418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
27/01/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ViraLock.exe
Size

194KB
MD5

8803d517ac24b157431d8a462302b400
SHA1

b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256

418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512

38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
SSDEEP

3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSIAAwoc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ViraLock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ViraLock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LSIAAwoc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (69) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Control Panel\International\Geo\Nation	kGoMAUAE.exe

Executes dropped EXE 2 IoCs

pid	Process
32	kGoMAUAE.exe
2264	IggIAcMo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Run\kGoMAUAE.exe = "C:\\Users\\Admin\\EqoAAoAI\\kGoMAUAE.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IggIAcMo.exe = "C:\\ProgramData\\RYskQQsA\\IggIAcMo.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Run\kGoMAUAE.exe = "C:\\Users\\Admin\\EqoAAoAI\\kGoMAUAE.exe"	kGoMAUAE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IggIAcMo.exe = "C:\\ProgramData\\RYskQQsA\\IggIAcMo.exe"	IggIAcMo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1526633464-1149972181-4216821683-1000\Software\Microsoft\Windows\CurrentVersion\Run\dsYIckcY.exe = "C:\\Users\\Admin\\fCQQkMkQ\\dsYIckcY.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LSIAAwoc.exe = "C:\\ProgramData\\GMgUkMoA\\LSIAAwoc.exe"	ViraLock.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4720	876	WerFault.exe	675
3412	5104	WerFault.exe	677

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2412	reg.exe
4260	reg.exe
1068	reg.exe
3580	reg.exe
1548	reg.exe
2640	reg.exe
2668	reg.exe
1464	reg.exe
4444	reg.exe
1492	reg.exe
4464	reg.exe
3580	reg.exe
1880	reg.exe
3544	reg.exe
4652	reg.exe
1232	reg.exe
3924	reg.exe
1536	reg.exe
1596	reg.exe
2996	reg.exe
4656	reg.exe
4432	reg.exe
752	reg.exe
3300	reg.exe
3912	reg.exe
4800	reg.exe
368	reg.exe
4800	reg.exe
3536	reg.exe
436	reg.exe
1164	reg.exe
1624	reg.exe
3056	reg.exe
4196	reg.exe
4844	reg.exe
424	reg.exe
4116	reg.exe
4392	reg.exe
3064	reg.exe
2172	reg.exe
4972	reg.exe
4192	reg.exe
1928	reg.exe
4176	reg.exe
368	reg.exe
4176	reg.exe
2276	reg.exe
4692	reg.exe
4660	reg.exe
424	reg.exe
1464	reg.exe
376	reg.exe
4624	reg.exe
2648	reg.exe
4684	reg.exe
4164	reg.exe
4624	reg.exe
2108	reg.exe
3328	reg.exe
3824	reg.exe
3040	reg.exe
2940	reg.exe
652	reg.exe
5040	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	ViraLock.exe
4692	ViraLock.exe
4692	ViraLock.exe
4692	ViraLock.exe
4164	ViraLock.exe
4164	ViraLock.exe
4164	ViraLock.exe
4164	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
508	ViraLock.exe
508	ViraLock.exe
508	ViraLock.exe
508	ViraLock.exe
4960	ViraLock.exe
4960	ViraLock.exe
4960	ViraLock.exe
4960	ViraLock.exe
196	ViraLock.exe
196	ViraLock.exe
196	ViraLock.exe
196	ViraLock.exe
4412	ViraLock.exe
4412	ViraLock.exe
4412	ViraLock.exe
4412	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
3176	ViraLock.exe
1888	ViraLock.exe
1888	ViraLock.exe
1888	ViraLock.exe
1888	ViraLock.exe
2216	ViraLock.exe
2216	ViraLock.exe
2216	ViraLock.exe
2216	ViraLock.exe
2072	ViraLock.exe
2072	ViraLock.exe
2072	ViraLock.exe
2072	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
2036	ViraLock.exe
2036	ViraLock.exe
2036	ViraLock.exe
2036	ViraLock.exe
368	reg.exe
368	reg.exe
368	reg.exe
368	reg.exe
1320	reg.exe
1320	reg.exe
1320	reg.exe
1320	reg.exe
2412	cscript.exe
2412	cscript.exe
2412	cscript.exe
2412	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
32	kGoMAUAE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe
32	kGoMAUAE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 32	4692	ViraLock.exe	73
PID 4692 wrote to memory of 32	4692	ViraLock.exe	73
PID 4692 wrote to memory of 32	4692	ViraLock.exe	73
PID 4692 wrote to memory of 2264	4692	ViraLock.exe	74
PID 4692 wrote to memory of 2264	4692	ViraLock.exe	74
PID 4692 wrote to memory of 2264	4692	ViraLock.exe	74
PID 4692 wrote to memory of 2260	4692	ViraLock.exe	75
PID 4692 wrote to memory of 2260	4692	ViraLock.exe	75
PID 4692 wrote to memory of 2260	4692	ViraLock.exe	75
PID 2260 wrote to memory of 4164	2260	cmd.exe	77
PID 2260 wrote to memory of 4164	2260	cmd.exe	77
PID 2260 wrote to memory of 4164	2260	cmd.exe	77
PID 4692 wrote to memory of 4656	4692	ViraLock.exe	83
PID 4692 wrote to memory of 4656	4692	ViraLock.exe	83
PID 4692 wrote to memory of 4656	4692	ViraLock.exe	83
PID 4692 wrote to memory of 4716	4692	ViraLock.exe	82
PID 4692 wrote to memory of 4716	4692	ViraLock.exe	82
PID 4692 wrote to memory of 4716	4692	ViraLock.exe	82
PID 4692 wrote to memory of 4992	4692	ViraLock.exe	81
PID 4692 wrote to memory of 4992	4692	ViraLock.exe	81
PID 4692 wrote to memory of 4992	4692	ViraLock.exe	81
PID 4692 wrote to memory of 3064	4692	ViraLock.exe	78
PID 4692 wrote to memory of 3064	4692	ViraLock.exe	78
PID 4692 wrote to memory of 3064	4692	ViraLock.exe	78
PID 4164 wrote to memory of 4172	4164	ViraLock.exe	86
PID 4164 wrote to memory of 4172	4164	ViraLock.exe	86
PID 4164 wrote to memory of 4172	4164	ViraLock.exe	86
PID 3064 wrote to memory of 3700	3064	cmd.exe	88
PID 3064 wrote to memory of 3700	3064	cmd.exe	88
PID 3064 wrote to memory of 3700	3064	cmd.exe	88
PID 4172 wrote to memory of 3176	4172	cmd.exe	89
PID 4172 wrote to memory of 3176	4172	cmd.exe	89
PID 4172 wrote to memory of 3176	4172	cmd.exe	89
PID 4164 wrote to memory of 4624	4164	ViraLock.exe	93
PID 4164 wrote to memory of 4624	4164	ViraLock.exe	93
PID 4164 wrote to memory of 4624	4164	ViraLock.exe	93
PID 4164 wrote to memory of 4160	4164	ViraLock.exe	92
PID 4164 wrote to memory of 4160	4164	ViraLock.exe	92
PID 4164 wrote to memory of 4160	4164	ViraLock.exe	92
PID 4164 wrote to memory of 424	4164	ViraLock.exe	91
PID 4164 wrote to memory of 424	4164	ViraLock.exe	91
PID 4164 wrote to memory of 424	4164	ViraLock.exe	91
PID 4164 wrote to memory of 2940	4164	ViraLock.exe	90
PID 4164 wrote to memory of 2940	4164	ViraLock.exe	90
PID 4164 wrote to memory of 2940	4164	ViraLock.exe	90
PID 2940 wrote to memory of 5032	2940	cmd.exe	98
PID 2940 wrote to memory of 5032	2940	cmd.exe	98
PID 2940 wrote to memory of 5032	2940	cmd.exe	98
PID 3176 wrote to memory of 5068	3176	ViraLock.exe	99
PID 3176 wrote to memory of 5068	3176	ViraLock.exe	99
PID 3176 wrote to memory of 5068	3176	ViraLock.exe	99
PID 3176 wrote to memory of 4364	3176	ViraLock.exe	103
PID 3176 wrote to memory of 4364	3176	ViraLock.exe	103
PID 3176 wrote to memory of 4364	3176	ViraLock.exe	103
PID 3176 wrote to memory of 3644	3176	ViraLock.exe	101
PID 3176 wrote to memory of 3644	3176	ViraLock.exe	101
PID 3176 wrote to memory of 3644	3176	ViraLock.exe	101
PID 3176 wrote to memory of 4400	3176	ViraLock.exe	102
PID 3176 wrote to memory of 4400	3176	ViraLock.exe	102
PID 3176 wrote to memory of 4400	3176	ViraLock.exe	102
PID 3176 wrote to memory of 4668	3176	ViraLock.exe	104
PID 3176 wrote to memory of 4668	3176	ViraLock.exe	104
PID 3176 wrote to memory of 4668	3176	ViraLock.exe	104
PID 5068 wrote to memory of 508	5068	cmd.exe	109

