af2e9842db79583d36b2ff7a89195c48001236698ade528177121ea62d6ea20824cf036ff7207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
419KB

MD5
9cb4243145716ccc2c8cfdef8e81c662

SHA1
7390c477bc93ef99fcf7b382577c6fc3cc5233b1

SHA256
25c744ad92f5e3c470db0d3464330ff503b13d7a5b080f0cc4027edc8f0f5a44

SHA512
e763992e6a79f4b827a0e0bbc1e29eddab63be4496e7a00606cbe10b0ce97c9683e83272a3d087a825a460eed47da8513fcad3af1df7f1d66fba750e46176b74

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
199KB

MD5
b9d468ca95bf0a5e5af5ff68748bd926

SHA1
1d1c397002e98c5342f7842f870baaca5272ff93

SHA256
6c475f03ea4d64e76b87b9fa374a71139b441b25632c16bbf052cb3e79b7754e

SHA512
dbd3f886eaa7ff1e17c0f5da5caf9bab91c343791b9c5e6a9870117a952f9b4a50b6be79b4718adce7a011810c1a09f33335d85131eb6b68d44065cc4b5c6f89

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
186KB

MD5
fcfb0019ea79c76e5af38cf18a3c21f7

SHA1
61e4b4d1bf02c7a1fd3dc9c0306e9af45cfc5bfe

SHA256
22de7d76c9ab697ae3db30b85d0d09785232a658027fb9e88f2ae599a7e3d482

SHA512
711b76a1bff686daf8cdfa9849cf0f272c989b6dc193451812acc2a68eba44489b2f2437a1809faa0e4f38caaea31b3bfd1c71f06e76a104f6412f50fe41e616

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99df8d33b5994eafb5091985cb179bf8_virlock_JC

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcm.exe

Filesize
197KB

MD5
522ffb192a7359dce0e02deb40b90b49

SHA1
6594864b966237f9bc32e14c84660261843b1fe3

SHA256
0b2a0482e7d6ceac10ad2230ff752eb0bf5fc3f07279413b3ea58b6429ff7016

SHA512
5857ffba3c43ff5cb76a6be43eea048a0f07c17e69720816d339795f6a5a775e06cbccf27ded9e9eab4ff59318ad2d279dedbc9b0efdecd42020f875353a5ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUwE.exe

Filesize
1.8MB

MD5
53e362cadd0774e45662404dfed5f9ff

SHA1
d5cfd592766323730197e128379cf8838a56e6f4

SHA256
9192f0b5c976037efc96dfd918bfedc6df45024d397b8290a932c2112ebe93d2

SHA512
6279b4a99de7caafe107e3f1ef658923afd43f027703fdb91ca9bf49edfb8a15e3fa44dbed34e72523e75c95ad62a389ac9c1a2bcd6da3d8d30835656cf5d274

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgw.exe

Filesize
5.9MB

MD5
b9c601fb20c88610961b861edd9eb1c2

SHA1
368792268ea7a5b15434c40ec6bd2c9f8456da9a

SHA256
26b1d562f5d180738334af4972b622a0b343fc843969973eeec08b80d5eaa8cb

SHA512
6880c7c425c710f1869029e3991b7a18b34f3a040f948ec7875a507a1225bc2aadbde4974a011727e287f9917b81d8a9d8102e7c91ee9e70865941a70e22e823

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUm.exe

Filesize
210KB

MD5
47c77644d1937eb987e4e0680b28b867

SHA1
1b455e1cfe17a49525f57ffbee2dc722f58e558f

SHA256
31c0eba1c29960f89514d4741cc1e7fd12a454a51c40b1a5364dbcac695b1af4

SHA512
c1f241750e210ca74fbc0b8f5c6d872e81dfa0778ac5dd6c52d00f39e1b165bd157917f1593fa5bdc685225097ef33df1c3cfceef595b400c03585d8829071a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEkI.exe

Filesize
209KB

MD5
b8e2af24d0e735c1b23327b75e2c4345

SHA1
90026465696433bd1b483e52748580aff86a804b

SHA256
11a1f489ff1b3ccdb30e3f7e31deb46b71b9fbdb7b76006fe9955e81a476e4b4

SHA512
b185e496d88efb562c385a655306c337f1c681358e78a767cc4a0a807e3b317944df1242a7e45b1ac4fd743017214934518ce1efff6ca9db2ccca73bf46ace30

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQos.exe

Filesize
642KB

MD5
6ec1d107aa57db830ebc6b529d12efc6

SHA1
abd01af57dea2624404fd4eea444dae126fb178e

SHA256
a5794e3d031538f58d4d7510ab84091f475d14e5250eb53600af6d28873ae598

SHA512
566665c8762edba891f1e367c3c367f8e12f7cc9e0963f6296cfadbc0b7286b4c3903dbc0ac919b1303f1b1a79fc7343071c33ec3dd5b1db868200e368a48456

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUIy.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsAy.exe

Filesize
224KB

MD5
7e7509441c8f453e9954aece3e894ba9

SHA1
e130bf1a21d00a7a1d9f7f8e0cbef48ffe281680

SHA256
1b550afe97157349281baa9fa0c676d5c867fdd804a3975e59aadc7bebb37b7c

SHA512
a85365198e82b56ebb8f1c8f1cdd769a63462c0bfe58f1458786f71a3144dc1fe889b18b64bf65cd2cb7f43dca9818bb091bf7ea870f1cc992529d5e90c6bd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIki.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMI.exe

Filesize
200KB

MD5
122b75d745e3d0a3a8cd79fbcc6ad0ab

SHA1
3ae1364e36917062b356116b5927fe924f1e0f4a

SHA256
1881e78a0b849a3db9c6a44005495837f3a2ac8f4c2c7f87ca583ca9ef89baa2

SHA512
788002e3ea7df47e748b4e89248dc74ac153ca61fa06a321b796ce2d6cca0da8598fba9b47c40c10a7197877cf241906d24a110f37770f611d5eaecbb680e7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMe.exe

Filesize
184KB

MD5
6411321d7fbf1acaf8c49b1854eccb9f

SHA1
22f8bf17af9bdb59fb8afab46f58526d8526c2b7

SHA256
e1bcdb6f7e61766c400a6159b9c51627c1140e1a2bcd34c5e06b9e7790d6db89

SHA512
cd8774a064b52c0ea7a5565bc80eaf4a430552fb368cc6b877f1665ef997ad9785e54de92da38908400b9a1a891479443790be76846097fe281ffa32a1c0115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcgE.exe

Filesize
202KB

MD5
339370cece8e307fa82a081e54518914

SHA1
e6074c66bdc356a440af37fe0971708dfc0fe783

SHA256
dddccadeddff85b9691f887bae2ecc11414b36c784b5d0948c319e9f406a083b

SHA512
e703ef4a13005508d2b55ba8c2ea099a42888183ccfae9b28cad3b753fa77186cc43320c3aea0fa9775f93878f4ad3499ac4f3dee22c213ce8f49f7a4c116a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCYUkEYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEEW.exe

Filesize
224KB

MD5
d769f30733d0505e8629898253932dbd

SHA1
6004ff4d1aaa17e7683783b2bd5b2d8e49b6d615

SHA256
82ff0f721c57c893bee13c0304dd9d174e65ddece62c393b9c8ad0ad6b46a368

SHA512
4926d15097af8fb10ee831935da8684e0af9aa91089a6779a8e9f8a9164a4ff933faf72e3e4695b116e4f2d48642f9e53301eb1e163367802887f07c8f1b45a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcAG.exe

