418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ViraLock.exe
Size

194KB
MD5

8803d517ac24b157431d8a462302b400
SHA1

b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256

418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512

38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
SSDEEP

3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ViraLock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ViraLock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	lGEQYoco.exe

Executes dropped EXE 2 IoCs

pid	Process
992	lGEQYoco.exe
964	tosYYcMQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lGEQYoco.exe = "C:\\Users\\Admin\\WOIgwcQY\\lGEQYoco.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tosYYcMQ.exe = "C:\\ProgramData\\nqQYcwsE\\tosYYcMQ.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lGEQYoco.exe = "C:\\Users\\Admin\\WOIgwcQY\\lGEQYoco.exe"	lGEQYoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tosYYcMQ.exe = "C:\\ProgramData\\nqQYcwsE\\tosYYcMQ.exe"	tosYYcMQ.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	lGEQYoco.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	lGEQYoco.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3368	reg.exe
2012	reg.exe
4952	reg.exe
3772	reg.exe
2220	reg.exe
2728	reg.exe
4452	reg.exe
3708	reg.exe
836	reg.exe
1084	reg.exe
4048	reg.exe
3844	reg.exe
4600	reg.exe
4320	reg.exe
1208	reg.exe
5004	reg.exe
1068	reg.exe
4220	reg.exe
1916	reg.exe
4344	reg.exe
3408	reg.exe
4320	reg.exe
2736	reg.exe
4120	reg.exe
4444	reg.exe
4328	reg.exe
1700	reg.exe
3368	reg.exe
2584	reg.exe
5072	reg.exe
4176	reg.exe
1144	reg.exe
4120	reg.exe
2764	reg.exe
2976	reg.exe
4448	reg.exe
4528	reg.exe
4332	reg.exe
1140	reg.exe
3552	reg.exe
348	reg.exe
4556	reg.exe
4836	reg.exe
1440	reg.exe
4824	reg.exe
5048	reg.exe
3244	reg.exe
4088	reg.exe
1440	reg.exe
872	reg.exe
2292	reg.exe
1292	reg.exe
2976	reg.exe
404	reg.exe
552	reg.exe
3916	reg.exe
1092	reg.exe
2584	reg.exe
2728	reg.exe
5072	reg.exe
4472	reg.exe
1340	reg.exe
2584	reg.exe
4904	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3376	ViraLock.exe
3376	ViraLock.exe
3376	ViraLock.exe
3376	ViraLock.exe
4132	ViraLock.exe
4132	ViraLock.exe
4132	ViraLock.exe
4132	ViraLock.exe
3644	ViraLock.exe
3644	ViraLock.exe
3644	ViraLock.exe
3644	ViraLock.exe
4760	ViraLock.exe
4760	ViraLock.exe
4760	ViraLock.exe
4760	ViraLock.exe
2808	ViraLock.exe
2808	ViraLock.exe
2808	ViraLock.exe
2808	ViraLock.exe
4968	ViraLock.exe
4968	ViraLock.exe
4968	ViraLock.exe
4968	ViraLock.exe
856	ViraLock.exe
856	ViraLock.exe
856	ViraLock.exe
856	ViraLock.exe
2348	ViraLock.exe
2348	ViraLock.exe
2348	ViraLock.exe
2348	ViraLock.exe
4884	ViraLock.exe
4884	ViraLock.exe
4884	ViraLock.exe
4884	ViraLock.exe
4440	ViraLock.exe
4440	ViraLock.exe
4440	ViraLock.exe
4440	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
4980	ViraLock.exe
3220	reg.exe
3220	reg.exe
3220	reg.exe
3220	reg.exe
3984	ViraLock.exe
3984	ViraLock.exe
3984	ViraLock.exe
3984	ViraLock.exe
1916	cmd.exe
1916	cmd.exe
1916	cmd.exe
1916	cmd.exe
2984	ViraLock.exe
2984	ViraLock.exe
2984	ViraLock.exe
2984	ViraLock.exe
2060	reg.exe
2060	reg.exe
2060	reg.exe
2060	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
992	lGEQYoco.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe
992	lGEQYoco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 992	3376	ViraLock.exe	87
PID 3376 wrote to memory of 992	3376	ViraLock.exe	87
PID 3376 wrote to memory of 992	3376	ViraLock.exe	87
PID 3376 wrote to memory of 964	3376	ViraLock.exe	88
PID 3376 wrote to memory of 964	3376	ViraLock.exe	88
PID 3376 wrote to memory of 964	3376	ViraLock.exe	88
PID 3376 wrote to memory of 1208	3376	ViraLock.exe	89
PID 3376 wrote to memory of 1208	3376	ViraLock.exe	89
PID 3376 wrote to memory of 1208	3376	ViraLock.exe	89
PID 3376 wrote to memory of 1856	3376	ViraLock.exe	92
PID 3376 wrote to memory of 1856	3376	ViraLock.exe	92
PID 3376 wrote to memory of 1856	3376	ViraLock.exe	92
PID 3376 wrote to memory of 5048	3376	ViraLock.exe	93
PID 3376 wrote to memory of 5048	3376	ViraLock.exe	93
PID 3376 wrote to memory of 5048	3376	ViraLock.exe	93
PID 3376 wrote to memory of 1960	3376	ViraLock.exe	97
PID 3376 wrote to memory of 1960	3376	ViraLock.exe	97
PID 3376 wrote to memory of 1960	3376	ViraLock.exe	97
PID 3376 wrote to memory of 3984	3376	ViraLock.exe	94
PID 3376 wrote to memory of 3984	3376	ViraLock.exe	94
PID 3376 wrote to memory of 3984	3376	ViraLock.exe	94
PID 1208 wrote to memory of 4132	1208	cmd.exe	100
PID 1208 wrote to memory of 4132	1208	cmd.exe	100
PID 1208 wrote to memory of 4132	1208	cmd.exe	100
PID 3984 wrote to memory of 4804	3984	cmd.exe	101
PID 3984 wrote to memory of 4804	3984	cmd.exe	101
PID 3984 wrote to memory of 4804	3984	cmd.exe	101
PID 4132 wrote to memory of 948	4132	ViraLock.exe	102
PID 4132 wrote to memory of 948	4132	ViraLock.exe	102
PID 4132 wrote to memory of 948	4132	ViraLock.exe	102
PID 4132 wrote to memory of 872	4132	ViraLock.exe	104
PID 4132 wrote to memory of 872	4132	ViraLock.exe	104
PID 4132 wrote to memory of 872	4132	ViraLock.exe	104
PID 4132 wrote to memory of 3016	4132	ViraLock.exe	105
PID 4132 wrote to memory of 3016	4132	ViraLock.exe	105
PID 4132 wrote to memory of 3016	4132	ViraLock.exe	105
PID 4132 wrote to memory of 1872	4132	ViraLock.exe	106
PID 4132 wrote to memory of 1872	4132	ViraLock.exe	106
PID 4132 wrote to memory of 1872	4132	ViraLock.exe	106
PID 4132 wrote to memory of 2352	4132	ViraLock.exe	107
PID 4132 wrote to memory of 2352	4132	ViraLock.exe	107
PID 4132 wrote to memory of 2352	4132	ViraLock.exe	107
PID 948 wrote to memory of 3644	948	cmd.exe	112
PID 948 wrote to memory of 3644	948	cmd.exe	112
PID 948 wrote to memory of 3644	948	cmd.exe	112
PID 2352 wrote to memory of 464	2352	cmd.exe	113
PID 2352 wrote to memory of 464	2352	cmd.exe	113
PID 2352 wrote to memory of 464	2352	cmd.exe	113
PID 3644 wrote to memory of 1224	3644	ViraLock.exe	114
PID 3644 wrote to memory of 1224	3644	ViraLock.exe	114
PID 3644 wrote to memory of 1224	3644	ViraLock.exe	114
PID 1224 wrote to memory of 4760	1224	cmd.exe	116
PID 1224 wrote to memory of 4760	1224	cmd.exe	116
PID 1224 wrote to memory of 4760	1224	cmd.exe	116
PID 3644 wrote to memory of 1440	3644	ViraLock.exe	124
PID 3644 wrote to memory of 1440	3644	ViraLock.exe	124
PID 3644 wrote to memory of 1440	3644	ViraLock.exe	124
PID 3644 wrote to memory of 1012	3644	ViraLock.exe	123
PID 3644 wrote to memory of 1012	3644	ViraLock.exe	123
PID 3644 wrote to memory of 1012	3644	ViraLock.exe	123
PID 3644 wrote to memory of 3232	3644	ViraLock.exe	122
PID 3644 wrote to memory of 3232	3644	ViraLock.exe	122
PID 3644 wrote to memory of 3232	3644	ViraLock.exe	122
PID 3644 wrote to memory of 2744	3644	ViraLock.exe	117