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\EqoAAoAI\kGoMAUAE.exe
  "C:\Users\Admin\EqoAAoAI\kGoMAUAE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:32
- C:\ProgramData\RYskQQsA\IggIAcMo.exe
  "C:\ProgramData\RYskQQsA\IggIAcMo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
    C:\Users\Admin\AppData\Local\Temp\ViraLock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        8⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        10⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        12⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        14⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        16⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        18⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        20⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        22⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        24⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        26⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        27⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        28⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        29⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        30⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        31⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        32⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        33⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        34⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        35⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        36⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        37⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        38⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        39⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        40⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        41⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        42⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        43⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        44⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        UAC bypass
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        45⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        46⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        47⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        48⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        49⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        50⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        51⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        52⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        53⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        54⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        55⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        56⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        57⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        58⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        59⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        60⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        61⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        62⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        63⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        64⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        65⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        66⤵
        
        PID:4132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        67⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        68⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        69⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        70⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        71⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        72⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        73⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        74⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        75⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        76⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        77⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        78⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        79⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        80⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        81⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        82⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        83⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        84⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        85⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        86⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        87⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        88⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        89⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        90⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        91⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        92⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        93⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        94⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        95⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        96⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        97⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        98⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        99⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        100⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        101⤵
        Adds Run key to start application
        
        PID:3236
        
        C:\ProgramData\GMgUkMoA\LSIAAwoc.exe
        
        "C:\ProgramData\GMgUkMoA\LSIAAwoc.exe"
        102⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 232
        103⤵
        Program crash
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        102⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        103⤵
        
        PID:200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        104⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        105⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        106⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        107⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        108⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        109⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        110⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        111⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        112⤵
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        113⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        114⤵
        
        PID:4212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        115⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        116⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        117⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        118⤵
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        119⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        120⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        121⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        122⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        123⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        124⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        125⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        126⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        127⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        128⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        129⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        130⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        131⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        132⤵
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        133⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        134⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        135⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        137⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        138⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        139⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        140⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        141⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        142⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        143⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        144⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        145⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        146⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        147⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        148⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        149⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        150⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        151⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        152⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        153⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        154⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        155⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        156⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        157⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        158⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        159⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        160⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        161⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        162⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        163⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        164⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        165⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        166⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        167⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        168⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        169⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        170⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        171⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        172⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        173⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        174⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        175⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        176⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        177⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        178⤵
        
        PID:1752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        179⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        180⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        181⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        182⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        183⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        184⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        185⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        186⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        187⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        188⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        189⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        190⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        191⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        192⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        193⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        194⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        196⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        197⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        198⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        199⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        200⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        201⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        202⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        203⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        204⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        205⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        206⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        208⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        209⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        210⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        211⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        212⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        213⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        214⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        215⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        216⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        217⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        218⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        219⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        220⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        221⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        222⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        223⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        224⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        225⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        Modifies registry key
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqYUEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        224⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYQEsYw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        222⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYcAUcgU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        220⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKMcQQcE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        218⤵
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        UAC bypass
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqsQEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        216⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiMgkYAo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        214⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUMkIUkM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        212⤵
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQEswUIU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        210⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqggkQsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        208⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JygEUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        206⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        UAC bypass
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IogYAcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        204⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMYEAocw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        202⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGAoAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        200⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaEggkMU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        198⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqAUkUQk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIUQwUIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        194⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKIgkMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        192⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        UAC bypass
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmgUEsUs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        190⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQwwQUs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        188⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWQYwwYk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        186⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqwswQws.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        184⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyYUEgoc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        182⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqoMggIM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        180⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwYkswk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        178⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEwUkYgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        176⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGoIwAQk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        174⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMcEkcok.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        172⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diYYgcAc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        170⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eegwYkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        168⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCgEIUYs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        166⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKEIIkkg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        164⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAcsgQAU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        162⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYAcMwEw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FakEMAMo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        158⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyAoUQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        156⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuEgcYkY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        154⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIEosgU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        152⤵
        
        PID:308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tywkYcAY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        150⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwcksgAc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        148⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuUYkskI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        146⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcUEocoU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        144⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAYgYYk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        142⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgMssAYk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        140⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOgwkgcg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGcAIkQU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        136⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsIsQsYM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        134⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROIAAccg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        132⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWscoYgY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        130⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgccoAE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        128⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOIsUgQc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        126⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        UAC bypass
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reUMcgwA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        124⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiEYcUgo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        122⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waoYMwss.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        120⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bywsoYEc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        118⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIcEgMEk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        116⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOsoAAYk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        114⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkEYMUME.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        112⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEsoEcos.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        110⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROsoswYQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        108⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAAMUsYM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQwQgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        104⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3812
        
        C:\Users\Admin\fCQQkMkQ\dsYIckcY.exe
        
        "C:\Users\Admin\fCQQkMkQ\dsYIckcY.exe"
        102⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 232
        103⤵
        Program crash
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuwoEQAE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        102⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeMsAoUo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        100⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcosssYo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        98⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\logkQwgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        96⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgsAMUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        94⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqwkcoIU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        92⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auAgYEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        90⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQQAUcIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        88⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmkssEsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        86⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PioMMIEI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        84⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkwUIksI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        82⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKEMowkc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        80⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQowIIkk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        78⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKAMQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        76⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIQQgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        74⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwAIcEoY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        72⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUocMogU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        70⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYkQkME.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        68⤵
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSggkokY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        66⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEIIcwcA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        64⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAkAgIUw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        62⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgcAYUEk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        60⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WewAgskM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        58⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKYUwggs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        56⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQYEwEwA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        54⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joQIIkAU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        52⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcAYoEgA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        50⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyEoAkYE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        48⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egYUIEwI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        46⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEIUYIQo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        44⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toksAwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        42⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        UAC bypass
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmoswIoE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        40⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwIYYEgs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        38⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWkUYIQU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        36⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIQEIkwM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        34⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukEkMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        32⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSowwook.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        30⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAYgMIkc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        28⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsQoYkEE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        26⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeMYEIwo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        24⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYMMgEEo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        22⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwUcocsc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        20⤵
        
        PID:164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmUssIAA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        18⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SucwgcgU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        16⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoEEEoAc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        14⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiwYAEIg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        12⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEUkwgYM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        10⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akEQUUsU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        8⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4400
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQUwggsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        6⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoUAkAsE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukggMUw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
217KB

MD5
6124c70442ca3eeed8d2e75fcb7375ad

SHA1
ce47ee4f0785f89f476caf5abd88a6158186ef53

SHA256
18ead2e89e779ab4d4fc1d9e65dd6b49534db2b47715684cc3fef59298d5e6ee

SHA512
c9a33cdb3705f313bc0fd06e986fdb1b638f96d648d8b141e09f7011c06c00f2fd017797ee86dbcd5fc6101764f882daece92095d15c22e7fbbf4a3c5cac08cf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
186KB

MD5
08bf8f4018ffc5f2e6619ea624ed3d61

SHA1
60e7cc55e1fd2222a654a711e3ae1fff66d88938

SHA256
6ae4bdd5e484ec193b5cef9323200047c2683e4741f5a9575b5f701bf5de9855

SHA512
be7d8cd98acabf2085209bcfed54d8251b950099eb354584886b2c7a00031c9e8455f1118cb5aa7ed8321ca5f6ac600c18c1d9b57fa821dba26452675805c937