Filesize
186KB

MD5
233464916ded0da29ca309dda94e91a6

SHA1
95add6208979c7107c1e401cf687bb6289f8f416

SHA256
f14d18daa764405eb04e6e37ba35f00009a9e71e5748ae00a55f3926c41c6b03

SHA512
ce00180adce5c0195899b94ee154ffb7710804bcdd21bd0103ad5dadba8196b335c5207f3803f7e570419d304188fd9763120a2c42a10799074a32336ab3e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcEIogAE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcUocYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwc.exe

Filesize
202KB

MD5
400d8d9f0bb87d6b786b77a3dd074296

SHA1
1fe8fbf19afc62108fdba8e2ca539470cacd7b25

SHA256
ab6ed02e30015a53f761764a0372c731bc30d9951550cb20c378200009d20d7d

SHA512
167a90ac6e2b74a715c53261c004d00dd41243138b8af26971179648047be4628f9c3a8d0eccdde5ad86eca4472628a4e2805081415ba0bbf491acaf8d8da7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQG.exe

Filesize
202KB

MD5
0187b84982783261cc432e736495a303

SHA1
622b2072e50279c31e72edba6962f74c4a6723c2

SHA256
491804360cb3c8305b7062b785f289d46057a680b43b37e0aea154ef0574aebf

SHA512
c3c667cc93dec48ba1117cb122dd165980218d9ac3b69ae2c34625c7324170bc858ded103bca868745c3c0501dba62027876ab0157904a20224e684064b3f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgQO.exe

Filesize
191KB

MD5
24ddea9eceb9c460501b2755058ec1fb

SHA1
48d771da68b14c1a036f75a3050370e80d283fea

SHA256
8c85608a8d9b96ec7c4344e8a49fa5e2b4cc87fb48e328cfbe7ec4b62b914291

SHA512
21ac0b323b50110800a9dbf9dc754d0206107ba637a87fcdb10606e3c6e905402093766fdfe85f35c6f04895208b0e2a16b56dc8de2bd4b1f360af6226095937

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkoY.exe

Filesize
332KB

MD5
93d166c40d57a8565b444669afbfc5aa

SHA1
74a75b4c321e70e5da200c78df83d7a6c1eac786

SHA256
cec84ca960e6d83a5ba5e3e316ce79eaadf785cdeb8274d7153681df1ae44238

SHA512
1f886690ebce6783cd8904cdb85c83d186e08fa50a79e7552dbe7fb705af59b59e5cc437eddd63030de3d7c1ee891eda25d493b4828b2d7c6f6089cd88b99573

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsMu.exe

Filesize
622KB

MD5
a79f908e3b379a42222e19e60c7ee527

SHA1
6375dda9d1645de7aae3739b274c143bd3d5068c

SHA256
73091d2e90b1654a1723853e35ed24384e048f881749695dbdaecbde8cc95004

SHA512
888a3244d280398e331b5833e03b65c50f00fc241969721d538318ed57dbaef13adf749057baa2edf343e41b838f5868b431d36cfaf0dc521dddc84f4b7ab0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FosQEUYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcIo.exe

Filesize
635KB

MD5
d558617fad2120f0a479850876b7aba3

SHA1
36ddb90a94904391c826871ee88307be8f78bb47

SHA256
6489dfb819eff890a44bd90970fb4c7eb0fa875fc503d64f25421ff770553fce

SHA512
b63a080e3f89bc89fc45d62cbad08ea10eff6d35b803d0af26f921b578e13c4484acd7b9bbd385f93c4efda6a1fd424cf51165efa6c882bd813a7654f7b63970

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkoM.exe

Filesize
206KB

MD5
06d96d370a6f9772bbad34d582df5bb1

SHA1
5c6325c4bb5324d7c4d6aec7cea06be01f9679e9

SHA256
c01925db9d39df26f366bcc92d068243b6da205c7d320599ac47cc64b13f50ac

SHA512
bd877084388f08620f30e577df7155a9fa09697ba18b12a13ce74370f257ca8d984dd82f6d0b9f6316d06b0168c81e7fe5cf421aab91be79ad1356791b201b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEC.exe

Filesize
185KB

MD5
ebaf9d390ad8ff148351a90c14b7cb79

SHA1
f8532af1dd413429f5eb3a69c3cb1384dd654c46

SHA256
0371317ae937507b0bbbd6b783d7871329e74229b3db5600acf81a77d6ca0c47

SHA512
57322cbb7f7039bdfef3745e34a5caaf03b5911f061f6738de6e36ec61d892d7d9b4670d0984adae58107b4f77e1611bda93b23849a56357170fb86898e92d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQ.exe

Filesize
193KB

MD5
2afc68e057f2e59a4242ea215a95851d

SHA1
c6405ac07159785a94062c012ce596941e0e4103

SHA256
73ba6efb9e5a4518aab221f1d1cf5d73433ff0252b02eb938b51b02378037aa6

SHA512
dd86e2054907269058688c6d6c61a8d7c52546c7849a369f70fc1f9db69a1114aafecfa2d0e2b5bf741f751d2aee119c0449e292f813195186db7b3b3f1e58fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIEQ.exe

Filesize
191KB

MD5
5b5025bdd48b80c18a426c8613f4bba3

SHA1
6d4626653f0a4a67390b2099dc174ff496326748

SHA256
9a4e7b8a4e65eac131e1b43f234a4123c5068af5541f19b36b0218eeaded6245

SHA512
04880c6810d7b415471645c63c9e3e187b054e97ed6094a5e8f08ac7a83be22f2d596d668bfc4fbe94c4f41ccd95fbd161bb7311de03edf85fb87e260bd3fdd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUUU.exe

Filesize
195KB

MD5
147c0446a5d8c7af5c6e008dfc35e686

SHA1
90855d45f56c937059f4c2a673efcbd30a05feaf

SHA256
8a11cfa2fc97a3e418287bc8988f917e3c87862b4b1a1d6b54c2b295fb48cb12

SHA512
273dbbc73754e70d16b3e5efadf14fba7d9282cd982055ccd08d4a60b9025b4c26b8193b09ce1b7c0308f25f8c1d000f80e1401aca549c35026258b6b3a1162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQMS.exe

Filesize
326KB

MD5
68a3b4b228c51326253c0ddc690add60

SHA1
34e235db37bd8bfc18135d6f225eec0b54a76633

SHA256
2aab3a8ba1447bd22a4177ce9c87517bdc40c4bf6fa5e7a7b458148e6103e7bc

SHA512
5d3fd6375b4b9e63dfa97261cad3da8aabb8a04d1ed325972aa0dc7f4155a8e52b7158bd4c43910274e73fb4ccd8ecd2758473396af73f2279bd89d444d79070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ickm.exe

Filesize
493KB

MD5
29eacdfd47c493b9b6fce3cfe09cc0e3

SHA1
be407c4cbdba3a7c3135bcfd8559adefbaa4bdc5

SHA256
f4c61aa50c60515e363816e41b40406cac38092ed4d81300e59c38f1dd3df1df

SHA512
92e371c0e99dabe361a0cb9c8e110d35891c7e7e325b31ff97ef5a3c6a8374dc6fefd5d5df1be926d512d06c642dde939a5ab2066c55af958545dcb823b18626