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ViraLock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ViraLock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
"C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\WOIgwcQY\lGEQYoco.exe
  "C:\Users\Admin\WOIgwcQY\lGEQYoco.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:992
- C:\ProgramData\nqQYcwsE\tosYYcMQ.exe
  "C:\ProgramData\nqQYcwsE\tosYYcMQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
    C:\Users\Admin\AppData\Local\Temp\ViraLock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        8⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        10⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        12⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        14⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        16⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        18⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        20⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        22⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        23⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        24⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        26⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        27⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        28⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        30⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        31⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        32⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        33⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        34⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        35⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        36⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        37⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        38⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        39⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        40⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        41⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        42⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        43⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        44⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        45⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        46⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        47⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        48⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        49⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        50⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        51⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        52⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        53⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        54⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        55⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        56⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        57⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        58⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        59⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        60⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        61⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        62⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        63⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        64⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        65⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        66⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        67⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        68⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        69⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        70⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        71⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        72⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        73⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        74⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        75⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        76⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        77⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        78⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        79⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        80⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        81⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        82⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        83⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        84⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        85⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        86⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        87⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        88⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        89⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        90⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        91⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        92⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        93⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        94⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        95⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        96⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        98⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        99⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        100⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        101⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        102⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        103⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        104⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        105⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        106⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        107⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        108⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        109⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        110⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        111⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        112⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        113⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        114⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        115⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        116⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        117⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        118⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        119⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        120⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        121⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        122⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        123⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        124⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        125⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        126⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        127⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        128⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        129⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        130⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        131⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        132⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        133⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        134⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        135⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        136⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        137⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        138⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        139⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        140⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        141⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        142⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        143⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        144⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        145⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        146⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        147⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        148⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        149⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        151⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        152⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        153⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        154⤵
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        155⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        156⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        157⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        158⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        159⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        160⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        161⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        162⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        163⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        164⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        165⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        166⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        167⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        168⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        169⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        170⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        171⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        172⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        173⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        174⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        175⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        176⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        177⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        178⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        179⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        180⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        181⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        182⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        183⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        185⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        186⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        187⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        188⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        189⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        190⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        191⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        192⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        193⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        194⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        195⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        196⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        197⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        198⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        199⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        200⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        201⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        203⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        204⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        205⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        206⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        207⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        208⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        209⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        210⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        211⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        212⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe
        
        C:\Users\Admin\AppData\Local\Temp\ViraLock
        213⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
        214⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwUEkAEM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        214⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiQQskgk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        212⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAYEgwog.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        210⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGYIkQAk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        208⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        UAC bypass
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGYgAcwo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        206⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iagoEEEM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        204⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkcIwYYw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        202⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYgMcwoY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        200⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awQYsYMg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        198⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmkwwMsY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        196⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIooAEUU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        194⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rusMAEIw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        192⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIMMYIMg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        190⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uisgogkg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        188⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYAQYoI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        186⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaoIQYAw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        184⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUwocYcM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        182⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCUQYIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        180⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEYgQgIk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        178⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUksYwgs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        176⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGEsIYow.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        174⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYswgIg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        172⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwggckAA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        170⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwwcAQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        168⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YugccAIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        166⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywIwsoUk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        164⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TksgsAwI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        162⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOMIYUgM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        160⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIowkccE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        158⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIYwgwQM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        156⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuMUQIQA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        154⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWMsMQMI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        152⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikwEAYc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        150⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luQUkwIk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        148⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWwsgcAw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        146⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKIEUMUI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        144⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGwMcMMg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        142⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIkwEooY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        140⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akcQUoUM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        138⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkAgocwg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        136⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSAcEwYc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        134⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSUcscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        132⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGsUwIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        130⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoEUswEw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        128⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIsQsosg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        126⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEUkUUEU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        124⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYEcUIgo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        122⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCMQkckY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        120⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcsMgQIE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        118⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyggUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        116⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAkEksko.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        114⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwAMAAo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKkIkooU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        110⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKsAAsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        108⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOoEsEIs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        106⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsMQUoAw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        104⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCcgoYYw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        102⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkosoAkU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        100⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUcgQUUY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        98⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgwMQkUk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        96⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igIkQkQE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        94⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKwAgQUU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        92⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqgAkYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        90⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqEYwIAw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        88⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEIcQYMk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        86⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOwMYUgI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        84⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScAskQkU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        82⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIIQEUAg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        80⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIIQAks.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        78⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUQgokAY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        76⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYkswEwA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        74⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McsEQkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        72⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMUUIMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        70⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zskMggok.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        68⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgsQIQkY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        66⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOUgwkEw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        64⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykAgIQYU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        62⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NagwwQwE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        60⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUgsksU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        58⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQsgkYEY.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaMUMsww.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        54⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYEwsYUU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        52⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyMwgEsA.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        50⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQwcAogs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        48⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYQAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        46⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vusQcwwk.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        44⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEAwskUw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        42⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEkMYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        40⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUAUQMYc.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        38⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKwoYIcs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        36⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YycsAwkM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        34⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcQkkkkU.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        32⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYYkowow.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        30⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYIMoowE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        28⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAAUYEE.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        26⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSAAwgAI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        24⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCgwgQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        22⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIkMIAMo.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        20⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miQgIAMM.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        18⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAEowAs.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        16⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkIUAQEI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        14⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSEsMIQI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OycMgUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQkMAMQg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zukIYMkI.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
        6⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1012
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKIkAEQw.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKgkUQwg.bat" "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4804
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4476

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
228KB

MD5
1bd12c3b99ed4554ab9b2595077df130

SHA1
967434fa61797e87b1cf1b002b0afdacc47fb927

SHA256
f0bac0931118aebf26e5cafd40e97e28e37ccf2250809edbcaba3bf75ae26db5

SHA512
01837f545b6209e1079c8312c7ed1a83f2e508db3e6e6a6a4c0f3cd3342b07c67ae38dfb18dc6452f9de76d7b3d5db23b3f4a8fc43bd5109415d8b814cfdd1e7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
234KB

MD5
ef6c4e5d3babc2413dfbe31a4fae0a75

SHA1
a7d2c156aad32cf99676716bf1b3af3c4a7fd0a6

SHA256
2f9794032d1e27fd9f8db2c5e6834f0bb787e4d3f37d9838cbc08e8e388160eb

SHA512
545d3a0296bab55b090a5210e1b4b171c8e08a75d970cab635a753e39d7b20330e60be5852209fb73ffbce36591e8c29c84e4c6ecbd5887b6852e9998237e0b6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
329KB

MD5
2145b28296f201065d2ba68000baa33a

SHA1
a558cdaed993c3d29288cab29acf748481cf2db0

SHA256
e0ad51f2b2ae7db13ce8cf1f2c3a9a3b2baa8610c7133f385852e5e9f8fa886c

SHA512
e503ab84fbda17c3faff1dce9203d531127f31068750bbe1bee30b8dc63bc6958f7663e4fa1b1293d9a7d2f0ba11ab15a4aa51f90cdcabe157fd620c3d1d3316

Download Submit
C:\ProgramData\nqQYcwsE\tosYYcMQ.exe

Filesize
202KB

MD5
ffc392f2c7cdb1a1c91268bddc7c5785

SHA1
e18a6a26060060b6b37fa79e75b92ef734ff04fc

SHA256
30bd8d3733e5fb64e7ca593685e549d6179662375dfa27cd0e1ae6bd41089321

SHA512
583b888890737754698d49973effa64eada5075f57fb055b4d4180b11ad8879d454a482916c46d775602dfb3cb8e6aa8bc0ebeb2983b67811764fd52db293cad