Download Submit
C:\ProgramData\RYskQQsA\IggIAcMo.exe

Filesize
185KB

MD5
f471c74d06d798fd8e8027b18695bbbd

SHA1
7bdad770fd4ad3f30bf7f5467604f6e8f7e0c438

SHA256
3ec80baa51651c630e9fbc5d0e8cef1ec8f79237044ba63620a4471a97a696be

SHA512
35f141c90a32c1b0e30037b7d0a18988b92292e27e8186b2b646ed5211f6d3fce5bdf6b5964bcb78eb134ff95e35cd95b6136825a6fbd3fa5c516bb82238ab68

Download Submit
C:\ProgramData\RYskQQsA\IggIAcMo.inf

Filesize
4B

MD5
0f0e1d43c454879cbfa0a878378c0b28

SHA1
b506bc3bd6cc68890ed0bc6776a42311bfea4122

SHA256
1b355a8fcce8791828ed28d25ca548bbfa0b91a68817ee92965f74e4a0f65da9

SHA512
74d2c24f3bfd42dfe7946aaa690674aa28769aef6c7a5ff209440815763471de52ef46dd767d3421cefc58b2230dc133f1ab7d688503a22bf24899ab5bffcffe

Download Submit
C:\ProgramData\RYskQQsA\IggIAcMo.inf

Filesize
4B

MD5
9d604c4fb808851d6d654c0c560fe7ba

SHA1
ab1c4a2024ad9379fa3e44a6f91877c4df40b44c

SHA256
e0f6e17fb746685a54987b121a1c09e8b1cfc365b2f1d7203eef19375173b592

SHA512
59fdabda33b5593652203c988409e46ad8e7ba9aa5509171d09e195791749f7bd4ec008d59baf26ef9d758090f499c9a968312494afdd053e3c70529446d7f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
187KB

MD5
cd23b91540db4930e890e6fae19e21ea

SHA1
5caeddb2b83be16ec5934a75fcde6351c43b9e5b

SHA256
0af8e4617a83199c8ce9568c7144310e2b34d30349b2e0c9ccd9827988656925

SHA512
2617d6e5c5413d71e16fbe05bc6fb807ae2e9884544c2b858ac6f8911b8c3026a692d7479be50105666ff7fe4a3a9650b63df36b67860dfd641004b24483703d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BggK.exe

Filesize
203KB

MD5
ab27799f43f89829fce3366dc726078d

SHA1
652ce75c4202ac448ebc221bff99b2f28e27accc

SHA256
6c8de78f1c1f0bf2c99426af63cd33b33e13668dd4118866cf50906a608be4be

SHA512
4ec4270f4a23f92fadd27746adcd034d1d5271c01e0a116d7a4da669f42c29a886805a8add0ee11b9c950884a35ae95070b84361f1c616c7c3366a2ee719a28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgsI.exe

Filesize
196KB

MD5
97d6e1d7c0e93b553e8f7f6c18bc41b9

SHA1
c115086451ea7e0034d7defa66156a8b103601ca

SHA256
82db0e039a75b0ed4ef413a0cabca77a9b26794d47d30e97af3ff83bbd575295

SHA512
36604065e7742e733a8e59d23f07c64961289dc185f5054e7040ef8a3f2db3818cd67647abd6d137e4bbb349089fc0809b7af271d6a294cbb251e473b97202e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkIk.exe

Filesize
214KB

MD5
f311b3048636cbef63b43cfeacdafa7b

SHA1
6169583e95ab1b45f424aa6348b7b229ec277465

SHA256
19322a564f3dd43f1365ba4a2e0ea4ab7364801491643abdd7a592f7b97f9061

SHA512
634056219aeff67d01433b7c2d74bc33ab133175a6a7b668704fce1095ef85ef0a35b1312b22e136ff37a4f2feb4ec0bcfb6bdba0519c3f2a8c1df8aa6ac701f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMc.exe

Filesize
186KB

MD5
ad82f8ee51a374e7b379163b4a710c6c

SHA1
5aa195b6b28d76ecacac95c50edebc5ec4263463

SHA256
f2405c4bd6bd6fdcf8fd16757a41faf0ad1acfe75d253c47a75113a722b606af

SHA512
76eaa85cc0f460987efb8bf93eff3c3f2486868079f14bf7ca20ace20533a8c9595883e429ef9f9d5443e83e49fbf68ff6927d3a3d65967a7c7643f4ebb54003

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYe.exe

Filesize
197KB

MD5
5f464da7610b7d7d10789ede6b5c9572

SHA1
99a02db38bdd06bf80d83e95683953e35c24b0c7

SHA256
90486547e3e274425c80f734eb5c0d763e68869114f8553f2a775013df7c5980

SHA512
67ab8602406c2d69510c824faa829db310bee978d713d8868bc9f450f08fc3fb60cce399ee7a4bb9cb9125a8791df2230d50e20831692e7776e72155b193559a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAES.exe

Filesize
664KB

MD5
237dec3e83b09991542668e49af36a53

SHA1
b7594081bbbd6918cf3ddcbe1c91e19ab8d85dc1

SHA256
df1b3ed972e1ae8a8a64ab680d49708e82714d233a86cc2c17fa4c6a850f86c3

SHA512
9c7b7108071ed36a1a8b629d732825968b52676f480c6225d4246e2242efe7b484f6b18911f1af18f8483b3a1e9eda1b6282ad53d453f9d9ccee3b9e168b2664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcwe.exe

Filesize
202KB

MD5
89762efa0ca57839eccd4c2d8d0a4c0a

SHA1
36555e6e67e15c91515e8295d05aae61a57dbd3e

SHA256
b96069424cd8dcc64ddef87646882dca23131c1496865e10e302408110e504c6

SHA512
43a4ca94cb1598dab42957b9a2e11579689bb22d438151c17b5affd43c23f67d0c91ae17cdd0d5d61e924399094642d032b4bb9ade16b70c162d9e72fbb29f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUy.exe

Filesize
200KB

MD5
2c3732fe4c9a17d2b6c87bfd90bad60e

SHA1
d7c3cc368a2dd79b83f0e643b6643157e1ad3984

SHA256
1fffa47f0ab4ebb6363619fc32bff0a60b029ff64c4edb4abc157932362a8d90

SHA512
3d6a7d864676253dcb019826b073b878026613712ca44538d27305a37c265ea4bcc59050938fbdebc60cfbe19356a1ef4a26000f7d8d784d891f0c81ce51a14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egwk.exe

Filesize
194KB

MD5
43ec03203a3d468c4c81fe83f61ad929

SHA1
983a50e6cb22f7b0f4dfce4d7e451e7c28ae2c01

SHA256
05a470f1a1b15998c9cf952093ea59988b6137e23cf26e5619cfe26e9bcb9c43

SHA512
828690a6d919b5af0ffdf9688c0ddedd8bc713d0c9ae0ae2b4f1515535e66e212fca13f4c3bdf0b647afc5cd32f4d7168eb5f87d6a8963d424d27dded8e83702

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwQg.exe

Filesize
189KB

MD5
8f77afdfef2dd617ae8a9df645871050

SHA1
d237888777b03d61de124a1e71734a2b3a681608

SHA256
52e283166c352534418f635a148c7112d8b55cbbc075238e70eaa77d4c7cc583

SHA512
2d94ada12479afea9040ab06508d24a091eec15e51171c8b7891aa03a4316b4b2927fc21de03d7b1349a26196a5745ecde8bb1c76721172022fb27b2147381ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUc.exe

Filesize
637KB

MD5
0b8be57ae718388cda2161a8c94eee71

SHA1
55ba3fafc813f31af54c2b6b79a4c6ddabe35bec

SHA256
f74ff358ff7b3c94e8359ff7e099514b25cbfb4184192d2724cf50ccedc3f06f

SHA512
4b65fd247a24cf3d9e9e65a487cb5ab025bba9e000bf915b1e51a6339fb6cab8f28767cadf972ae87413aea1f2354b12dc942bbb8f02afa03cd375967790073b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUka.exe