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkYY.exe

Filesize
192KB

MD5
7171be04272630fde98ad9122359d6d2

SHA1
4158fc3b511001b90951ca41e11089ebfc7c0611

SHA256
8c4a28a2ad5dc34d7105d4a4099c92d11a94a928b0fc8578cf57a7af25901269

SHA512
8bdfb95a4b321c603a2955c1ca840e014fe06eaf3372274e9d26d034b62a83eccf6593d24209d7eec7ea3ea0afbaec2751e952fcfe2d78692d8a7a0609300c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMu.exe

Filesize
189KB

MD5
930a926fdf220964bc241ec431d004ec

SHA1
b33520092b762db29c10c29e83398be38f47361a

SHA256
7ecf7a78b2bf0018e41370211443545ab7fa524c947fd3acf158d5a835a34b78

SHA512
b73afda8af130bf87a40625a057720757d0d4697ddfffb4c491e78ae5683c9682bc10dbe76e1eaf530801030569ecf03ac57b314c16730c301c310855b125713

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQG.exe

Filesize
458KB

MD5
a38dc8a802b0c8330b59d5a7d10d5868

SHA1
f34c08c0a4535f3c8a3a5a5f5436ac6cc818ee9f

SHA256
3ae9ecd5568db1cdcbe2c8ea0ff93ae2eb694608b379246a5d3427e7aba290e7

SHA512
686bced4a1dc1fdef2eb4c0409bf7c44629e05f9248c6125a11456f11edaa55ed43908ae00bd173d2693e29915bcf8bec9674278d1bac5eef56b09fccaa5fad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGsYMkMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMAq.exe

Filesize
1.1MB

MD5
37fb0bd9a9e3594e29ecf26f96ecfb5b

SHA1
e0c556b9577524b0ffca22b498733f184cc28a7a

SHA256
8be9d5f5919a4ef60f40c3fcb1e0e07c13e2b72aa30ea0f266ed94d776f2fd01

SHA512
c42fe1c562551c7562d5c74347501d65a4f4ded40e01aca3f7c84390199e02381bc48bd75b99bcffff79ff095e3990d15fc02d9269a55cbc692c3441606b8740

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgIq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lsse.exe

Filesize
191KB

MD5
c2323e795524954d627f9dc07a7f286c

SHA1
1eccdd2f9dc1c0da29c6a020a3a783d1f6b346dd

SHA256
e6644707b5a7636fb72a390f33fd6c23ca9919eb419f9478a91b134239d8871d

SHA512
e2a0332c143192fe11a60fa18b12572dacf620f04ab034adac0647cdb2c6bb1690054d58d987598912573625ec6d2133360460b251acba09d5225c2396ac3ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgksEIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQg.exe

Filesize
647KB

MD5
10c057443cdacf014b517c6e7d4a3b05

SHA1
94c675e0daa0e8be51549b57e52354e909c72331

SHA256
d5a0ff49d3d33b66dac9a3eccca02ac406077ee1316cab2d2a048da88d6d5be9

SHA512
c45b15f0c79145f501158732bbf1a02b4dd50a13559edafbc9668460dad2155db7e4e80c0a337ba40471f260b178ed04dd61542471703d6c70c6169696b46d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEoo.exe

Filesize
413KB

MD5
fb46b5c022e6846b1f8889df7b457eb4

SHA1
88125a6929e38ba114eee520bd7b30732d96c8ce

SHA256
b01533f9b13118fb8b11f1650d86c82970cad16ecc169fecf8f904f186460703

SHA512
4b6878bbde2a72317b922aaacff0ea95629d4b721e4df4a5ee0b948269dbd9e61e58cbf1776a0e401faa1493d313a0290e07cf83eb1fc6dec70782e11ecb284a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsAk.exe

Filesize
191KB

MD5
b83efdaeefe621cb84c0284bd623421f

SHA1
29f3bad0496d2d0c05cff937fa1396e5072df22d

SHA256
a44f5177e3513e1c581bb89547711127d7c2952091331eef7203e050b5065b71

SHA512
d725a043f42c8237f4f31ec019dcedb8bdaf62a313f19fa6f582b1cb2344d4ad7a592b61ab801412dff18aa51886263420b515bddd85023e9bd5e2a474beafd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nsky.exe

Filesize
220KB

MD5
e37459f24ec4608774eac47aad5d787d

SHA1
a7f374014c3fdcc8a3bbceb57c960c5b3eb12e7e

SHA256
8622c1df29e9aa94d2efe5a1aa09798fb511d8ec0949274f7857fb88989fff7a

SHA512
8184ee6e9586d88054fb191bfaa7a0a534d988c744aae8e5152b4c65f7f5b2cacdfce4938c69f8c9c524dcb3d3c06ebbb0a7ed831ae6159f1d42915d0b4d2638

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIkm.exe

Filesize
239KB

MD5
3c80a6b9e33a73d1fda832c11f675c0d

SHA1
5184ca779ca803c7a3422f554ef32d0a99de599b

SHA256
6ebf62a891160964b1fa6f4ad4d81147da0887c00b6ba29f333dbdefab0f3863

SHA512
213fa6ed86a94d8bd27a0449d2aa01e0cb0d0d91651f1913b15bbfbc0c6c5fc4ca65f39c5323f1957e260bc9a7266c6566356d47652ddf3538f6887adc103131

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEEQ.exe

Filesize
213KB

MD5
d17eb13136cf85aaf4200dd3cc42900a

SHA1
b2e633c9aba4ebb0522b717bf9d6b2e514c99063

SHA256
dfd91188342ba1b07654458765721beb807ed2f0e27cb51cd0f07ada8322c8ce

SHA512
2fa0e3fca6cabf43c16e4f178a272792e87872c960cae8dc7e699c2393c517ee1d564ac5536746076f13819cc515f5837b4cf0851fc18b62bae1743154f7ffc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAc.exe

Filesize
770KB

MD5
14f7b6b0a13c17986f66e8cd11ab083b

SHA1
5a6aca70f98b1217e6d4db94aea02de6ce943f32

SHA256
aeface0c71ec4ef542f45f8dad5673813e6bab0c795c3630edc5fffe45390fbc

SHA512
3df10faa489508d847bfb946bce4645b736e1af02cba360c2a15f5fa7b15f66a30fc2cbb0cf65fd7d8f870f64f10194208d96f716aa1b5fc3b9cc7e07d3fe14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qssc.exe

Filesize
5.9MB

MD5
3e055cd7b8cab949545ed063beb48204

SHA1
f1e451b3143ab4d7c9230d81a43285cb69fb9743

SHA256
a172f029a764f67b30fdadadfb66ac598d7ad2fda3b7737a3c5f5687a0fc5e62

SHA512
e461002b259752f6989c2efc069f0befd80f19ef72da3105158bcf71e558d58ba8e39c674ece897f4422c9e6951a9946d0e9909214d3bd8d6af67d1d7ccf8359

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAoy.exe

Filesize
5.9MB

MD5
0c57e2a3c92b97966950032fb196429c

SHA1
04b01eadd75b01712c0a87271750e399646106fb

SHA256
83bca2b244d845d8afffcbe65de1ee26ff781e7a7fbfa2c9d0cab09d562a9251

SHA512
ba76e92a82fe162088be5afb0f1b8920f7e772060a9b974e6feb4fca165c9e79f558d4325b63c62147e317063eee3ad4a51c2a3a80757138a01c9ab7d0d02e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\REMM.exe