Download Submit
C:\ProgramData\nqQYcwsE\tosYYcMQ.inf

Filesize
4B

MD5
0f0e1d43c454879cbfa0a878378c0b28

SHA1
b506bc3bd6cc68890ed0bc6776a42311bfea4122

SHA256
1b355a8fcce8791828ed28d25ca548bbfa0b91a68817ee92965f74e4a0f65da9

SHA512
74d2c24f3bfd42dfe7946aaa690674aa28769aef6c7a5ff209440815763471de52ef46dd767d3421cefc58b2230dc133f1ab7d688503a22bf24899ab5bffcffe

Download Submit
C:\ProgramData\nqQYcwsE\tosYYcMQ.inf

Filesize
4B

MD5
4840460f754364b2e81472516165b324

SHA1
c645d0959e4182b89f2cfba9dc26f6d223de51ea

SHA256
270f2a46fdbcde096a632ad14f14b0fc174e33a24e139ead5d2805510a196199

SHA512
8b79b2da3e415cd05bf8fa765c9c3a3dd70a15e053d378a13051b8c3808604b9b68b3581ac5305299faf67b3b6b42eb70e8247da9e57d227c2acc350226d2788

Download Submit
C:\ProgramData\nqQYcwsE\tosYYcMQ.inf

Filesize
4B

MD5
3ca690081556ca96dbe218279e1f833e

SHA1
ea04a0d563c943db583039fff619d43a0b53eeb2

SHA256
432493ba4bf460d4723c40709fd2a55066508ed89476c3d262b6515266c45cfa

SHA512
caf7a918281e8d3e5db8fa2fb063f5b6cd4ae4c38128e5287d49932c171faf5f20543945318795942c2acbdef1e5a12be872c71f156f2490fb5dde3f89919579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
200KB

MD5
416a4f3e797ab878d521b3908b8a6284

SHA1
152fb6e3dce8070bdbf60948abfc783f5b5694c8

SHA256
d7a318156846b15df47a2bbee6e17bfe9a12b3e10d85c306ff7b61e8b365fce7

SHA512
f7d1e2c6a99745127c12e023dbbf75e7005a9e0d9c78b56689a35c4c1b564f3dc2d4061177fee9893b6c68fe9e1bd3441859f4117a8e773bc7663d560a59aed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
437KB

MD5
50677ea8a24a4eaaf7d7be33367b83f1

SHA1
f3e40e9624781112658b365e94bf886b3fa6e4e9

SHA256
f0b32c0bd22de4590adf685b72767f2f923df344b7ca9549662c66db6617c630

SHA512
c89e85c9412d36eef922157cb5e3811350e91563e2caf0de3c7ff0a607f27a61c3f0a7f88bfbb0ebe10e54a21359424fd71b021278d7ccef20ff28c98716f71c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
187KB

MD5
a83127d0b2a50d023c9c81943937a57f

SHA1
ab6c19e2bf61d376a6bfbb45c76a2735482fafa0

SHA256
e2e26fe19427b40bd94aa826b480ef1cc601b6a548d86a05a15f9c635c1d36e2

SHA512
d0a3bb2659872359b428524aff2751f69bac9ce1bca5e6618ab60781ff38ab811d2100e6f09dfe92869473115153377607ffeeed0349cb25c1b1736c0da5097b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsQI.exe

Filesize
204KB

MD5
9bf8ea6583cbf103f0dd16ccd1ff182c

SHA1
1ce9d85f457d5fce853388ec91b9c348996de982

SHA256
4e560a32759175ae9ced750a96f4a1dc05b0516528de807f6ba41f9dfa4d2f58

SHA512
5b4f969b4a529b0b7e2ede5eb3a43e432be9fd8d87b9c98fdb054eb6bd7975b4e1f53424f7b7b8df8667e7457a259a1caefee370c1b6c896d4cd4b8f2edc1645

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEYC.exe

Filesize
196KB

MD5
30c34dcc66631b8b250424ab046fb6cb

SHA1
cb59380a0fe56fdd2fefcb7048c4a6eecb4cd163

SHA256
507f08af9f2ca4928564f1d353f6d3cccc8fb258c354e9a789235bdc48463e1a

SHA512
f760f4e7a171e403426753031c638f09ca57c85b9fa84b8d0d5c9470728ced7b8a6947e3367fca288906cea8480d33f27c2f8d5d759be0d0910ba58a70a309bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQg.exe

Filesize
206KB

MD5
aa391657443d49de6be5796d7e4b1301

SHA1
820211aac7d4dca5f6c4e61edcf6d4a1423c6fde

SHA256
de16e27c7de8033b4b2725f6f787eda11a1e7f0f9450bdbd7f00975fe3a5b6a2

SHA512
4c18c3938612de90880e1eb620a94f0d7ccfc981979947c2579251d05bd43c8a831d59853328cf2a56e2bc7aeed5a1016f65d5f39c0161453913cb1de34a4043

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAYG.exe

Filesize
568KB

MD5
3be6dbcc2c6d3331b4f1890bd7a55dba

SHA1
134ecc483f937b8c7f674ff4d393bdd1751ceea1

SHA256
d83af642ee005860af77dac0f020f8ac9d9a5d0f3635dd1c26790ce4bea5b3e2

SHA512
85aca43646c805b7833e7b9b9298f21a9077cf909f2fe0901cde9a582fbbf8d5f063aca550ab0028435704e2d0883f069b5fdf0054b096cb7d1567ba60f4dfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKgkUQwg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgEg.exe

Filesize
189KB

MD5
83c6546e83a9e1afc395276bd67ef159

SHA1
564431e1ebb1f521536fc6504c446754ffbbbadc

SHA256
9daf322a9e09a4a214c4d231365cdb24a2e56209b11f376f7098053d998515da

SHA512
ca163110b086fc0e442e5fb85f4874cd1c4e5aa7fb944b148381e0cf84137062cecd50b55864e458806a4080066e0e5f084997455b3b6392aceda4469552440c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMm.exe

Filesize
199KB

MD5
8e7262558314e39406c66b90a2fcffc5

SHA1
731d2046620bdd54dae0eeed4dd0bb96c807e830

SHA256
d72990419ec52f314fc63824a4b909eacea9e3372414ff1f9033b350087f41a2

SHA512
f39b200fd1cb1674e8d61487b8325b19418aa6b33242c00975e72b792b6adc4aecff9acf1086301eb7ea781b53f2d04faba0ec2a83edcaa487af5aa125eeb30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoQo.exe

Filesize
198KB

MD5
603555c4529646dfcfa1a96decec159a

SHA1
3ac9200edbed3b319a906d6c24bb7c2526eda313

SHA256
48789f5887df1ed7d2844f47c601f990905d44b517d362599722fc73a4594874

SHA512
e56f5c780bfe0564f5f56ce987b530cd619dd5178b3095c343d6cab3c1ca9eb9d70728ddb9f6125b5f8642514adc64b7f452a13f9c965711598ab7c00a89aabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAwm.exe

Filesize
220KB

MD5
275d2f2b9ce97576b2f1091f42862d7b

SHA1
683795057ac52169c77241a14be2249116fbb1e0

SHA256
01f25674934719c67af5a1a7b47f87ac8170b09e1633ef0342f074007d6b0020

SHA512
0fe6d24b5f92b932059a19915873fb2ab49b1230d566389a428d4b1ce3121ede66050fc8881d362fef657c5487dbe2d624a20d7671682c92598248a0ff768e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgQi.exe

Filesize
208KB

MD5
89ff8ef2690853f017efceed24a1efea

SHA1
c13215cdb4c4ecf662376ff791fe6d7d61bedcb0

SHA256
2abe2bf7ac3ea33bf8e70e1d822b5a94ca16d51a0025b587f9e006751c7d6038

SHA512
9d2d0db9b81d6c2ea666bfd1a3da60979d205f5d734d7af1ef72ac62cef220b99d4d709634bef889bc5ac341f7b79a347c6c3b6c9f79c71750bf55d6458e8247

Download Submit
C:\Users\Admin\AppData\Local\Temp\HggY.exe

Filesize
202KB

MD5
27ae41254f67cbcaf95ec4310aea9345

SHA1
a40457231a7e20a284a6565b81738d050979d475

SHA256
dfc255efa7e9b9b513b92d54e92ea5302d91636d92dce4814225e0f41b9c8556

SHA512
6f6721c9af829eab07e5e151edc929647217416adf16100a39a506270d9592c58e1d9cde5c6b6dd55d25b4e065b9ce66dbb7614e925dfb1f34f23bb81359f26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkwW.exe