Filesize
193KB

MD5
e6df48083424adfc6b38b1e1800dd93f

SHA1
68cd83880af71555456b6066f9bf693f98fa6271

SHA256
878e5b2317ab6f7d949de8cd59546564b1e865b84a9e51e92709ec2fd4956901

SHA512
cd807d87b59575b4274f8f540c0920b888a0fc3ef80b5e5d7dade5b1e211b27b9f6f0612503052c25ace06578f134b73c303d17783cac4b62abbe9c813d5d99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUkm.exe

Filesize
232KB

MD5
fb83104bf8bf06bed63f211e32fa3357

SHA1
69a7ce1c4184afb921725d873b0cbfb3d26fc243

SHA256
e2630e64ead54798041010275f3ea33fe11a1a8dd1f181716b21bfde115ebabf

SHA512
edb0700d41fb533d63ba0e81c4cc7ae557aa74476e4d5b8cd753c62a23bfcfa83f211eeb608137f009b7f8dfa95b4f527230eaecd4c932e189ca913269f05d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gocg.exe

Filesize
197KB

MD5
ace0b84561418a0fb1b8a85411d4b2c7

SHA1
9e3cd80ca5c22ee6ef0c9e3d63fc5e7279e9aa72

SHA256
6b20bfe05dc4b99c2e65c291b8c8776c447c06da584e39d370d8a450ec399794

SHA512
3e876d77964946c01fd8ea1488b35ac9d90485b331ec194ba29aedffebb8f56ff70e57a4fd2bc17cc941e6e4cdac9ef1d2550ebf0ba602a671f7e2663385f3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEUo.exe

Filesize
191KB

MD5
b4147e287ff959a6620db7a523494296

SHA1
6779f6e1a3838e459301da2f3fe59d970a6db698

SHA256
c068ade03e427b85cbfcf56598769c8f55256b74e67b5b9a5592be2be2dfef61

SHA512
7216eec3d28b8ee7dfbf520b9d52326b38c9de66a30f24e0fbf264c335d40829d611e3288d5dd0eee612f6f15808251b7d239c7baa0030183cc7315b4bf8fa2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIoi.exe

Filesize
185KB

MD5
64286320251619ed1be229e30bbd43bf

SHA1
47bd3c843f7e8a4b9c070cb38843f25b66ea528e

SHA256
f3305612e03d08484f0b93a051aafad98f5659b7af9761e7a76e735109b28b27

SHA512
206f5ce0bae02af25a0cf29aafd76b98e0f2feebc935369e4bf4924322929caf86b6a912fb99fb6996fc6f9b8e866a90bde13f1f8960e2bbf86bd4119802c2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgQO.exe

Filesize
226KB

MD5
38f9110af146435db032b41f41aa562d

SHA1
e8195c6a263ad245b0745ecb8f6cc0a16ad44845

SHA256
1394267e072c4dbbc651caa3f70b2b7b11610433a18d26fc22b5b6e502231868

SHA512
9e87337f287de7d43bc20ec862bcb7f5f5b370a553d7391af2a19e4634c5186fd3d71b68458124dc1e4e9a239e61c0e13ca0327bdf671d152db4af0c113ae0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hkoi.exe

Filesize
204KB

MD5
0bc7666c651169fba172eff356626d15

SHA1
c318f697063470e9f4e14f47731769e0ef551353

SHA256
415d62dcb8578f96a66eb26c4e113f2a05a37342ab280beb48495dc0967623b9

SHA512
452f617036534668c2b98886888086177ad6747dc7bd139398b35b42ff5183d9ec829a697c5ff2af7413c9c2ee8968a20da6632e56968c499ae896e50977e090

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoUu.exe

Filesize
192KB

MD5
c8d9ae8c8429bae44c45eb9ce2e3d5c6

SHA1
392ddee8d435de47b57b84b4c53da7057d5fb89c

SHA256
092c343fcb1fb96cb2612ef95995ef6be90bf50ff7aef4af62c9090a32b18299

SHA512
81d0de959b71e2e2e2a4e37fca1148f74191aae9313cdb6f50c682f3102692bfdd132524b408333d728e6887bb08cce62f303df4e13c4c70cfac9a76ca1d2703

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIAE.exe

Filesize
564KB

MD5
8f1625225be635ce5266b1b63c3c2e96

SHA1
740debcc38dfadd529d83acf6545a4b8857acac4

SHA256
e53ce8d7a607cef28b1f083d54c48701824851875ad68c33e631805e3401a22d

SHA512
694864465ef5f192830f00b815178bacd2fbfa0a13906c0d0a5d45b00863dccfd7dc49d62372a719b592fa2932d90f9055776111fbd3ea56faeba972e6d3a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYcY.exe

Filesize
185KB

MD5
c748fe1f926be2b75ca9de4de3221eff

SHA1
3f47ebfae76aae9cd4feb8edb090633c044af2bc

SHA256
c00193f0d9ed3ea3812066de847c9f068985d4af53f1462c6dd633ff61ccf0ea

SHA512
56b57511575e5f61d870e9c98516aec8882112f2d89807488214767d7376d79eda0200f6f36c46422f01769b7c8c8a2e5af5a9741c8cf2f62e95f76ca096c835

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgUw.exe

Filesize
576KB

MD5
a899b3cfda206bcf9c1b999d3fd68a17

SHA1
350e9dbdd7307a9a9231be23ac260a41e4e21a2d

SHA256
59cc277937ed06532ed9d419b77b7b15f52d360424903fec4b352322be3f6ea9

SHA512
96edba9ac680c1ca53aac2db09beb09fd40792d48a0103034b4f314b4564ff6ba346cb052713600eea5649db85d1d6aceace2357a335a90a7d5552f2d5ca8441

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcsI.exe

Filesize
362KB

MD5
12ee645af8a48a9fa43774a45a3a424e

SHA1
54af92f29c7975af4c0e955edc6075fe3e5bcb27

SHA256
7d148863a309e6fe9c48358e93a4ea3980eef1bb3fee33d1f723075ef25b740d

SHA512
d7437e51dae6752aaea003cb4fb9a87de58222186734bcae4f0bea5feb8b3697557c66588e98374f383620a299ef8d3cb2a1a4189098f9a9e093d7f675de3979

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMK.exe

Filesize
205KB

MD5
a07e82805496f3541ab5248dbcc309d6

SHA1
0c5e0fe967487db3ecc06b900988822742108116

SHA256
a16e6b89edbdf7db9068c49042990480fa058c8d0e1b684c3f308a20b39b607c

SHA512
31e6149e8d9b0414ce2937c396a1720db7e5b42c79a9cb2b1ed0810ffad4581156914c6258c0d94cc04d6e2989ccd65c31df6fc1fe012b9caabb21364a4a155e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYgI.exe

Filesize
656KB

MD5
ed315ae5fb0d1751434dd8453a1fe44a

SHA1
c6c93895e311ee26cd20fe62a95d491f25bb117f

SHA256
61d0ffd5c51bd3e3b9e022bf5f0803405a9ddfda67bab198ff3c1a149150a9c4

SHA512
fd2d654c4c42ce91b4ca8a78d35e22b3781ff8783a6384d1c775187f9fc87ea0e44b8ad1e1fefa7e29a8a46cefc8131e7d107f465fd9f9f42545f0075ebcb69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lggu.exe

Filesize
188KB

MD5
bceeeee7382dfaa4d31cb3729fa51c0d

SHA1
d7393343f1a18fdec7f0b7f6b2f2558e91bcb995

SHA256
b4af8cbf1e109b57e79f0db059ea873214227c69fce96905d3db38f14985c11d

SHA512
6e0afb104ceb55d4f66137aa2a80ec46a30056c4ea496b990ef17e368879483c1f866ceda2c970338d55b42d0c6679f7dbef7a5d5d6e34dd360a368f323fe133

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAgg.exe

Filesize
323KB

MD5
433f3cf66c371e2e8c3aa4208d90fbde

SHA1
41bb1bd619627f781dcc38bf16e4641dfaf4cef9

SHA256
3314dbccbc71fd027bb61a7e3df8e3b6933c01adc7e8e14340762379b47c3f0c

SHA512
8fad7bf1f900175eb06313f152e1c1231490e9d5c0f890e5f7cf37be73f99ed78a31a5ec8fe5bd1f559774456237f1851229b61dd4bba94281d90d92817c1f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQC.exe