Filesize
205KB

MD5
53de7b00ad362f5cf016f075ac49acc8

SHA1
4e098d1bc2878b6b649da565d6303cebfefbe9e2

SHA256
63d71918bbabd76cb222f1fff1c83a6ad52136a822eb2544e046940c66637d0e

SHA512
03b9b0758fcf4ebe30f8bd892b88349e3ef5943c7133d4e21b06c07075a0029590c1dcb6203b7eda1db1d6f134463321de33818ff2745a9afe5a54cadc1fc90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\REoYQkEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEm.exe

Filesize
193KB

MD5
7d6d07070922ce2e3c2160c186a81e17

SHA1
86fa47a64f8f9b2ab29c95f53271cd78a4135090

SHA256
105311e73c1cc046887354d6d9485f6f412100d13cf2260486a0050360cdcfc0

SHA512
a01b2cd1536e16fb7a27b0c8101e2fceb089583c01a1eb3d9e67956aed2a832c950c8bd30a5d8ca59816a4b245de9c23d9caf57a8788d438880c0456e1e2534a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMko.exe

Filesize
821KB

MD5
712906d3887fc1015a22f0a9ee9f9c0e

SHA1
a8afdfdfb23061e4709ea8f68f7666bccdf26ab1

SHA256
efcff5627ec0c2e60d21922c9ff0c60554c4d8d86e4d5918330103e60607ebc2

SHA512
cddcde7b2e19c6631764c02b7b74eea3e56c88823f960fc91cd63169d94f048d1c8a7728cada7838423055e32f5515cecd30c6e84e0ff90ec3e20ccaecb69d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAUk.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEIO.exe

Filesize
201KB

MD5
43df5df01d3fdf2e1103f28665831de9

SHA1
5cd6eef04edd2c15a1878724c40aea1f2d793b5e

SHA256
89d1acf4ffa7b35684df2f7706e9c4a09efe6686af234fe07db0c2345ac9121d

SHA512
35750000d86e777c437d62caf56f518f5c7d4aa64b3bb76305c3dc92e5a29f1d3402a6ae070adee2fe4a5340417bcb3f3472efd1e33a930628a395cbc2152011

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIko.exe

Filesize
206KB

MD5
18f436600bd0d99bee120283c05e830b

SHA1
ed5a5d59dc18c0e71cbf4a01537e6a5f1e45e5ab

SHA256
678c5d916133f094ce5933aa5ae8e5e9ee226d1dd13a18fa2efbdf02331933aa

SHA512
2578f6c948607bb5c6acef5660b6ea88d8e20197ae50fc2e06f33ac977a50844adba65b8f0959ca3ad7a705d09bb0aa1d35db1f30d43afcf3c1ea901f4be74f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMAu.exe

Filesize
196KB

MD5
e0322f4a1f749a5dbfba71297b499793

SHA1
1713773b4d8806be0e8a9aa3eae55e561411289a

SHA256
134a5228249099c023fa441ef1ced78eec18b7bb26e66fbf993a65037c057ca2

SHA512
05e951278fa1513cbe93cd936776385ed6bfec530eb3c478e723c1472a081da079f4c03dcf6a12790e16af3a6041468255bc9145a833321b8738af4fedc1a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUYe.exe

Filesize
189KB

MD5
04644d9dd92577398525c6f4e7af6bcf

SHA1
35152f56248a7c27f678e813f5022e97477a3cb2

SHA256
312e98c1471a386bdd0fc50881833ac19312ce4e1a32264eb35e1ed680515314

SHA512
dc1c55c08ab7974aa42bb3164d4ab07518acb0504f2a64c317ba2412c5f9d253dddb9105e686950e7916b7fc1dd38f0ae4c8a4369565137e94b56dfbdd8eb6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoUYwgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEMy.exe

Filesize
316KB

MD5
e723d033cdc3b42b66d722b4550fd16c

SHA1
b96b3fb7474ebcb1f7abc59c79b1db097f9bfc5d

SHA256
967390d61d524eafb8b00e7c0eae66c10e41d8264e05a46002ebc1ee1dbba29c

SHA512
a74513aac5797f932dcafda65f26cb26a1ba2916dc44e9992ff4c7cd13e85c78a0f2b7f3993c21ebf7ca4bb442feee9f9ca92994c97c93f8d3b6d23a3e1e5410

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsM.exe

Filesize
514KB

MD5
8e5942a7c903b15be280609d2b58067b

SHA1
f32764c3d411dcb625b2efe07e4a2b7f1a390461

SHA256
fbec65c371352bdc399d28d495fdbe9ac62f7fe179e50ca991f7a03cf6483c0d

SHA512
53bc4e7d168c7d4d9dd4cdeb2ec65bc79c42b1018bf257b4127088ce4240e28def9c5960f95deae63b9bb77ec4e75e79743f904c958ab361c355a2e564c73d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQI.exe

Filesize
792KB

MD5
f7bcdad1367975b3289de0269aa0931d

SHA1
9bbdbbcda3407b5e7d3c390e3de98bab2e8521a4

SHA256
fb2406b7b7d680001de88b6d1f2c6dab341515c760c5d9783d86bcc60663e0b0

SHA512
2c858932170385abb4eb4a90930a7669f6a16a584f77e9284407de70c768fca0ad98df7bd7dc5c3654b8308ea470a562f1c9db277b0e93404b759e6936941db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugoi.exe

Filesize
192KB

MD5
f3e7facf608361c1ce4ac22d9caad82f

SHA1
cc68172f3457216e347593955ec1187117c00354

SHA256
d31688ebd3f0203327dc76b35e1fdd0db2bfc15989ea91bf780ffac2eaf10d3c

SHA512
8af3138d9d63d8e820e769d221542091608c79c2ccd533606cd7a683d2aebf2077c6784a7d7a65416ffdc8975726f60ba0cd0da1fcfd01bde0f976d33940bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUq.exe

Filesize
231KB

MD5
a831960c61fcfc968da2ce5f56516986

SHA1
c5129e43ece66870dd45424e1eff0ae38b308338

SHA256
3f43eab1edf16c8dee4c9463edac0f73bce1f87b6ecde5c079fcb81173031829

SHA512
129a59315895dd37c001856177702c58635d5cb350f86781bfb541220013e51749bf74afc19f658c8e239d4fb6ae48d9a22422f4d1d4523801dccafbfb0096c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UskC.exe

Filesize
189KB

MD5
18584eeb82585b665a2773b84c0c4770

SHA1
b75a9c3959f580b0788678fb51b7f708bb13e3c0

SHA256
92105c23df0561202b5e98df753a0d77b8c662dd9699003e7bcb815c0a1f3d01

SHA512
26fd23fc6313cddfb0bb8b250906f4ea4fac53f0529b1b53b29e39d9951c705f3b5e2e06589a262aa99c6490f97e20050c78699fc710e4a7dcc6c7a730049c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIIkQIgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsUcIscQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsUcIscQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQO.exe