Filesize
203KB

MD5
87d5e131e4b8e0ff8baa5d2ca7465212

SHA1
a47215cd99b27d2672545a008f65653e5a0e396c

SHA256
7cd017be47df3b3068fb1cf666d499905d0cfa6c971df34975d1201a18a00102

SHA512
07e5433b002793ae13ae1862a7b2d3f687427d395fe17c922f9810fb533c109476d5ddc49470322ae4ca74683c3cd42576682c005a97aa81f1f5d94ff26d2218

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMok.exe

Filesize
201KB

MD5
b773adc2587a34c8f57f38a146b273e8

SHA1
88cb1907e6d4a2222a75ed00995192848e099ab0

SHA256
2280118be25da58f70795a1f72f98f8315534a45f3ccbd3c57a96f2f40b1534e

SHA512
3925eea1c7a20b04ec28a6da4be83e5b8f8f3b8e53551c55c4f99136c81c910234b0d1ef57c0791dae11b287027efaf3084e07587900938cad1e98915ddbaedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoMC.exe

Filesize
200KB

MD5
d58b4d1bb84fc4a3f775a3745df3dca4

SHA1
1d693920dfc0305d9875b66b8ff3635dbdf9e37f

SHA256
675d6f575c3e54a0e8827420511c026e59080ef2028172a2906383c4b92474e5

SHA512
47ba2881f18017f2ab2a48215a069d41aec4584f22305af2aec97b8180736b256ae437b0e85047660c15d5f8d8a32f193e184500a5d1476ac110fc548f531452

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIU.exe

Filesize
200KB

MD5
0a1f3f13ba6578f332922ddbe9426333

SHA1
03c31643dc05463eec531f20808b2a81a79fef47

SHA256
dff69b3825375e2b45de0fc1939751fcc16a92886e2129bf1bf87e3a815b66af

SHA512
d02f6c12212114478ecd659aa7b459d8b5760dc7282eb739e23c9aef1bbef26d0d284bacb83ba33b59f175b67430a8f085e1fbf71adc87e54c5105617bc279a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KckM.exe

Filesize
197KB

MD5
edb9a32e4940889207fe6950e72983f9

SHA1
98d460eae10855fe670bc9cd35d44f6506274a5d

SHA256
03368469a7b2ffbfd33fd8bba18dc420159161b1b19eb0774cf376d3497ee79f

SHA512
4b4181e48c2ae212574b51e9d8f6d266e9f36887704c280b4477e937dc0726615ec506b10bf7c95b37da613f1fd854a92d00ed055140c6c8bf1b1f9c63415fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEEe.exe

Filesize
784KB

MD5
c3e7fb4b0ade3b1b662bb552df69abde

SHA1
510e78c4d016bb5adb94336235d74039b37c0df6

SHA256
c5c2f011be4b2719d1a2757af4bccb66004d5de7fd55d4c8ba83875a62f790e9

SHA512
1619f08df653c4e93a810d873c7312077dd504470a6764cb8c46c76216eca9a159717296f37995901272fa683d4f615367c435db3b1f290e9df77fd4dda9c776

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMkE.exe

Filesize
260KB

MD5
927d2fc43c4cce2ef483711c44a41c02

SHA1
4f4304779102cb4c8303078dd272c1030660d24d

SHA256
d882bef0783c1ef1e0d637d153ba7961da7f618dd22d180678873bb10b80b25a

SHA512
b4eb0067a9227867315af9c746f8d5f72f16b9d231ca4b5c8fc8dfc3f6ef9e2f24bfae58b7aff9bb5e901033d645e6f7041c9a31f57cac8a687d3598e9c5332b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwa.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MskG.exe

Filesize
200KB

MD5
a98ff7e3284a1effe9bf47a8d131c025

SHA1
9fcc0bd5104a8c84fda4a3c991cb629f66ad0f8a

SHA256
85d5009b315ceaaa041f66d8bd996acbb04155af9827a14719b95fee9b0aa4b3

SHA512
526cdf695b830f4f738d2e06a7ecf780560a19756447f3bd8893d6e9cf724067ea0299467b4e4332f2f2d8f98e6f010ea0d68d90ddac34d80842b1ed61c750b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEUK.exe

Filesize
5.9MB

MD5
852fffbb579c723f52e900fa2bc63ee4

SHA1
577398b57e6ca9c71410c291dad60f549aa9c23c

SHA256
8a7556504cc4caa77249a67716f2d54e49474b40045ef06dcef65544bfd57cdc

SHA512
226e5871b943b4f2d226bcedbd52363e1d7b344c9b22f26a83cb73698ac2fa12bd27a73bfb5579276e9cb24d5e1d3602532d1ce1d4dc29392dc3a16a92fc5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcMI.exe

Filesize
334KB

MD5
01f2c22cd8bff9cd36d666bca86a2e65

SHA1
c6a50b27ed0d0750690e414640a5f302f15b100e

SHA256
96c2a0eec25496294a8380d6a2babc066c341050cc6e9f4ea2f4a994e4b696d1

SHA512
43683a2b8e64a2a2de7cd0e961843843823b058954dfdb949320ee6974d3c75927d958ea0bdba50109eec1081812508c41101dada5966fc1794fa03f12a9f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ncky.exe

Filesize
658KB

MD5
c1f30a3596071dfefb4d43333bf29f08

SHA1
286d3d2b0cb7729b3774796872e3c8eeab09ae2e

SHA256
86cbe143b89dfc59a0e5d33288d00f1bb21e1c21b08a321210b7024344a64bf4

SHA512
35f78ea5678cee0db7ef479d09dc688405adfd4efcad428ef12b3e2e55f5f8bfd06d9dc6894ec09923b3dcd4b4c78a1db148139bb3a697de630d0d48f90b8682

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsoC.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwoI.exe

Filesize
188KB

MD5
f632480a9016447b8e89fb33ed541acf

SHA1
a230d68934f18872473328b02249770969432794

SHA256
3d49a4074036a450f7d8e586e71ad24c6dff1bdb70d9e7c964bf7dd23d70ad44

SHA512
f340a108dec45400f2a39fb350529302e8d50e2acf80809bbf9da423855746443411e9750ec4ed5498fa17fe050f7d0437921340a9fa268d643587cb8e00ecbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIos.exe

Filesize
1.8MB

MD5
483b1e3c0831c6f493520b20c4e799ee

SHA1
2695137ab5a44397e8564de8fed6c037dd50febd

SHA256
148498829114c8a5b4244f46828dc93f3bf1661d75fb854a641a3205fd860222

SHA512
2dd7143a04838a3db7a233532154b554d1f1fe806a6a547f0b52035dc9130319db6adccc13b30f0e3316da8a32dcfa1dc5ee5abfb316fc0dd53228dfce0ca2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYYY.exe

Filesize
638KB

MD5
4719b08353afe5e1125b303c6f1eb9ce

SHA1
fded1fe6357267a3ca0a11df409f8b852f885aba

SHA256
ab4fa083208462f5951e0a6190fddb8bcfffc9c82be68b3a778054e2d508a479

SHA512
b53c57773ce265709a388575fe8500ce9b2f2fad97023257e4ed173ae2cc355250255a06e4c0db93a843c208de3cca67ed54b830fcf0e939abe1248e93bb361a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIcG.exe

Filesize
5.9MB

MD5
9fce7105daeab1d0c5754b35e3721381

SHA1
1c53f14e8f26efba9a0b0bb70493c4b305bc20a1

SHA256
82c07498ac32a291d8b360bc3fbdb2b615c8295582db557897f10776d18fe840

SHA512
37ec8d6d2f3cee7ef1ee7b119489bb91192d84b88cfe2304a6818d2d6599c5238a6882943c82b0c119460bd8c6aa6e815b9f60f24a7640b4c3fffb7f66a3ef15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgou.exe

Filesize
633KB

MD5
78543e523df5d18ed443d85bcceeb747

SHA1
45b9061e0974967f490ae0278cf6cf9865f73508

SHA256
4d081a4b8b4419aac6a8dd7902f581b49b37b1f80ea2dd9764eacde698616afb

SHA512
6835119f2d98d4635e97b39946677c84ee3aa2e52d4178db9f5fb6e40526a78e949a1094d00c6e2bcca09addc5c53e69e040296a80985e2c4a4353ad6eb9a19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMMO.exe