Filesize
222KB

MD5
f51832ffa591202deb10df7eea64d86f

SHA1
c86f6a3eab2c6de613b8b8479fc591cdcf71d44b

SHA256
4ec665b509f8b61d478d2c2b307659064ba0beda17781f3340c3d6f9caa0ab66

SHA512
50ad48d8b59457b99a44e08fa7657977739d659c37d82a5c02312b06bbfb553fc0b6707eb07c9ecdd99dc717f67b9609759c4ddb061ae13f908bf8bc60313805

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMIw.exe

Filesize
262KB

MD5
085cdf40c5e0fa8aace9d70834a9982c

SHA1
68b73fbfce0d7649637f6074e6566703c7d50eb8

SHA256
10fbde5d7ff4f8b588592fc1e06d9d1016b3607e89a7d8ceeee11d82fb2df840

SHA512
ec8f0ce1fdf6b468b64b13412f460907f988d5992b46fd2ed6b1adfb15d242f906fe491da959f5a372c5f0887ed691f2d148084b2a4821315da8eb4cbbefc38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nwcm.exe

Filesize
640KB

MD5
419ae22018ce491bbda7acc97b18aa34

SHA1
d0d4e8bb146d3e1e5c00d9fa549bc2f4240aa96a

SHA256
1da40e6e6e605b8a0a245f68df88b932697a2cf75e52c77fccc6f878ef5f6a59

SHA512
1aceae3031f39a8c3c4f51a97b1a955477f13dbd69669142ce49e34dca480febcd2fb160ae9312273e0d95eaa846789885f3eafbaacc65d8b76c07d88d3a3d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUm.exe

Filesize
1.8MB

MD5
f2212e742eb599fe11f4c13e334b6854

SHA1
df98b01fa0a2774b1ad834c3d0dff75b42863ab1

SHA256
71cbbb75249a4546ced5a380a9216c14c2f21fea105909430bd4a77df03e888a

SHA512
a4f0ccb5cf6dfe25965f9f300c695e16e86a005079e3a1a17fa6ef2ec4de6ba7ab234bc4cced01791997c5362fa753dd444050adb448ab1d4ee8c55fc8b932ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okki.exe

Filesize
197KB

MD5
986195fece26e2c04d696c5c186402e9

SHA1
1fde66a5e7a6721c15b03483f719f0708096697c

SHA256
c0c48411d9bc8551868e8c1726a938ddd9f1d9bec1b1bf3e7d4d1e6edf59975a

SHA512
783603233c4b431fd8bec93b27369d235ec013bff041e1f375af1d707d4faa27f16abd001ddbf754555e2705465b65a671af93fd91bdf6f57d2fedf719cf35d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIYk.exe

Filesize
321KB

MD5
bbf5aa2a6cc7d01f495f9f58c3425f78

SHA1
9fe22ea7bac2ad3849feb996259b9b1eddfd76fa

SHA256
2812ed72aaf648fbd0d2aeea7c81b447ec697d1fa8bd970c32cec69a4de1a4d1

SHA512
e63dea6846c3ebe3cc3dcc5f21142f6eecf32a3dc2c4d0805b0e4e40a1fddae004780be2ac0ba6ff0d45ce96a3b056ffef8e3663d09750e4e84749920bac9824

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQYM.exe

Filesize
188KB

MD5
d3d5b95ad9810a115c0eb1a7f149f916

SHA1
529afa9ddd254bdee909e94d273089947e8073ec

SHA256
feb9742f844fe3aeffec00b4517e9c464ea1b3daa822dcd82224641196cd8682

SHA512
d048d16333d5771fb648f5366c9e3911594b3c682f21482290092e92e2edc71e2eb9e14e978c3515cd54afaa9652c87a403aaf50d534ab8681b3aeb68d3eb3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAMe.exe

Filesize
197KB

MD5
677fba6e2c84c6f12f69fbd0c21aecde

SHA1
1ba9312c75feed4a4d80f83faafc06546ff73f92

SHA256
d32810042c4b8ee82930d94c530ad04c05e7e25b5ee4c0ceeb03c3a06473763f

SHA512
1191be06c062158ebb71ba586743097b55d507fd94eb4a8d94ed1197fecf76ad120433e96534ff43340fb3a6f01c62b497a6071b13d95707eea63ac147587806

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgkW.exe

Filesize
194KB

MD5
198b070be17141195563e30ed8cc6ab3

SHA1
6d045f86083d8f8284dc0651ada85284f715bcd1

SHA256
552993b3c6947a539cef186eadcade1c4f8ddb80bdcba8f002a1717ff497964e

SHA512
7346326c7146e3fc7b67c06042930073fae02c5eae58f9dcb9534b4cee4bafaeeb9e78f87cbe9e4cedd7b041801e86528e3a19662d315aac1ed728af5bd55d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkkS.exe

Filesize
191KB

MD5
c00ba51942c50322dd108fa841833c31

SHA1
d9c5873446e5555f94013ef512de39b28fd0343f

SHA256
56754001d066554088af87d78722a4c9b8ee8df72f0b08b46d1dafbad6834625

SHA512
35e2b83f32853b741197608cd7dd2fd17519879938c08c3dfe6d3ab2bf112d9d505bff267bff0c1168aea70daa4e6d56093dabd85851bb5114a8f3a1942bbe46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkc.exe

Filesize
189KB

MD5
680294520ca93ba5f55bbf6103a9d4df

SHA1
a7120b1cb0dc0884a450e5dcefc3ef240c6158fd

SHA256
a752f7a0afd9ce55d86e505be53f8c9e9b56918087d636354f50dfca901a51a0

SHA512
48e92d20b98766c7d204662b8b841020948e489aa3648d5e656afbc8afddf037f4bafd204cb1d8a586930abfd4bcda00230f5f142dd285af03abad22153d61e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIoG.exe

Filesize
207KB

MD5
de276a826b8b04d9e2eb7b76985bf8ee

SHA1
5ea8fad80c1af516dda928820bcd7ddfb2cb317b

SHA256
9d6a86f399ef9c80247028790142b86a103e1fcbca97784816abcca204fb120b

SHA512
62a4e3d36fb53df10ae9f079ea2e1894efdd504fa86481b1f1c6aaf128f982f8ff66dc025edd1180b3050651c522da4266824daaaeff2a4d36838dd81dde3ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYcu.exe

Filesize
197KB

MD5
cc4c5cac827081b966869943f77013ec

SHA1
3e100d526fbe99f8d6b8332dae0c67b0bb37df15

SHA256
a30579760a6ddf4178874a98fe8c715cd4792b68a66ad5055e845d968a56e9e1

SHA512
9b309da32516a8dced45af3371e06ed7757eac5d6a6d6c39e7b3100ad40872e617d19693cbf27885b2bf41d31cd8e687375418768839ac40c5ebd7cfdb388e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkYI.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgkI.exe

Filesize
548KB

MD5
90268a18e7bbc1fb4b5cfccd0ee65934

SHA1
f6bb1590cbb13c9941565006e066b74e60ef4d66

SHA256
d85bd0ce2eb36eca8ca8c48852e9a34a122ef75b137283576e592b3e1b389973

SHA512
240c7804214aa5cb5d08889e2c7f847eede38c55106094ba5738081f60d313307f58884dd39320330223d255298f55cbf401c878723f6e630db5a3c6a90c4664

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsoS.exe

Filesize
423KB

MD5
7a0999198c1c06f336908c96d731ae1a

SHA1
607aad2becf96bacc36fe9dd016f60de81ca9631

SHA256
2f2859b3e6f1a28919a92420386649cbd5b8941822fb442c1e13789414f83578

SHA512
c35e33714eb2efbb152f8279dbe070c3c84c39d9c72d4732a91d0439c613a4a7ed50dc5585903c6c7620817c4572786a1b2ad705554e177835db82ddbf9c1c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMoC.exe