Filesize
183KB

MD5
5c8e869b5759d52e2ea72b0ec892a887

SHA1
c74fd75aa47f55012daf03db99b9a5760b8492e3

SHA256
a5344350e9310b98c4916da6eb9a75b8b1ff930c23ad073aef7f223c92efd829

SHA512
41b1d8aa5391c847e9c07eba35fa3a7e37b5289c0699a86a6c70c4e941b4e283d947a3e91217510e15955c87a4afd50c1d64a36504652b649af16b46ca1c548d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcsQ.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUG.exe

Filesize
198KB

MD5
b0c279d38239259aaed2e74e473cb07d

SHA1
c6c48495ae07732d0a6ef1ba13112a3a5f8d7f02

SHA256
47996c6e45e0b08a58656f089a628c445b7119315c0f13ce4fb8ae6f8669297a

SHA512
e0bcba6fd35583bb978ff238cd9bc98bbd28857e8cc095577b58a576049717cfa28ed8ef7c71357a2e660a68efc422c0491255be3652ec541a922eca61c349c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIke.exe

Filesize
737KB

MD5
1aa7ba074dee9fa92ee1a0fa2cd8b6bf

SHA1
54102bf7ffe30ffc8b6e871ce76d5686b0b6f652

SHA256
defa6f79faf6ad70411225f97d1274590078cb74ab17386e6ab399d19384494f

SHA512
1d3bfec355d2276ff0b010287b528c46a350126eddadb9a98feae974377a3b0e4d5db58803ed2f03a87233c97f51954780651986dfa14c22d8d2ffe3015e9dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XggO.exe

Filesize
200KB

MD5
bccc3f59c738165aa8a646d534400196

SHA1
4d5ea1f750a6816c623e7863369e258dab42f91a

SHA256
515ceaf9fe140802c099d80bb2cdbf9ff85cbb3be54ab5cdbbe86ea3035cc862

SHA512
cf3e18fcc625998258c4c7399cae9f3819e4e50a7edcc3b5349fe9a3a29bd326b2293508d414e234125eecd19f9987ed86dd1b37e3f63391b9532bf35af759e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEge.exe

Filesize
210KB

MD5
c04921a86c334ee847d59fc1070a51d4

SHA1
8bcc9cf4f5cccb1c46231e456092581ace59f53d

SHA256
15996fd7a8a7dc371a40a0ba193779eb838e9bacc43b8be588054b0468a1fc8b

SHA512
d1a5cff7a587103a08285c48ade61ba3e7b61ff528e4179c7a6bfcbda1edb8b07c255e4e53a287237f3f2d3a4b3fbb1b55b7a28cf66348d29b16654935777f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoUA.exe

Filesize
553KB

MD5
ee9dd5d004ad3cfaab91bfa7d7987ee7

SHA1
29e7f0fb10a7876d6264cb30edd0f6d30329fb04

SHA256
e894a2a04cdd7a017f78141d62c1db9e4a5c434c640cc4c232f5c315c23ffefe

SHA512
7726064a5c638e953693367c14c89c08d26ec44653036fb67d47cb7d063ffb2264a7175c504baf626628562805ae91e0b3c27d95eb3e1a9f3891377431e8d592

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYgy.exe

Filesize
694KB

MD5
474d2bedebf02b6afe376086bcb6a346

SHA1
bd4110f85bb7ebbd2ff03753fb15e8e4fc1538a9

SHA256
fb968bbb9429ead9fe489a84af5dabc93a75e2f61af325a3cc3a86c651566e52

SHA512
6e9c25844f8412ac70794d588f2ea732760d92ab5dfe0f5abec4ed23fba8e0f2e441ebf16e3f0c88239eab88a86b3587475a62245382d836b231e25f06f75098

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMA.exe

Filesize
196KB

MD5
24765ce0e535a61570baebdcdec7d78c

SHA1
b57ae6cfacf3fc0314c234545c996a33055dcb77

SHA256
c0d39ebb3d8bcee4afa68baf5902ce9cf3800cfb393387216e1847a8fd59ef6c

SHA512
c01c13c086175632597534e3c719d6690deb4a648278725ae4a6b60f68eb1402555141c72fd8756ca7c7e96e02e8e80d5fb748cab3c5b5f8e399d3c7038ec7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQI.exe

Filesize
187KB

MD5
225555cace91007c1496a784b4662957

SHA1
e2741b93758297fe870027878c9c3a56bb45a1a1

SHA256
020548fa8c8aa9f026dae52d9e6cfc489d425a7d39e5333b91b06b36bde6a8bc

SHA512
893b977e6d998708390a9a1b525b32d69b0206cd1709b0f22627d2b90e4d8badd10a420bb6a7fd0130de1e3be13d489ca141e1e191dd91869585bcd576fad0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIoe.exe

Filesize
188KB

MD5
1ce28897328505877499027ffed81b18

SHA1
efd5cc74b63fbb5dc6bc7254033614762dce62b6

SHA256
1681cfc85a0f5866686ba104ffb6a5d72cb3bc9f454c01ebd3a524d924f7284a

SHA512
c152ab4f96099f1f6dadb548e2750c2445a85dfad18e5d632eead0a4faededa564559c236342842a7a95f71ebabc4c2a264945ddfa6a3ebe06e7c0de5739527f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dosscQcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecYooUgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMg.exe

Filesize
230KB

MD5
f22d8528f76c74a794c471324d95565c

SHA1
3169d038be56223d00e736d13fcf956ce8978b13

SHA256
320f707ae412a6d6418a32600e056b5fa7d1058fbb319e6ff9310c00c17fe164

SHA512
861828b7b399b27cd40fa3f0c3d100b002ebdcbc7f038ee69d69ddf74e7f4df22252a9ecf447f5fcde12f68edfcc23911f97d2de0998bc278e15b7b56afea101

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekYM.exe

Filesize
199KB

MD5
6ea1ede145e372a1cff32b812e0788ba

SHA1
c5c481b7c3084f0d9d7c876bea7ae8abc1c46b15

SHA256
8627f6d7b50774c50ed952021ad021b654548651acb2982bf7d8c17002530931

SHA512
bae8e28568163ffaf3b05c47e4a0a0149107f02361a0a792ad821ec693ad65462bd8dc280421132bf59ce1d02b8a5c022198ce1b3a1e2c1f6a33cb822f5301ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIog.exe

Filesize
198KB

MD5
ccfadd5915ed7f1d0fe03d8084541e95

SHA1
c05bd4948718c050065ac5e209870a4cf5c20b57

SHA256
b7f86cf3c7fafbac640179d5bdb703e3c84f426bd767ecaa805ebb89db04efd9

SHA512
c9b6c6db7d11a135beaef73f89a6df030e1370d1bafa69b2325ac27ba423a7535df874e7f140f1b3cbffb4b8c6cebd9840e842f8e7fd6401874e028fb10cf986

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYMI.exe

Filesize
901KB

MD5
36b501e8fab86a61a56a3bf704144d16

SHA1
8b5c2f2650237e9d9806a5c53f5e5c3d89f128e2

SHA256
59096138064c46f9d30a4cd84ea23d08f67c8e1b738d86cdbb320e83f84e14ec

SHA512
b0ad0b7d5e88f5a7a57c856c868ea438bed8a99c1a117f9815d7e5861451f4d79689b21d12c703dfa8f9d4da9cacea2b1fbec2ff5790924bdef6a1ba07fc3140