Filesize
210KB

MD5
c80652dc992c9385158e16773592cc7a

SHA1
672f758e64c0276d8ad689de8ded440cb718be31

SHA256
6c2f53bbda7dccc34c346cb589bf58aeb76c8696b2ff214ea9020e6e457d7535

SHA512
33abdc14b7786df6bf1ae174e327ed137d1cf8ae88346e82f6257be9a6c301e1cd533ff233c1c2eece7ff6b9be3e9994ac6ff7a3046cc28977dc232e3e830906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQAk.exe

Filesize
733KB

MD5
e81c58335f15d79e47c4ebb0f9d9150c

SHA1
d3f31868ec5cbcb4bf152063b68fc3fb91aa944f

SHA256
a95adca663c0dcc702787611eaf81f4261aa7938d4e45441922042c2c15d5967

SHA512
5b9f56cf5781c034a50ccab6738b3de9a94febd3cd9f8a965da5d6f1f568e01b5a409ecad1091c0d9611d4436ca87fe14691650ff1229f4d6a7d6312cfde9be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rgcu.exe

Filesize
631KB

MD5
dfc7d7991630fa8eb6e4565da52801ac

SHA1
481af606740146beda5af4fa282366a3f5a96a2d

SHA256
6bf9b8d751659aa624bc254ccc4b83cb82c1042137ce40316f31ae9c1add7350

SHA512
edae4ec02b98d92c84657c1081586443acf64140e102a8e2fc3f98f00efaa754b0890dbee9282124ad678dc6f8e509c6c31dbe4dd456124aff034f2752c3e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsQI.exe

Filesize
207KB

MD5
451ad39466f0ef9b72452d02fe8394b3

SHA1
11e65cac0868fc70623e9672caf0f4220e31d8bb

SHA256
dddb498acc1221850eb1d6469e28e9a21a45e1e0c7dd3685b346c092c88890b2

SHA512
03198bf197bc62015b95dd8fa6beff320637fd079ba3e7c4b5ad619a9bdb53c10d473a4906800536f1b83cc2269d68c13db98bc1346b0fd3f88c4662f537dc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scsm.exe

Filesize
201KB

MD5
99616ba731ecd05a4d956cd9e727391d

SHA1
8ac4e07ce9cd41d3ac68b7adfa87a5f817ee703a

SHA256
b6c440d8bb0399b88055ef3eae05c84f206d8637cb5d1518673b79e6f51043b6

SHA512
e221d39c4d60a00afc1ad7f9c98f400124861a8986b1e914311c58c121b56f73c2d9d43d2db16783890f3498c75186b12414a73b595c94139769d2cf27e1c089

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsoI.exe

Filesize
220KB

MD5
5562e2569e34d2fb39aae7f0ed1cb4a0

SHA1
6068b8de687b04a9c7994a3e7f4a39ce559eec65

SHA256
3366aacff069f87521be8744252eb2f463eb3c5d24fba32cd07d9b5ea6dfdc81

SHA512
455fff8622ce16bfcacf7a383db9c392734744075482643d479517f9b7620929f7b74301c4bf5c3e92088cfcf068a8d7933b8a2f02e86e644ed442f6c8129848

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMok.exe

Filesize
324KB

MD5
eda7074efbb6d9d947929d3e7fc2a9cf

SHA1
6c4dad00806a5022e70bf1da0bd27addc7092a1d

SHA256
d94c818a4da7504948fca05e061eee47879f94f2c1e5bd4a33ca0c38da2101b8

SHA512
e444b86320f31f6945dfcbe39573e75835b432bbf57333982333db48b834dc9ff50ea09d7a95bd1c5d6a0ec505daafbef535c781ae4701bb65605d76f31611a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToQs.exe

Filesize
197KB

MD5
e7baa3649e3ec7537d0d8138479f83b4

SHA1
ea1a2940e217b921d979e4a912aef141252c7604

SHA256
5359a5e31f61376ccec7c77cc1d463188402e19b78710021cf239bb3049b18a2

SHA512
28768f89b823073a593bd61f82a024095967ecfd92ef25b76e824d77ed7174bed5bb290e426a11051c58ce66ff3256f89b4c8270a7ed2c761ed100bcf2a086d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoom.exe

Filesize
208KB

MD5
e50eaa0e0169b0f834bb87ee409060af

SHA1
41c7422660af479bf6721e34d2b3dd86d53f8bf3

SHA256
c5a4cfd5cf339bc6ac703cb149de63161c0594b25f27f9c5ce4b70aca8d87f57

SHA512
8c7ce82cf80543c4dc8e4370ca6e9d20d83b0dcd40f54223780853e8d521f98b8626ff3d0f1a88d3644c47829da9fb8a9c0fea0f325a44aebbe51bcff27a98f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIkI.exe

Filesize
770KB

MD5
8060ffa74175c316d925898837624eac

SHA1
8a27a3f87f6153bf288875545b464f3104d09981

SHA256
d728ad84db03407d0358bf6e9196d01b72189e8aa6d03fd3e7fd4c42647bcb09

SHA512
d3540566aea07fc09c5250b93b3955191c3671394f8c13c73141d156e73a29bbcb7558b6dea9593828a0eefc5e8fd5736a4ea4a5e46ea6dfd27082a594b70b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYMk.exe

Filesize
195KB

MD5
206094b5129ba1a545baeb3a46a412fd

SHA1
a701f3bbddc4d5c8e23802099a159fed728925a2

SHA256
e09799e3046324c75efc3f0dd2c55eea3629874128e3fac7055302253fb007cd

SHA512
d068b205012868acf24737fd944c175442cb76b01337086df1b943eef3dd3b927ebe066ff6ef9b0b77edc4222b711c517c91b42b46197e9d46c1e6107e31dd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYwo.exe

Filesize
215KB

MD5
f2e788a88d67b900a39c63274d24789e

SHA1
5df446f00324aea45b881a0de16c35bbe132464e

SHA256
e1e20356d0d4dd9423a9bc1550791b352999a943473ea5319df4812e620f9128

SHA512
cb4d8ce1123b4c434277f84b089848403163d590090c613fddcf728b7118348dd736fc9e80af76483212a34449365c582a3d32a8791c2a5821a0e217b793a32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgsA.exe

Filesize
181KB

MD5
f2f94a25de85ba5af5f09d2f5fb45dee

SHA1
f9affd6e3fb19c17ad192c9381a22bf1af8921f7

SHA256
b11c631056a393885b7983c544a2cc1ca141cea71226b5193b3c496c6ab19d28

SHA512
2a619e922caf6c0dd1c9d9f3be69378d258b173a1e43cafa5cd9ccde8feaf32132e6574f59410324abfe407d830f1e1da8e04f602323f71a9e03bda7a3afa9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwsY.exe

Filesize
1.3MB

MD5
74b0739892c91cb93f312eacff086237

SHA1
6f2fb5be5741a363ac1b7254a912499f370bd2c2

SHA256
7b4a5b12628e4bac3fd45a01ca97a0755dfdf77387a9acde456e16627cf88a34

SHA512
e2a5cf8004ec4b74bd42c66438302d3f060ee8a2fcf516031553b91a55dfdd80893eb17675a812730f8ed84327ab561853f6b24b61eb2d837abe85ea3acd98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIII.exe

Filesize
201KB

MD5
bfbf78802c1784cc3dd7203494f37839

SHA1
9b6521dc6e10d751362fbf4a1a5d80f1c92dd1c0

SHA256
8c073355548a01c092c835d2b1cedae48d42f7a8775fb3d0bc32191707e0c30d

SHA512
a204e872b6bbf4694f7d9faff3ab59dddab4036d71a73de97a9d2d0a57cd5bd713b5a5c7f75c4c3a38b2ff8142e473bcddff020c847c0e0dfa49593548528fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIMQ.exe

Filesize
215KB

MD5
38fb00d466770763bfe966dc322cfc5e

SHA1
035d5f4dcf1d11d1f5e8109cd7525c7a8d02049d

SHA256
7694c27f98c4fab0af03198a4868cfb71e96d0cfdec97f5c0507be24b831c9c6

SHA512
a954797db8d6588462102ce23f50dc087035b8871f45f610181203a4da3a4ecf758344f46e231370e6fb2b6517d94dffa110d5cac49a5ee759bc489462fc6590