Filesize
201KB

MD5
a353cd40ab03709173c268c1949b8859

SHA1
962d174f3eb4451d1f6462521be5dae519884b91

SHA256
45e7fb00e97f276ce3e84850d219e905614b6ea37b68cb8dc58edc7164c58f3a

SHA512
d0b2c9aad252d1ce0c389fa7e5cae5e6f969f6c398e118c50ffd94488b2cf0edb1220678502c08bfbea0f1c1424fe225d4bac084289fd3d57aefaf483cff76d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYkU.exe

Filesize
199KB

MD5
361bc684e59673f647f07785929105bd

SHA1
695575e08b84d9648ea352f11303fb69f12c8ba5

SHA256
885791614955e99c190b910fe2a58936720fb8e4b050d0efb35234d804901f01

SHA512
7fc19524451ba15456c7508ecd9e92a4aff064fa85723bbf72544dc77ef49986ec493ca73b176f7814e0befb9d4f045af268d3a64cdb1623b9861bdc4a83ab0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcAM.exe

Filesize
64KB

MD5
f22ce1334b9ea984ea296b937165e84a

SHA1
ac20f3aa2e7c1896e7994f41ef2f1ac951f986ed

SHA256
c89d187e753c404b764caaa8f2c661d9af3af3ebc4f112a912c02a6be5bfbe53

SHA512
9b04f21287a4c56ecb172eda3f4e6dc300ee654605b18dc6b470f35cfd7b5781d41e06adca089ff3761366a9a4978a53da505cf6a9b14605a0ea87b9065a30ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQAc.exe

Filesize
199KB

MD5
72b878458000156a894bd8e3a444e1d0

SHA1
f987db351f716fbd337e2c3d184cd144371889dc

SHA256
75bd0881cfceac97c6a8fadd533b383de5b13df153a80d6fe0354b05528b066e

SHA512
e878990ec70b2c423396facaf732627ab38f837919c76ff3cb4af81c2049ff34b656e41c5fb53ee01483827b24eebedc2667c181da98a10c37b54227c1613ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYES.exe

Filesize
198KB

MD5
4eeddb5962dfb7d7ada67ce222dc152f

SHA1
94e611687fc0b79be428b653b44a6965638f332a

SHA256
927447c98aab79ad2bbcb62d081d057920bb9b51fc1290c15e62f23c0eb30c06

SHA512
47458c03ca4dadc7376782ad39c3a57503d7f56075d8c3c486192c7b82bdbc75a73b044c99d45f0c58784ab4a6e871a729d3b72f8611c851ce236fa5e4861c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQy.exe

Filesize
201KB

MD5
5dd79b9c190e33c0a6dfb0a8842ecc16

SHA1
e973bf1f1950db71794166f74ced2abf6d57ae52

SHA256
bd82fcd045384734d575fd8f4fbe42597971cb1f7e1681f039558254205f7047

SHA512
cb4fb2087431ce8626215ee6f0bf50a664741650d6c0611579dc7b23843120ed17cd26e0578d2abd5cb20e199c68804195b414ff2b20141ce57e15332f51e3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\asoe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIM.exe

Filesize
197KB

MD5
2141f656b49c9c366b05185ba4b7fa82

SHA1
2af2039ffe597e2eb35b9ff521bf91a10f920925

SHA256
c1f607a679323399fb0b87ed726ea425fa3616448a884755e294727151be8abf

SHA512
8a5061a6722c33054d531e022e1e74ca65fe111d520f2dfe814162955fd805cc3b0557858d53b6f4b2d4f559d8eadac8e90d2bf163d5d42e073d5689805eb2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsou.exe

Filesize
223KB

MD5
7e3f7294589910bb8e077a92e29e82eb

SHA1
6de3892c8d46f6f5633048791351693228e163b4

SHA256
d321843327305e477448c11f51d0519700b0377ba4dcf6bf32da8e67cf5e5b7d

SHA512
7c00d86d40d4edeaee7c9dc8f9af341069c92f4c6947ef8d248516b6f745821d91160395c6aaa96bd08e33607c5aeef6e5ee2de4dcde9d427bf152fc17adfdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgq.exe

Filesize
204KB

MD5
63fd07e5103917ca7563be556cedecc3

SHA1
078614d741fc7ffb86638c6b62f6540b3803cfc8

SHA256
ea7bfdc7568473fe9fdecf10f4f0151f30ccc102d139870b16d163f4033fe86e

SHA512
63a843fac88ec1a1e30efcc444ae6ef313c9a927ad4d0fbf43b33a048c99c6ea582d0747f286727158b42eb84f2b81820daea41d72fdaa9a2e0b2aab382e23d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUY.exe

Filesize
825KB

MD5
e864a47d2c741bd1ff3bdf663b488765

SHA1
5bd2324cd8a83003d521b9893bcd3bcc79d5fb1c

SHA256
14668d4313c68781b85fe549d2b083d6b0e8d268d20be7e21ee997cfaa943601

SHA512
0b0f44b9edc280b845161da718fec62a15601ba7d8e2cf94e02e445312e67f80d0792b6fddd64d7c7424943731a8fd48f770b38fa22d3567131dc09ed0780a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooy.exe

Filesize
213KB

MD5
b6f0c82390239e529ea15c32843c4873

SHA1
021325eed6df16509ce7c5b64f47900a01f7662f

SHA256
ca2138681b98276465d859d41165001fae068225031c214c4e073cd352440440

SHA512
6c78a60addba288dfbb2b2baf6030f55d600ace5efbd16036d50e8e8cce3b11d973319ac210b341a127dd92fa4cf024df8b570e5e4963e53439833315a0a07a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgMk.exe

Filesize
210KB

MD5
5d61ef64aff2b7ffc2224aaa728f3ce1

SHA1
2f595efa2ac7adaba1bd1b95fc88c06595fb8e5a

SHA256
42f39b1ed395ceff63d3689c8191ff328e400450579128dd7ba3f11ce1a51126

SHA512
2be788ec82690d59f0220fd735fbb7b912ea7447f065e717402ace5b93a752c38d751cc79b656c37c02e261a20e1137e8a798f90c69de40edc217797847a69df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkgm.exe

Filesize
4.2MB

MD5
568a2354f7115dd619f9463c9c736aa8

SHA1
e97506486d546ca1f3ee01f0cc848557c733e353

SHA256
fe3a7c9da773bed9c4bd215af1d9fc6cea9345b0dc6e5bcb34abe1517e2a2129

SHA512
caa14439b30a273973c80508566ecabd50f48a0cdd5a4f631466777e3e436869f747b81fc703ed61d1e3410750886b5c914db25b25ec3c3422820dce365f60fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsMK.exe

Filesize
187KB

MD5
724d2d4be73d532c65b69e9f6ef341ce

SHA1
b3cc9c6edf82c90842e2c8a965da16d7df7223ee

SHA256
c591b24f3a74dafcd0255c5132dcd45b2256a4f1e9167b9a680e1936ce63c3e6

SHA512
95ec1da8d88f30108abab48d03a15170317fc491b1165db0a7939618830b07cc9d5729e5e8e9c6defdf79f343e39d1fe892cde0e526536a05e0400c8e2a90263

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgQ.exe

Filesize
213KB

MD5
2faa76fe54345d092d1b457825b35fee

SHA1
516047b35ff9e96c01193210224ad580a4e7f382

SHA256
72fde8c3082084d236243f83448ca0378b16ac4a6be2bb189c98afc7a2cda281

SHA512
ecf12d4b5927bedae188b540d3a6ae5618da6d084ba19dcc1bbe79fa715b2a156a4677a60673e7b86b7084efcaafeb86a309f03d5304bb281d94b0342ca2fca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAAg.exe

Filesize
192KB

MD5
ae5b509fd39b0b36f0dd4b8643e31c1e

SHA1
759158a3a534e92d728574718dde16a8a8f76f91

SHA256
0ec3bd1838dace10ac63a6e7cb802529c7ea253ed768cf201d3f2076d7f393a2

SHA512
9ccb618e8c31fb7b0f4d17c168114a926d8f29060b9f29cf000040f86edd1df48be3e0e577c818b3d04ae462b409ce36f68839139ee1d01e595a886f27bc60c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUYW.exe