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fksK.exe

Filesize
632KB

MD5
472e8f764dd1198a623daacfaa9a05e2

SHA1
2eafd954ef419470ca96d7f36abd7d6cbb9e5ddc

SHA256
bf1d51c58b553a54f6e45b6293eac241213a2b947ac8e000c21e9ecb5a5348b5

SHA512
83b7d2210ab72cd056bbbfbbdade034b009a91f5863f609edaeaca1fff6f0ba4eb30a213d6bbe7632ef36c9d0a11f3cee240f7289ff65c71cba9ebaae80898d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fykMUkIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAkM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkIi.exe

Filesize
213KB

MD5
77bb8427771e0aebb5d631d95c413fb4

SHA1
7f2ddd723d2106c6d64deca514e9599c27ce491e

SHA256
6c41759fd039774ea29f0ebe250a19ceddafaa32d33dbfda3217862781b9b845

SHA512
84c4aaac31ececdd70a90e3c470578de2e3814cc2027baf2c8bc446749968bf590f493f0aab350917ea60b3835d189d23e78b0ce44f6eeceefa0553bf44de0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUi.exe

Filesize
381KB

MD5
5054925ca0636e340fc542a14ef1c92f

SHA1
582ff8d2a2b76e492ce0bcdad3fe89f8d987a757

SHA256
bc8190f5c074fb9792aea09195e65e27fe54c290cc340d3387feab5f97652160

SHA512
38054eb4933cc4368765ba2d7504dbcf4d992b48a86570ff98b7e4766dd11faaf2be330b82b5e7c8d1aaeeef42439335f144c6561be86d5426fb209c08c7126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAc.exe

Filesize
994KB

MD5
b0125ac09c645947bd470c99eb1c3126

SHA1
905b50ba0685df2ef43b6b561a2a76d142e0d33a

SHA256
1155e2e0ab0b4bf3a6366247eda91030d5655767b795db22bf9d7fb41132936e

SHA512
c2a9d24c3e8a4607c41123beb20bf9042df88a09f77b46ee98a1ad941493ff0749944ae2c66b2e76a70732acb916e377858501caef601d76109d06ee4fc829db

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAU.exe

Filesize
197KB

MD5
4938776897338f974bd602c41faa893b

SHA1
d13812285ac96815b0f4f156fa53a1aa2c38a122

SHA256
e78aedbfe83738dd6c7555e0c6c7cc799b83c794a7719a891f816b037f4d0660

SHA512
408254b0f346a7f2e55187ced9fd23bcb0fa88562e0f9ad1ecec5932bc6d3cc3a18778718b463b32fd1ed7f77a143a2118f7a357812691cafc18bb2ca1d20783

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikMW.exe

Filesize
188KB

MD5
96c55bd1f6a37873321c77fca66a5332

SHA1
97c996f750f9625dcab6afdf472224147c712562

SHA256
589bbe97d2e50443eed9eeebd10415c13e9c508494e3df9216c604462a78717d

SHA512
1b75c989303b03aa94b65d8fac5187340c01109ae53e77ac94868cfdacb48c05ca89e0ec51dc6079cd0f542fe25d10892179d4817a567192d27a4992530166ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgowkIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwUe.exe

Filesize
379KB

MD5
84cfc37d7b9e1b78bbfa4e2d80e7e46e

SHA1
38b9a5d992b0f829f72aba3c71211914c9c278de

SHA256
303ce8595cb9344708a675c62d3c6132f0b2fed47666feabd420a02095b87758

SHA512
cc594641d91c02a85ffc3b6ef7060dd8f8a67e42ec5cbe350d9aaca818b97d60bb93b8caff713b4bef1c2a9e0e7a08e47def1b1bd3a4b00bb369f7da452913bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMAq.exe

Filesize
182KB

MD5
1b7603a14624f7bfb0dc8b28395ccb96

SHA1
6ce56f38592563c176d9f00c9e44002fe6ea94cd

SHA256
8f80e3ad1f67a4abc59ffd3fbc750b02fa267e1b596946427eed6b3b4b6599b4

SHA512
76cbf1c04883c10e954bad06e0361f6970e38126327d58614a23e42de3b1e14be2dc98d5aff3bed314ea119b5b229ba0614f37f62643e57d5350d098bc5d3366

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYYO.exe

Filesize
271KB

MD5
b010086e92044e7038bcb3aea9d78b26

SHA1
e7f9e391e0f608a380926ec65c35751cd4cab334

SHA256
af832a2566af2e010d3867fbc14460a36953ccd4666f0a7f561de665da10cfad

SHA512
2277c4dffebb7990ed8c00b75dffaec241f0a8862b8b792e4d802be992da32e1a8d2b63e464e5cc569fcec77e5d0e409ec294862de96a458400fe885d6836159

Download Submit
C:\Users\Admin\AppData\Local\Temp\kogm.exe

Filesize
189KB

MD5
ca3b8f68f3215a34c7c9d161b6781454

SHA1
9ea2eed63da7e2678ea56e971dd618899c272ed9

SHA256
34c1039e56e2f4289db2e5afed06f50d21c6db58609d28e7608a5295a99c01d5

SHA512
9e9898450a7e37edbfff577a3e3f418230fcb1c08b041e104b31bd3e84c0be88aec34922db668bcbe62618cabeded2343f9d9e29c9de00a3933fa6cac2a226c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqMYEAwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEQu.exe

Filesize
5.2MB

MD5
3e95307e86efc9b643496679b7840759

SHA1
034a6f1a60ed0c9771d3aae5ff4a38beb130c417

SHA256
e74766542905e64531a5ae3fc2fbe7f75cdac6c5546e3e9fee5edb3ac74d42d2

SHA512
ee72c692d1198c1ae42cb1bbf62022f1cc11d9ed79233dd0323ea20260c033da250c3434b2d43953794bb66a716d814965c696ea5cab51090119a7f92fd76a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQEU.exe

Filesize
199KB

MD5
a0bbfebcf5f07ee1c54a4cb52f47cff8

SHA1
fa8e6267febe09fa21f406669670b44dc1d62bc2

SHA256
a3edd1b5dba05213b2393495581781d5e175abef5d41a92bca807101bc0b35d9

SHA512
874b39fb66e137972c7f9706b408835fe3eef5414247f5beb09a5512313387a7cfc478d26cc72c4ea9525c1c952d3abf360cfbf3cbb7dcb4bfceb8070d3aad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lggg.exe

Filesize
192KB

MD5
c94f7242a73a92858f01411677e4ee3a

SHA1
4d163053bdf0e6bd46a2bb5920da6d62cee9fb57

SHA256
a6f8a0c505064c1371bb7e7451d81f2e4bdb8f50695fd940c81d9be60a704ff7

SHA512
f9970b5a00ab9435afa108432d95e5e2f49cb5ffd6e66d7b00e52c91977c9030e3141a10aaaa9134bc3e8d7287fa1d76a41feed36d542cea22ba4cc6b85e2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEQ.exe

Filesize
202KB

MD5
e269f73883cfd989eec85bd2379c16cb

SHA1
666f992e0647d0fc45b981117e32091e29f609f8

SHA256
707ea4a3befe0c6cffc47ba51247c51ae7e618880fd375085325b84777360343

SHA512
6c293af9a02c82ac4f7de3c30e282117592934f65a70a9a6eee042d256d3e84acda99ec1d03289d4c4edf05cbc5b05a7058afa858791ec7a6d493d93cea0c3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMsUkwgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYYI.exe