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsME.exe

Filesize
651KB

MD5
ee2c85d3384bad96f168c59516e4115a

SHA1
d9baf0d20fc0ced9385ee7606f31f518da61dc1f

SHA256
ab33b81fc377f82dd94d7faa713e41bb4b0b7764562250ed6ce5e7e8023fd3d2

SHA512
1f4335a33d316d217aa9ccf1be5bc8814d81b9e84dd87e0421c55e63d091992d971a79c97afc9e0e410a7b91c05aea58c2891c673f32a7e4b32674646d808812

Download Submit
C:\Users\Admin\AppData\Local\Temp\XskK.exe

Filesize
206KB

MD5
a4720be466deb33f714defe62da16cbb

SHA1
0dad53eca45ff6e5e0bd75741644057801a3bac9

SHA256
b752a3ba8d34e636dd53b05b3742acfec29b29bb2abc3367b0e8f6c84993f13c

SHA512
cb0a1710ba7ec4af6c3645d9a3bcec4efecdb8e328a3c0f0fba6f9c9a4ff7874a49a8b84080d5ab76e5daa4a9289736f243968626a9ee9b533dcc2f64e8b33ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yokw.exe

Filesize
205KB

MD5
42c239d3f96cc5f04db5b38e9f071e9d

SHA1
211f2e90785819987fd0beb991b03e98350d771c

SHA256
48e338c282eac504257a288920caa35752e4529036724e1ed9db584b370943ee

SHA512
68b88a8a3b4876078d9ec50c0b7adee42385f49886613b39e587b1aed3017866e79506557ea010e17f4518cee00f459b095041487e77a7b2fcd34b36fd388fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMgy.exe

Filesize
192KB

MD5
4a3e205e80cd06ebebd8a57e16a98a3b

SHA1
100504b4a159acf90f68140f79a09f84eb2c2e76

SHA256
3d697fa726f2745915b6927a9fa69dfe70315d16073a76e55fe1bfd57cd807ae

SHA512
51416deb19246af3f91d996d8525944af3ea401302f0a3cf6613daa1b64f1f36293815fb5f259fe0758d66c480b8f5a8cb8c290d80e8fb4aa672f781facaca4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQwA.exe

Filesize
206KB

MD5
830aa891c1501754c883e611fd9efd04

SHA1
da5ccee409105c24d5b4510d513bcbbbd1734aff

SHA256
daaba5f0adfbc49fb09deae2bba9134373a918a74e4131a29ca2466fbb8607b6

SHA512
a32209c34d9cc83bdcded2b7d8161c1b01021ec0331a8c6d12519d0cfa82e3532c4714f4f440baf069520dd616721d1874696ae33019543f3790400c874a9ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgG.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwa.exe

Filesize
198KB

MD5
6e8db895390ca39a9f9a0c0e389f4ff5

SHA1
a7ca58508868325ad336ad9eaf81bc5f89bbc177

SHA256
c04ea6f465525d214a6d9102a0e8f4b382d608f2702520720e8c57d9988e2022

SHA512
2a136742ea79e8e9d8c5d9cf29183e839321984537f4438b9d7b4f84e91c7ca0b3c7a3a3eb10b72198721da6ef624fcf1fea36a293b810abdb98aaa43a08f997

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQa.exe

Filesize
204KB

MD5
ed0ca8a572911271e21fe4c042fdb97e

SHA1
398e3cae1c790a49e8b10573a3194eb686624cc6

SHA256
57e8f7e14eef1dc446e4b85bc097c67d75178397c786d128e5ae247227cf2c44

SHA512
6772cc423fc694dfcf66adfdaee55630ec9e386ac078bceb3427ead0e83c55df36a1d55cb330e3757e0a9d915c2a2438a1c28c8a621604bb40b5a3d36a22c03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMIK.exe

Filesize
204KB

MD5
57921151aada3f89aaf43b611368a34e

SHA1
cc10cd905457571f17aef0923edf2ad80ef91365

SHA256
e6d7733265e68774ecfb46306b40848d2078c7fcc2dc661251d07317576066ea

SHA512
4e12a406046f56206d81b8863cfc2c10474f7067d3f1a6a4e042359d9a2829660fa8c2122fa41b74d2ac8820087db8304852a03527411bd43a1762fa426e495c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsEc.exe

Filesize
219KB

MD5
ba56fc27bbfeb6be090ad2d16a3ece14

SHA1
e3e7392ed3e08df84aea5a407af6ee4d1bbfab7a

SHA256
9a5f724f171f1dd765913e84cb666111317a55c00d418a71a8e05d482c76f311

SHA512
24729a465bf9679678b8ea855d592e94fd280ba6842b888949a4de7499b15be1123bad3c31d44c576b59a70c63857278bb76295a1a760d72810bcf970f6f8120

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAou.exe

Filesize
196KB

MD5
ae165f6a689303fe1d956235e15ae11e

SHA1
44595c1de3f09e90b089972ae689bae063db815c

SHA256
338ab5d4fabcc098fdcede6f94ad9a2f87d12ad92b8421639705c400d755454f

SHA512
6ff296b52585a2a4cfc87e198c9ce6bdea762f9f3332cb584006bf7a88e7b2d7d800a395734285f4e833820dfdaeb985d2a55e3d1e3752d3d003c2c2d5da35bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMo.exe

Filesize
201KB

MD5
368cd52a729e422445995b68913b26a5

SHA1
fdf11e1d9e45355be92bac58aa3b9c2ad8f50f45

SHA256
bba53cdc9df8d68fc0c067ec269b6bf2a86212c2080fbb55a20da34fb0de215e

SHA512
9ae32f37b0c2482c2907d58df14a81d8868e41883184bce93b3cb92e84105b9b17dba5ae85168b6be9189e4e6ab21bee141d8ac680d11233da593b5b49071d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUkC.exe

Filesize
188KB

MD5
7f63a842956e6823bfd5373c213f5c92

SHA1
2486e0410d80c50216af1f3bd511d696614818df

SHA256
7e5202ec0b8fea7fb316b217f5118304efc57873e3ae0fcf6b051c8c05aabc6b

SHA512
c4a5811e870f463acf18eee084f5b18f4ade842752c48809e3b911da73b1aac9aea738888f138956350ff2244ca21b28da8664da65cb34cf3aae20089c6a07ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIIS.exe

Filesize
228KB

MD5
ee69e210e8c52a8618be9bc12bb27bc2

SHA1
4f1dbc8ba5ccb79e74253d70c00e56a4f3a111e7

SHA256
875682107faf1f7cd28a9d1ba0ca234bd34837f9b17f1af033eed227c9f73e1f

SHA512
4fe480b0f3c70fcfd033efe34162a0313070895ef519b617028d5eadef3cb4d92587a2f4b4565f1e243acaff0d62acb2dbfda07985f02168d69eb3ad4b9de055

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsE.exe

Filesize
193KB

MD5
f2cb54f4ecba92f0386d99581cb2d95a

SHA1
5e2ecf20dd28c7471cbfdb4122fba112594cb8fe

SHA256
b0a4898db5fcb79e71424d71219ea368820d534fc1cf6a2f0334a82e2af90d51

SHA512
af9d3057b6d6e37d32ab1cc0d0def85344a2a23f44b9a3f14ba28655e114e172f6a3a954d280ade1e441ab267718f9640c33d2bab883695630877ab859391306

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAYa.exe

Filesize
829KB

MD5
1b28e4023d97336ef748c2788596d94e

SHA1
255ec82b78e4a3ccb2261e550b47205a54e1c4ce

SHA256
e757eca3682d8f5e900efb1ef2e352375b1a248b316ffa4e3b770df789596df3

SHA512
b954772678426fdcaf47d5c9a448296f1f63cc89baa2204f45c182f7d369b6d262e4604a19e47b1553f99a63c980a83b582a293dbb348846c76fea71b60984ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEEW.exe

Filesize
508KB

MD5
fbe9954e51956a7d42b10724c89e82f3

SHA1
2f70136b48dce09b11596802c24845a9835e3520

SHA256
0bc30fa912723e6a3b2eee1b79e73375a340693ce3f576110f5a84fcdb534708

SHA512
38552603be4f81e240c462a13a437c723aa4d022fa5b92ea656e165d2204b686e1857ef2f610fb6cb9aa59077851abbebf2fae6fa85b58144d6aba039f1aa002