Filesize
633KB

MD5
37f1a35cadb532c8c38b447f6001aa92

SHA1
6bef63e6b09d72e48eaab148a728e4d40bfda23b

SHA256
c60e32b3cea6de97998f8135ad3d38d0cec45765a1a92eaa9398e223821e6527

SHA512
1faadd91a149a1efb2352d7a645a6e5d15831837b87d778507d6b9b1239f33856b13c9a3493a0229e5a68a70936382c39004b702397ee9e43f6b17863335c23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsQQ.exe

Filesize
183KB

MD5
7f729d2d9936c96a897cffbaa63d2f45

SHA1
4d3199383b8843cb7eb819d5ba4a834e82b8f125

SHA256
cf603a3b6cfce53c208b18de7dac36b387e62006d18c4f4b92e8bb780f031557

SHA512
e9bd3c277c7689d3bea51cf0374f813bc91638deba29a48d3c506e4faf19b7ff8bd1715ec6e14888a5bf0e8bf72125aee6ce57936b1d8f608e5ff11e364c042a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQkw.exe

Filesize
801KB

MD5
ef6daeb0f0224bbb89671898801d13b1

SHA1
06517ba02155eb074ee7dfda904eef1df963cbd1

SHA256
f02239ac0eb9be95ff6d1a4a59892347b8c292dddf775066082712f72de4e6a8

SHA512
d5e9cee5a12d88c5eb9377fa6dcf7b6eaafc180d47b4dbcdeee3b05ae4529db29deee009c8ceb7157cd327635e0d7eecfb1e6235f689aa17b435e1c17949349d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEwU.exe

Filesize
205KB

MD5
4537921eecf9b5ddde535af9cefa7d9f

SHA1
bbfba857988c0f1265cd17eeb06f42fbaee07619

SHA256
a990eb2fa4f015fd3219dff232a0e6a7712483fd7987de3c2d31aa4855ca8838

SHA512
11d4410a4dd7cbd5ef2038c16b582887b8530d9ea832f2d55035963f5109e764f5f2f51f929e4f796ea0bb397ef8fcb057224f32f320b23a6bcf4b48ab506ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\igcw.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioUk.exe

Filesize
312KB

MD5
8281e62cbfd68eb50de7f61338e95f87

SHA1
2e7bf93e824793f8dbcff53530b7d12a6ba18a18

SHA256
9c0ff147325a3b9a9fc526c2b2e64e529bc97b215ade415ea5338feb5492f1fc

SHA512
2b53be52490d324800d426daea4d5e9c85747e2245135cf91212e8a2abfc7a825fbc3fcfb4720ec308f4a3a37e8ee1b5ebcfc01e20b246c8fa7ad5f41c2cfa71

Download Submit
C:\Users\Admin\AppData\Local\Temp\iokk.exe

Filesize
206KB

MD5
28a054b1fee6ec1e6aa6367b14a8a495

SHA1
d4f9214e101fe1006f69efde8df308c0bede0055

SHA256
547168a5197b45f1ad8868a793cc310d5bb9fba8b16f27ab4f5e091dc3c840b3

SHA512
52391870a8508902c9c62b87fc577a2df43de80a74f0195c3cdaca7fd4ef0f5fe4095a479e409f753ab99835f25a55205fee8c37702602c0738ad87fb977c575

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMsg.exe

Filesize
836KB

MD5
d0af48bd8e6f5d07b9e613f062674fd2

SHA1
ff6ccd590ca9c3c50b977cf9c4b9bcc675968b15

SHA256
c8855e357061d53e63d8477fe5f1641810af6c0fca79dedfa439878ab58caf2e

SHA512
349420c34a46268357011e0e6477b1370cdb43ad1899bda46a570944db8fd168732209ac3a4d5125bfd73da5b5b1e01442908cb2a00e49f4fad3bdeb50f8aa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQIC.exe

Filesize
193KB

MD5
b94e3263475d78194e8ad282d6225193

SHA1
32109d313eb452cadbf852f8220a44168997e28a

SHA256
70f8382cf190346c10bbedd97d719ffd64ce18c31fbdacf2f3826bddabcb1b65

SHA512
66310d13cb3c33c745e61aaef9a194b164f0795f33e4cf9c8bab78db8690da0fc13393d619f7f653c0127cd6063cad2b8822433c1e6a2035a01413f4f34995e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAO.exe

Filesize
195KB

MD5
119476e73ef4e628c8321b9cd036abe7

SHA1
acf0e9c9af565b77aac84a015a11ba21b9262047

SHA256
cd594c4e89f291b15b068e52665a9809a37f292665872284580f73599030e967

SHA512
fc901b012db2889d33d3b8b884654ae57eacfffde11fc0b36137a45658fd17f73639e7a17500a1362860312c8ffb3862e6820a55b259de757734506fa76a9899

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQO.exe

Filesize
204KB

MD5
a3fd4f2c4a21071d2861faa24ac5f051

SHA1
321e5515c9e47436537a908a49a6226f9a7fec46

SHA256
8cc56eed5226f5792a94bda8deb56caf4608f4bca315f7e9e6c901d900bc98bf

SHA512
a6f1265ebf03630c59de1e17923b1a53873a6dd55b9550d6345880a2d4deab6965a9725e811cdfa14b753f9312d5aafc0a0b227fb09470f6d25649bab6ba7645

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsUk.exe

Filesize
198KB

MD5
1810b3748b68ec8d9e32411fb2fb9d35

SHA1
a4ed938ce45a8c8997c36c93d09bfe31a2f9bd71

SHA256
60b147b1efb772091178b25def04aad4c30592f8ee4acf3c9ec4acece23bfb50

SHA512
6dbc7efb040bec196298e90c63e0fd065d41447da133e36f9856fe547cc672d06c73efc9ad955f82fcb79aacb94f69610915cf318427190967ac785be4f34a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkMa.exe

Filesize
201KB

MD5
09be994068607b40c62328ddcb46e1bb

SHA1
b70445289f4e10cabcfce025c38ea5949a5258fd

SHA256
00766835972eb7badd596e4f0befbd60be82625413e5c5fe30937e7291bf71a2

SHA512
5b00a3cffd56da41082cfe4d4e3b3ff28a01ff6611f5a659132d9e786814f30684815ef8258324010c669968754303f58969ba6c47db04544605941fed067e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncYq.exe

Filesize
383KB

MD5
fbd8b6f2557e9e4fad2cbc74b1242ff3

SHA1
af931e0928474a5785a6c1f6604b3611d636b23f

SHA256
0de7a50c6b58239ad6f80363ab01c768b3b64d86d94979bc60c8b62393a342be

SHA512
46ee3e242b0c74c43dc2a12c932b3490be3412913832cefd85afc9e6b5e9944c3fdd2544a491c4e0b148fa418a575f939b9727510024d42f7bfdf390e6262fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQQs.exe

Filesize
236KB

MD5
dfcb7593b445f0a48e6032369ee1a9bd

SHA1
bef875806de75fa583ab43487830a5ae51d5da22

SHA256
fda1b95542b97c8663b91789126f66a1b3703eb0c1361a4d755503d20fb252af

SHA512
704ad3c3630565cc69c6f24cec535d998dfc0d13e8c503b45c949f0d6bfa76fe1f81f7a547c20330227b1f3740ac303608a99a9b6d3aa7c951a215cf378e0546

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsA.exe

Filesize
196KB

MD5
7866cd742688aa4f0ecd1c81d40bf168

SHA1
a07b2d4473c56c94ba721ef060e2f9c109951f1b

SHA256
2ee1fbbfbcba63c1827b668a747b7d591ac4143d291e565f80b07d33d6eee1b1

SHA512
c4d253b19e0f4d36d48bda4c66518c9e9518ff0476a3ae36d8ab584da14dd8ed6d990e73362eb0c6206c85cfec816e0742ef9547e82b17ac0a741047094ebd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkUw.exe

Filesize
205KB

MD5
76690d65bab6b0cac8db0602cd1f4c0d

SHA1
5d0e7bcc5b7a9441884abb0922e6b3673c43c4b9

SHA256
f054b2efbcddaf4180738033e74f432d0b98865c0609dd5e77f76f44c65559a7

SHA512
d8888fbcd800d6bc187ea98ec0dd9f3d7eb803590a8c7490c376f51167c8e76f174d75c26b2e719fce420fa96099640f1b89ce1433bd9dc08084f6ebe718c483