Filesize
185KB

MD5
e1b0ba4abee0ae2cca3888acb34afb92

SHA1
da22d2a6de4cc28a12a1f49f999749207aac9804

SHA256
e306aa67d45adf37c5d7e6ebe175337d0148518cd6d5774fed7b99256780d2df

SHA512
6a4093be0876f9d7bb0f049e44404e44be1cca7dcb94dd9dbcd78c54d1fff7c5b49c4693516cc578c0594eaa35a3cd8e7d68ea3a274b24a1c7bfeb65c5a76347

Download Submit
C:\Users\Admin\AppData\Local\Temp\owYA.exe

Filesize
207KB

MD5
52c7ba4d4d4374ac0fd514a4eb1fed93

SHA1
35af2641193155af4043e5b4819dee506974c709

SHA256
5be1beb954259bd9a13a9e79774f4252bc745cb9483b63c462049cc51ebf7e6e

SHA512
7a923935e439986538051913536854089debde965a76ede717cfe565fe75e386a02b1f7bc48d81846a54c383c279e892ea1ada5402fd59fa87428e43a48c33e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEoM.exe

Filesize
835KB

MD5
d0aa8f4ba09564ddf26223ddcabadba1

SHA1
a5945dc1fdee7a04dde907898f66ee2fc504c2b0

SHA256
8ca86edf4c4e0fbd177323dc93eafd5072b94df4ab5a022ab8780897a1243ad6

SHA512
22a4455784665f9d4e2bccee24a46522e6219cef785132576324f7047e8790924b9a3a0c67bf94b186b0552e65fc275a2e528dddb6986df616380281a4141383

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQYG.exe

Filesize
401KB

MD5
b1416fef0a9dadcfed4c2331c32967c8

SHA1
e9a380e54f4b27b84c9c157d1731197ab5e4f35c

SHA256
f5f9a27e5e1c61f1d2d893229cc4f7e1ea9d6824318c9dd71b37633060f7bb44

SHA512
e68fddb5cb49916051f145b2fa78873f710570b9beb6d9f5303cea23de24dc444ed41795a579945cd9aa41976ffbadcf23345013033a6ec217a56537922cbd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWMkwEQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgA.exe

Filesize
191KB

MD5
7c10ee57e85e1ffeac1988d8e1857e4b

SHA1
807d6f370ab88e623cea003046a11779f33cb958

SHA256
d4c8330c802e264cb42da9eb0af46e6e1c712a3f192cddf766cd5f1c7f0efc1b

SHA512
12710a2ed77d691683bd4c017c049a58e763bba175b742bdef42d64bf3917de2490492c71a2db6480275a7a257f0cdae5ceb70bf77efec3adfbd3745f6407ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkcS.exe

Filesize
206KB

MD5
117a64d658f249f029af6f9f47c8b4b3

SHA1
015fae66e86ac3a6df6d1f4b006e6d2e3dbd32f6

SHA256
c56649e1ef37d972fe2192e6e34c43c69a6dc766372cbf8b49c698823817c92f

SHA512
682460a6b57210a2b85f35d90758014aec801baff728cf25c8c7c294ab30e18cee7c2146533b5b06530c3b762c124366c424656d783b4d3d5d47948bd7498371

Download Submit
C:\Users\Admin\AppData\Local\Temp\psES.exe

Filesize
469KB

MD5
a5e2aa7c7cd17c674671485f9acc4639

SHA1
1e2c2157cd411a69b7e030aae06dd4b51242be11

SHA256
3a7eaad3522e7e9f8559be5c777dcc01506cfda89e3878f132eec432700d05e2

SHA512
95f191c7a22a0cc0e295c58ee9572cdb737d67138b5cc1fe57041bde66e302c1edb8e3aa89339957a12a94d011ea59e32ed71aa0f3ddd70e98fc1150cb4ca978

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaMYEgYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rooe.exe

Filesize
194KB

MD5
f7a89114059cf0b1416e4a4bf2b41310

SHA1
bb7ca99695e9037ed1a7dd3354ab5182f711bf3f

SHA256
4052db7e5b4ef9f9d7d3ea9468ed3497d3afd011a912501372851d1f122a3fc0

SHA512
c4fddd112956dcd7ebe5fa65843be09a69383c75a20a545486b1becfdbc15c333d723827fd7f2061b2f935f67effdcc78ad38d29a15b2b75899376fa5735f40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsse.exe

Filesize
206KB

MD5
81e4640f1ef17ee3dc8d3c40bcb4c234

SHA1
177ede147d9608e2f8ead80d8e8b8de457116c66

SHA256
e155d592eb474c60b77746fea6fdd0ca799dd0f51500c2535cffcb651480d13f

SHA512
e0209a3ca5fa860af282516f6824d6c32e4ceea668b3b12d841731d7c07c1039b45a3742fe4df675895c0727b809128cc4dc37b8d3e6c56eaa194b776863e962

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosq.exe

Filesize
416KB

MD5
70b735fdd66c1f5038cd8838350878ad

SHA1
7fc1123de033b1ec1f41f1a774f48e722fbfa499

SHA256
51c0da4b6c244d70157ae0d41791ec87866b1aa03d40a2b5457669ea68c06d7a

SHA512
35c857636c0b16e5d9adf16174d29950c725deb5e3c98ad44b5e79cc0988d2f7e06fcfc646402f33209a4572915d17fdd00ddf07190b317d323cc2687a5127ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\swcc.exe

Filesize
535KB

MD5
d7ab3302e66ca824f2f0201479ddfc88

SHA1
ebc49e7a34222c6eabc3d905f5961dc01f52e848

SHA256
572fa893459846a94bb34331ddfec6fb67b8c6be9fe8ffbd063952645839d245

SHA512
2ec914e8a336306ac6f4259ffd4b67a901b7d350ea004daf439bfb60bd8c3e520dfe2ae473b406bca18712fc0653129c43258a381277c404fd43326fde017d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIog.exe

Filesize
191KB

MD5
1a5c0911750d2f71eaf9051e78828a73

SHA1
34585ee1b5cc7bf605b89436ab82a325526529b2

SHA256
482d9f7bf3f69bf4fded558d9cb0631edb1db127d125ebab930eb17ee569691e

SHA512
b57e5a87295375682a468895e67c66c8560018d8c402d3814db6613b63a8a937031bef97ce05a5137153e42ad29470dd8b86a16d3f441444fb4fc656125262f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUYY.exe

Filesize
202KB

MD5
f863390c6e7811f99df7a328a58f76ea

SHA1
4ece63eb947bf6cc6e0f6868a488dcef784f1113

SHA256
985915b4766756da557de8abfa1b63a4d233532d0769553f4e808a4d6a1bac5c

SHA512
831c47112cd83a7e26b75c6c4b52a212389c0957fdbf9214fb849dafa0e6ee125e16bafadcfc4550f1b5cdbe04a85b619d6712300809f3dbed609db2a69e0b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgkwgUUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIkq.exe

Filesize
192KB

MD5
7d1d747d48453c3395f4e626945630b8

SHA1
32cb56b443fdf8eed1fe4f9e805e0c5020b1f30a

SHA256
68877a9504c642ee84d678367fe6a75cfd5b745a32a3a4221936abe7a080e6bf

SHA512
d2a2bf1b87c31a2efbee1bea8c36eb2c5e785b90e4db962dcdda87bb6d9059d50fba653ddbe650b85697dd19abba2a557698ec895eebd76944c37a12e0e6baca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQwu.exe