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAMm.exe

Filesize
239KB

MD5
5e1b13ab605ee329693987f6a79fe9f2

SHA1
6f6c1e98182faea2f4750dd7b5dbb6e6220cde0c

SHA256
6ecfc5012eda9909c9756653a1b29414ce3d5995b6d2ad77011c2af9c9f301f0

SHA512
26dc91517e9cb0825fb5fe3342e715447262addc41adc0e8ab58661c99da0016d3dd36e6eca11df9d026827679f0d9a09f9b713e801fb75e2f86de2769861eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwG.exe

Filesize
189KB

MD5
0b990f958d807918223d9aed70264360

SHA1
74c368341f31e00d4344b50a2902fc290b684ac6

SHA256
7f8ef65e7956c24763af4e0281c2a278b129530f0b8d08df2df75aaebff5bb50

SHA512
d896a5087f11f6a3ebbb6af23f8e84be34d59dcbd97467dce79a830553ada2426d5d1243f8bcb88407d9d1be8a8bb41b0499aa722a7a3a7f2851678c14e94418

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAcc.exe

Filesize
198KB

MD5
8bf984180206657831aa5747586526c3

SHA1
788573264c923d11d7419114ac043246d902af28

SHA256
aa30ae1d19241d2aa8e5a80a99f913af44569cc6422c19bcb8c0cde6e3364b5b

SHA512
f0da857c49b1e57059db124462bfd73fa263f5db9802a073ff79922dddf8cfc3baec6fad4575b363478dfa09568d5b7954479255bd63fcad46c98582d3b64131

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEgK.exe

Filesize
201KB

MD5
7feab42926fcf8d4729c9fafadd4bfb4

SHA1
66e7781f2583d691123a39d54f00f3506fa71890

SHA256
eb7c687acea52aa9b0edcb0c77705b3b5a88fdfd65ef0606bd573443fbcb0e56

SHA512
325bad06c6f74325c51026aa3630df9cf4a165191b2d231e9261dc622655588533c60258be692081e9891689bfd243f1cfafadcf705fa782da59658db26a9842

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQom.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAQO.exe

Filesize
188KB

MD5
51131e541344a4e3b2cb31449c9b54dc

SHA1
1cdb7ba0bd9521e312b2adf9a0445a77a0880c29

SHA256
1dba86662628cad21aab63a2d741dfd0a8987f80049d68e39becf2dd09eaa56e

SHA512
a79f11977a3feee31fb6a556e15b0716af52b11caedad5a896b21b37c143b6dfb2f97b245d9a7c3f3a85702a5c39cf425a373c9bf523eca93ecc6f1230d9da73

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAkw.exe

Filesize
182KB

MD5
25d6881e355665fcdac8c34362fc3932

SHA1
f0040bdbd40b1ac89a6632428b756424e844d2f2

SHA256
992f8d7dda573d1ad607cd8892418324513bf581c3cc8df45f320a21d2592ffa

SHA512
b999a2aed81047564e9053ae0a923f4b901df10b7197a03581c099d54213ba00da8cd96212c561b4036db863862419ac3119218a945883de6f2c832d78d8c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEMU.exe

Filesize
182KB

MD5
bcdfafd0e59fceb30e995f4b1fefd6d6

SHA1
3979f0fa90c2d10c4c4eff8af48444f765b9b924

SHA256
d2678b9d40e1045f34c984d018f265bac03a1c148181377c46467cdf8d6b7169

SHA512
17cacb4219c932b16091e1a215d2e3b6033d1ba1e2835c353e61e9c1dd6560f32d5b61c753c6850bf30f508f57b797062b8bbff708c6fd6654f4e7b415b1aed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwc.exe

Filesize
188KB

MD5
d0f35d61bb9acaf6a5a7ee5d2be83da4

SHA1
49f1c4876a094afa8a229e3f6c5d5bab28ab7515

SHA256
7221ff083c07d492eebf684805ab5a5e35785e27b5de5da91f34b76cbe5a202e

SHA512
b0c647cabc31288d4566e5ac8415a0657238b83ab1b1a066306870fba390979c1480db5fcc5c420c481de6d49b230f66acc0242966cdef714cd9dcf064c7ff51

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwYa.exe

Filesize
5.2MB

MD5
337e3db215f48de825e2fce87c9114b1

SHA1
0fa23781f70aad35eeea06f6683e23e3a1b8461a

SHA256
07414095eafc024c3356b89945fda4e3e78e0e003034110c14d7b4c2bbce6dd4

SHA512
d5419d0c3261962cfa97aa4116b7fec2966e106eaea60ca385106d435d6cd1c0be287adbfb779cd9ca0f7b126a3a464452335bffec47492bc13b8d8754dba155

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccS.exe

Filesize
496KB

MD5
195e96f74f4336be8cb3298d6ba81e58

SHA1
1a9c18f4a70a018f0453b9969f061e7ae127d36c

SHA256
1e3a7f167bc9c2f08d353b7bffecfd5674e79dd4d5a0371caa59defabfc32d20

SHA512
43c20526bb11ecc87ddd592db539f6b50c1e61fd5b2a8dcf2daf0dd90acb1e0691e1cfdf2efe6ba85c1697bcb2e30738131e75ce550c36a68637a2ab987964f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQYU.exe

Filesize
188KB

MD5
5afaa93fac6d04689c1aea437eab9df8

SHA1
62283c22e52f24f254edd35ee7ed757e137dde78

SHA256
d95a6462fb03e1d435cccc413f8fb7d58fb491a53e259fb2f8947b358765aebd

SHA512
4aef729bd6ede35bd4c4bcd34797f2ce768e2a309b870ff06ab4f5b9075d215e671749efb529d9d94e56f899796048ca17acb6081abd556d35b22f10ac2a81de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncIS.exe

Filesize
188KB

MD5
ef80e1e246c2620fface23cdca50cdff

SHA1
a5d75486dc4a2d059360d2825b2c6de0d47d69cf

SHA256
ed71d7a70e001d441ec8574e6929ab13079e5013bad508214085322f3f50ec74

SHA512
4bb647e56c3b55cd43d92f7b452030c4ba12aae4df948e803a0acf80d002bd314f5fc824b2f3c6bc8af374240535ea56b90a092efefc8351bbb432f0a81a2b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAa.exe

Filesize
203KB

MD5
855d9ad6d9dffa9c8958f041757154ed

SHA1
11380dd52cc7b04fab8dc60ef7802e9a2440ddd1

SHA256
b51fc227c9891b9b356fc97c671d748af04471b75c3d6dce7cc47bf58fbd93fe

SHA512
2be1e24320d6515e7c88aebe7f9e2fa9cb10f27531ea3b8637037b68ada7e30867a02ea3c83874b7b9043d908cc615c14060ecae84eb03a32b264b9a648d0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogkO.exe

Filesize
201KB

MD5
04f48c69225c96c15c8df29d3f40ff18

SHA1
4c0d24a35b6094592355e780b8316e8854a05b3d

SHA256
632c639488fe47e694513c7c33b53b9cf47bff87e50b23da22f0171ec3fe15d6

SHA512
d499ac0c4429da84b4a6163c71dffe42ff0c9ffdcb524b41a269e31156d710aac0ca66f61cbccccae03a14708446e0f31b919ee9e32519867b7c15a7e6c41989

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsq.exe

Filesize
512KB

MD5
c01fa94364fdfeb2e14769d2b9a44fb0

SHA1
1f9e1cf32a651aa6ba3c8543523d445023b98c2f

SHA256
b3acd8746ea5c38d33da571ecae404d09ab7c47408a94e35e65e993466a8e282

SHA512
37345e6598b17830752427c8370403f3588cd967a87a663c8581476b5b1f6834fbd2a3c261f56fa08a5c5bbd6c9c02c78b47d0517a0e7a9112da6f078a269b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIAe.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQs.exe

Filesize
790KB

MD5
56ac33aab81539693135ae630c2e3361

SHA1
30d1453d7573aa72203d2f3f96b27ae60a5bb6c4

SHA256
c34a8ddc2c2a4371c565ffff5eff06e805b42ce6a05214d21b8bae16a7aff335

SHA512
d34e6681857feb3f5ebdd8917e37922e38cb4ec374ae1f95d7c6bd755b6f99056985f8a74eacff18119dea1b6ca798bd6774789ebfe0d293ed02a58435654c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUcW.exe