Download Submit
C:\Users\Admin\AppData\Local\Temp\pukggMUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIgu.exe

Filesize
214KB

MD5
142e628222694e280f05a3f9fdda37b8

SHA1
d07f0b03344922f1fcaf18ed55e025664924d535

SHA256
ac5a1929574094ba0a793caf23acb7ad4b8716795ae95280c4821071e5785935

SHA512
a5104b6a59d0387bc383a76bf245684770c3c2e5e00924ee78d565d002b68aca2cebd6dee6c4271332d17118a0e936f87e075a6055590cb7e1f5cba35bc9862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQIy.exe

Filesize
504KB

MD5
fa06fc46a4aa5b2a0e88b307705456df

SHA1
676792c4a4e63525033955aff8dee3ec3cbf4f4a

SHA256
84bade174df48da2e2347b72e30cc7f43ac2fbab5ece9ab54844cd79c603bbff

SHA512
781c6ef9237188eba16a1963db5acacb53b4822b16dd4d4cfd93b35880ab97788482bc50ad54299806772a84a8afbc4b6f7460696316226f5952f9ffec5cd804

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMoe.exe

Filesize
770KB

MD5
aaaf18c738dc196df844300f94f77af2

SHA1
b948980a4fc36b8a3fce050b1c898169ddb3a2f0

SHA256
b5a56562d62b0874143f187f673ec70be649813b312dfe61ede3c83b9499b4f8

SHA512
187f2cb1d7f981735abada90e792f6b92c40fabb940ed65e8670504cc602c202ef5777da0d7327c976099af3001986b5ca73c8ca6b7c5238a46b9496824ce6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAgQ.exe

Filesize
654KB

MD5
151aaafdc1f504ac3f8874ed14f0919a

SHA1
750abb569417c9adf0bb8354fb900681a3c00130

SHA256
f11237cd4b5ba0cc45a8ea3618a9c46d377f4b53ff77578ea15a54cb77c44fb1

SHA512
322504c692e920e8172926301d52c6535e4701dc8184cbd676698015d19db99fae46ff37600b9142d4bb0cccbf4c1789a055cf79aa3894599ed68c0be00e96ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsO.exe

Filesize
322KB

MD5
c8bf2b31e76b9565459cafd8360d4052

SHA1
e5747084585b943033fc3ae6562fa1d467b13532

SHA256
4c732a57011f677cadfcc16b2f292586e5e53aba1f0e940d1b1b6e419bbc35d5

SHA512
46c4be74184715926e79ba0fc2fc8f06a837aba69eac7e265f1229388178d8a8f790f46a09c95cc1696a341cc56745cc17315fe155897de1c08b4390037ff1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugki.exe

Filesize
194KB

MD5
4b399cc806db93f8a1c45ad818e04c16

SHA1
979e87d406fadf9b09baa4c14de8ff15b856cc49

SHA256
fa53fdf7edf18a3181c8898324f2007bc2e5939c8a75011e88cffbed40ef47c4

SHA512
b11054009bf927ef32697593f264b05f4d14c78a9268f24d9cc5397d1c1db41fa3e61322c90caaee19a382faae5ccac688432d24bc57a7b5e92a676671265b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEi.exe

Filesize
641KB

MD5
46574625572620b7d4b7f26c29353535

SHA1
edc6db8b004234786298f16770b621b8e7e10f5c

SHA256
661a5813fcd701023d47a540bd1fce232145a7b4ddfab725a7efb2df8b2f706f

SHA512
0202998fb39411a559738775245f6679f45fd2ee06da69aeb025f4df96494ae42214c7c0fdc845cbf7e19adb046b9e8027f1a5988bd1f87f64edeeade4b75b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoa.exe

Filesize
569KB

MD5
03a178b6837040bc61031ccafeb838b6

SHA1
60c7ff02a7a78a1287dab8a9cd5fc2e5b8c22cd7

SHA256
2dfcbf03008772c529f4c6c0a31eaf316f5190c8959c16216856c684cede0980

SHA512
0c6a21c4f69eb39a4142b1a7f73d26d5942a3b2aeb7f38e7bf18c6e07cdb0f59e843a1c55baf9c84a29dae1276ca2ee38faf5020523817888c7d84d1f33a04d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQm.exe

Filesize
785KB

MD5
3a998d0af61c6a1108e39b7cfb6286ac

SHA1
d9b8cf0386f25970cb696a3d57a2e181fd6335c1

SHA256
e9bdb504bcda7c9b1234a03846077af35561bea0187052403d3abd6f584c4ecf

SHA512
0d96027adc7341b509a9ed916f2969c2db0175576370e3711545f3f82b9f873793907947038c947c88d0b525924ee63462a71e917b4852eb10faf91c30a61031

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYo.exe

Filesize
207KB

MD5
56446fcfaa73217fd8c24dbb34aa939a

SHA1
a60c53e29d148f2ac3e5f674ae5bb7cefe35fade

SHA256
213d2b3cf024df7d47796308c8cbb396b601feba64e67d020323ba78cdb8ddc4

SHA512
f8401fb1996fac95f597df4efdad4039f14f5fbec217066337528d4712a1b270b8010dcf13da5bc83e6c8da9db3dba8dadf99f76ca2e3ff8a05edb74518138db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoc.exe

Filesize
216KB

MD5
70d90f68cd99cbae8cc8e80f1cc785d2

SHA1
1d488684e22a1d0108fdfbb305d90d74ecb70ebf

SHA256
b9675ec5cb343aac18a2241aa3fed4e63982a9675d9ffa60671edebe71da70cd

SHA512
99046493c6abfd3b2ab8ea046cef5a01a092f8715d21a213b89b6294b10f9d495b3dc22928a6990d8a2c4e745492caebb209648ee5f436dd96477c7a204d46bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcks.exe

Filesize
185KB

MD5
7f6c91eb8fe9be8dd1b6b6d805bb8c32

SHA1
5b91fdd24d8fee895938814b67efb93055848c0c

SHA256
c294199d693e93109405a018bac54dc5e8bd8c031b4698e91a259f9360cdadaa

SHA512
5bbb3093e19532a5b3c0701261ea09f442149c5fdd929217e8ad06ae51d86e4ddbff3b1a94c0ee8b32557c1256b2ac3ba4ded26d49f39d4c76cd200c15a1203e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkkG.exe

Filesize
181KB

MD5
b1386cc8430e33e64e601264df6c3c53

SHA1
f4daac990e35b5b0397059f213556f87f0293122

SHA256
9805fdb3733f826db69c60819efc2f54e9774a6af58ac1da0dbde84b14df249c

SHA512
97c8a90a1aceb7f911f5d4fea95fe4327f0ef790bfc2e4c07dcedd827148b9230aec5fc1c7f23ec74689f304e1f873f31f3da8e28409d95d5b626ff1026f029f

Download Submit
C:\Users\Admin\EqoAAoAI\kGoMAUAE.exe

Filesize
199KB

MD5
e948d7e83e55586ba1e4744608fc535a

SHA1
9e58121ef887222e68266221beba5f658b551c95

SHA256
04f0762fe593eb014cdfb611eeeafcb337e837d8ba194158e612e8a2cb46570c

SHA512
38ec91ea82a64c9975ac14e86b416e19b2ff08c5249a6308663a72d44381542a79daa79e5a557f2b57c7c39f3de3833f63e3e1025ce97f623e6cd021b7de86dc

Download Submit
memory/32-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/196-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/368-183-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/368-169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/508-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/508-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/752-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1320-182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1320-195-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-108-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2036-154-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2036-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2072-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2072-127-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2120-259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2120-246-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2212-367-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2212-375-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2216-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-347-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2264-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2412-207-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2412-194-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2500-395-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2500-385-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2680-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2680-235-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3016-203-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3016-222-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3176-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3176-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3176-96-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3176-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3236-873-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3412-270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3412-260-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3584-356-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3584-348-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-384-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-376-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3928-420-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4060-403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4276-366-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4412-93-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4428-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4428-280-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4468-414-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4468-404-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4624-329-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4692-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4692-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-234-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-217-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4960-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4960-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-157-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-146-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-415-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download