Filesize
634KB

MD5
5351f2669acaf68ab5fc4387f738f370

SHA1
a56ddf3ca9ff8215d2704e63b7456c315a726a24

SHA256
6476a59ed2d513cc6d5b5b9089b669546c3bc8087e74df1447593ab0851cddf3

SHA512
c5109907d04d8d23d9195c254ca70c92aa8376219662b9b384a6c25af91b2f77213cfedca2b7209520e6a9e1bc620e865afeb9fd0ab3482aef10279c69bd1039

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgsm.exe

Filesize
191KB

MD5
ef38a5ccd998c152bc197d1fb1af08a9

SHA1
6be86e8423261caeea60c987de1b8d42e728fe9b

SHA256
6b3d4993a8ff994c0c1e192a79a1c3b34ebcd822824e1bbd210213ddf70bb758

SHA512
e50c917a41721e9c52e8afd65416f5dee7c286b326086ebde0acec315cfef0a6c6ea5d82e1020062b742f2b3e2f024b05ce0b1b8c7ddd59725f215e707485874

Download Submit
C:\Users\Admin\AppData\Local\Temp\voIS.exe

Filesize
436KB

MD5
ebf3f896689ae4a9f79f83d5cb855d7e

SHA1
d0899244d15e1d1d5ffe47121aae8fa01fda45c3

SHA256
ae88f6b807a8894375b3d07d18ee85d1e1b62eae790299f6b3833614dedc1e3d

SHA512
9b6c2fd703cc419fa4e945a26fc66236d96edbf9389a1886486295a0460aad23fa75fb945827b3998ee934072d4b57a39fb300ddee09c96ed6f363e11fdf2275

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYQe.exe

Filesize
201KB

MD5
611390b3bd744c083c88c2fd43863286

SHA1
9633e12be95dbf162950e1ba750527e92f8e0a02

SHA256
1050863480fb326c37745a0768a119c25d0d3b674480a42eafa3c002855751fb

SHA512
97be81903ca85d7ae326ba9dfed08d2a7b67cd73d30658e24a70a524cfd5c140caeace78afe8c6bcba951ce57380d525e5f561d240c9826b3148d7a90f2ef07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAAm.exe

Filesize
841KB

MD5
a30ae0f817a910e86c348b10888c27df

SHA1
2b3b9c8661f2b1907d57b3f0372bcf86170b6234

SHA256
4e417590a8b62d75b9ba85b807f8f5052bdc8dba9a82b9355dfd37d6619ffe2b

SHA512
eb42ed1a11c742fd9bcb7c466260cec0f246fa87ec5b04ecf7addc4ad364fc4979a82a1f0f3f7558bb4892a194c20ea981fdc935f31280562776265d33f410f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQK.exe

Filesize
205KB

MD5
14c9eeb5d1d81c4fecb1b02eef1cc235

SHA1
ef89a97a21d97844abbc26ba579e15d1abf4b745

SHA256
90db94b9fbdc129e4b3393bbde696221fee7401856814adf5de4c2f704d494dc

SHA512
4bc8834e1c030dc7c46776c4bc1bcda8ff9b61cc0ba8ca841abbe342e0f94a7a23aadc8c7aad0565a0f3e34e295af2bdee699fd89065967e741ef9fc008887fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIYC.exe

Filesize
197KB

MD5
72a68988258ea28bd1b26016a7da0d28

SHA1
0728f3c79ebb5094c021165d3ff2cbdda55f9d1e

SHA256
d3b2ba2993be62ca2715cd59855b3da4d33f63310fb5e9ad6378bdc713c87fc6

SHA512
ebe5bac64cd563e37b9680245aeaa50f4ba1a2adcafffdb0297c1eb4124863e5a4ee62630de73ab1b3faae2c4e0ac9760e80a35c198a0b6d0fa264dd21bd42ac

Download Submit
C:\Users\Admin\Pictures\SearchUnprotect.png.exe

Filesize
377KB

MD5
522374eb158904c61ce8911dcfd28b3c

SHA1
dd4da694c2a967378c64d7993ab5f5b1c21f249b

SHA256
f6b7ce453b07deaaf9c164281b8ca7c630d07c4db143b730110d83dbc3e0771d

SHA512
2d3a7d16b189e97e01080e5bef0f5e18d3a03642fe37c03260a9ee1497dd09907a1a38d706450cd0f4cdf600e3e243360f14dd59e65d8d2464c156bdc21b1c6c

Download Submit
C:\Users\Admin\gUQUUQEo\YWAAssQk.exe

Filesize
181KB

MD5
0ee6b8fb931aadc86530ea299385e604

SHA1
a11ba851f196320c41a96dbb297477936826b6a6

SHA256
02bb775f0ac7d697afe72639527645d529d326458f983128ab655622aa62de9d

SHA512
44656a63d874fcdf876e761088151a0857ffa763c2af1f788726939d7d6d1e5d625ed280e63cb8e7498486b10c982f4b0dc87a347b6ebd2bd0bf18171ef4813f

Download Submit
C:\Users\Admin\gUQUUQEo\YWAAssQk.exe

Filesize
181KB

MD5
0ee6b8fb931aadc86530ea299385e604

SHA1
a11ba851f196320c41a96dbb297477936826b6a6

SHA256
02bb775f0ac7d697afe72639527645d529d326458f983128ab655622aa62de9d

SHA512
44656a63d874fcdf876e761088151a0857ffa763c2af1f788726939d7d6d1e5d625ed280e63cb8e7498486b10c982f4b0dc87a347b6ebd2bd0bf18171ef4813f

Download Submit
C:\Users\Admin\gUQUUQEo\YWAAssQk.inf

Filesize
4B

MD5
0cdf23913c3ec12564de1dc267abdaa8

SHA1
36379d2e23aa5da18eac522fcb78b7e4a1be2683

SHA256
53a99b33e49a56a74d18e3bc42382d7eed97b2cedf0b158ff02d1c70cdae0fa6

SHA512
7a396b87d595eb9078bf191fe6e0b940b199c07db6bc30ab3b4dfdc491defbe6d509ca37896937e990ae69e6c702caf115c1e89089e7a1727b54aee31d0100b0

Download Submit
C:\Users\Admin\gUQUUQEo\YWAAssQk.inf

Filesize
4B

MD5
9576b367d592388353066d310a23d914

SHA1
6e4c74412d9ff9af5a3aba6acf6168625631b472

SHA256
094085076db4f3096b2b9d884c203dc5c576574be8fafcbdf9a130180dff2513

SHA512
b0b4ac8269b55fb87377711791963a3fc8cf2311f6af8a3956f133b351d8bf69d4e7e89ffd1190d167a376e417e37ccb9d5bc50398253dc66fa7184ded65745a

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
8053a2b8f953753d34c92cd9a5a160e9

SHA1
5fe59f9d1d824fe183eb2d3dffe474497ff1b2ef

SHA256
4e65c5c6354d28648d2462ce27ead4c013365754188778f841303de315879387

SHA512
0b1aac3f4b0eb25454c0fbd815e404deed1104f88182f1170d57e5c66e7fabe2a86b48891f97179e1a5bb2ab0ccca3f88fe4d223d639f7f034c3834a88e1539c

Download Submit
memory/432-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1604-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download