Filesize
448KB

MD5
580f490d75264146258e735919b11840

SHA1
f60e11057afe883cf3f0ca5b48ff14872d405d3d

SHA256
3da1a668e600fafd15b8adf208bfb10c3dafc65d47f94bc998254c8d819aff27

SHA512
58c562b22f1d0cf2144febbfb76f17adcde5d5081d3cedc8a67d1dc9fe1adc21c3c34a73cd556e1ea07c1f24f294fb2a13a7f497f229ed6cdc3cd63725d9bde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEu.exe

Filesize
200KB

MD5
72b1ea56bca1e0e5232c94b098c6044b

SHA1
97d1d0aecf94cd69cfd94bc716904a74459dc240

SHA256
5f9aa091351ee50b90365c0e095b68d96b5e80a699f5650eb49b147b8f241101

SHA512
ed037b2f3a95fdeebf7110c94a8b29d2076016b34170d49061c7c2d65826bccd1977806b939b6b4c33b4e0527e4083ed4b151c8d7cfc6ff18eaeef1dbbf3eb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwgU.exe

Filesize
221KB

MD5
bf02d0c38e6285bfc55407a8f3d298d5

SHA1
b724822c2164d3fa689541c1b01006f8030959e6

SHA256
5f10af1dd6e5cf0a746c0f9b4887753c25098c431b5b884a38784a9fdb58d6cf

SHA512
27aa6029e3874278ce4d3849d9dfdf4eeb5942c342cecf8e915a7dd5262948ff06bb532731954cf96ffc028891772e09dcb060b3b3af3666115e009c55b09729

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwk.exe

Filesize
195KB

MD5
72c5900d023b6e5cbb92c06715a4a8e0

SHA1
c7a98ad0d8f4d3f6afe3acacac172cf2d28f1447

SHA256
b815f6cd4479dd020a3cf64c03c9406d8fdb81c51b6184fd6d24e0d1f86dfa17

SHA512
f804d49e5a763d3878689978b756fa4259cd8d97cfccf170128fcccdd03ffe0dfcc62e1860f57c738a7f9cd89f0782086c99ee9bd892195a1aedc500a0f4bd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEQ.exe

Filesize
327KB

MD5
783fa464a46a8a752bb33f1f77849f79

SHA1
30c9f86621299214dadee91f2bd022e20c72ac4a

SHA256
bfe5da40b5ddf203bb71c885823c9dbf1097378ffe51808b774aa5a99606238c

SHA512
bbb956482d07d663d9d50e114bd766f6ad761941def1c75d962b6a30609aa2b05e2d8e99fc529cc08a296f4252b161c4c09a27804ec9eab917404669b04a60a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMwc.exe

Filesize
205KB

MD5
b397863b93ff7c94f4d55ab4c5a8f463

SHA1
0bdf0fd57f353ea40c121c33e5aaee9ce44e7607

SHA256
175a51e83c95d10b503de95085a66379048bd2a5bb4395fee5428edf6b842d9d

SHA512
f7f94c79408972370349e169253b22b6bd42a371bf9fa35c71ee1e2a389ef58be6ce65a5252b66ca77a77285cd16ffcf277c23202dfe07e57bba6f2b27016037

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgEo.exe

Filesize
5.9MB

MD5
6919ed2f98e89de6251dbd2e23533f1c

SHA1
27bc45ccba0893d272d106c7401cbf71db974c63

SHA256
5152497d79731c09468f6c7cb2666b176c527a0b01ee0688412f419bade3edfa

SHA512
f11f34a17fc4b7509b7ab2038b89f12e051c3c6abe6773b6eafef346f976faabc17d1934487c20456e93ad6c287607fbbdd08cabe5b64fa9e84f17ba3dbc80bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwcU.exe

Filesize
5.2MB

MD5
8fafff3f9babe994999a0abc59c973d5

SHA1
e28f5709de8ec8636a35ef7fff17a08540dbcfd8

SHA256
4fc367c491953240e14a26114733d21a8be9b12f00830a98e0e5bc0591bb1776

SHA512
7a5e2303d14d2f8cf4c34e11f6318f4107d863ae76abdcf575a9ce6b880964ac4ce55127eed994e66bdbe272534dfafa2cc274baa003de0f6f0759f325e4b40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUoq.exe

Filesize
198KB

MD5
3afafaaf21a6f5a228237a4bfebad803

SHA1
4c198d6fb41793d086a533a892a7c09dd9cc8015

SHA256
824f84cea8c4411a6b1938a037645b93cdedcfa94a63d91a8e2a7c819c1ccec7

SHA512
3a8cbf2e806cf956d2395e4c611768374b5cd95299369532c330141c14586fc467dfb8a47712b6d7de43bcc48f4374849cb3e623b0c3f3f157448ad532a537e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkEA.exe

Filesize
190KB

MD5
911a79a6394a35b51f19fbfcabb6ef27

SHA1
44a64c2ccdb7bf2afd2689872ca9f647f4cb0fe6

SHA256
9634cede87822df2c1b07bf91f85c698e8e83472363699af1c5b2f9291378e9c

SHA512
ae1ea3ba0563674f131349c51eba839b944afdecc5df5a10f916a8eee65a135f5c5f0c5465d00053a1b2bef69d5619b05e6dd430eaf39ef81d32ff262ad090ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsIW.exe

Filesize
5.6MB

MD5
97a4384f9f96fadc510d68d2d8d23079

SHA1
e0c4291198d2520166530b1c1f7a8836d6749589

SHA256
068fc75b4aa34c3611b4f8f455f270a572d99297cfea76f4d5ff2c2785a18a59

SHA512
b9e8589a466ddeb60e7786fe62bdaef08b20986bcee1a0c12f7253d06a2b80e3ce247c16d8f959db864c41df143ded12d5255d8a827738376c04d1fdc76c9f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEsk.exe

Filesize
813KB

MD5
0fe1dad2fe5e33c1786c5fa3d333c8ec

SHA1
afd1997c12a7e1607a436f32d7380943fb149c73

SHA256
290b89e02324c26998ab5d50d21b56a6f582d2f6f1b851a5b83ca63ef0264433

SHA512
4b558b2e0d921196bf882dbf7b0d779aaea19ca8c748aac47bda1a6ab1b2d2556e2f98f953942fbb5437fb6d78e21a5cb5567d5a256939bccd7613cf1fcb2c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAC.exe

Filesize
5.9MB

MD5
4cd1a2b27ac2739786b11e353c9516b9

SHA1
a1f50df4154d57adee4480ce86c65ab9336d861b

SHA256
89aee6e5357041939d1d886be991632ffd50d59516dfbc3b11365ec8e54b1198

SHA512
86a7d485459c072dec686c23263c1dcd80c389788885c5f07ffb1edd207d294a7dc69091ed1c2cf3c850dd7a6a432e7d10ce674cc48fba4142629cace765ea88

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAu.exe

Filesize
203KB

MD5
94ba99e25af8363770141cd3d7a55a47

SHA1
456da9f44539e9fcc2c4e3132dbfc76f9a97bc31

SHA256
3304377d3b58188bb792172e49ea9e044edc504c873dbc7dc240955492f7d8dc

SHA512
4894fcd842f8f5e106213efa52ea71cb2771a3bffc7407dfb65f8b5d50ae5e586af97be12a4c165e8d53cb588d7072b29e5e02e20d31465921123c8cc0fdbb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wosE.exe

Filesize
197KB

MD5
cb76b31cac21cefe6602fac1555764af

SHA1
246917dce89eb2b4d3f3a33013225b0edca994eb

SHA256
80244f1a66a22e4c30ece4df41c50feaa1da38633391bfc8a7d8da07b31093b0

SHA512
64128dd1e08e7d9d3221683639468e934103366e7242ecc02e629727949b4a8f2013672f2b745923b69142f400612a3367a7f223d372ea97cd71ec1412879bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwso.exe

Filesize
185KB

MD5
3df0485b46142f436c8e6bab0b4171c9

SHA1
d069d96d04cad7874d15c2a7d8b5efd7a11f1de9

SHA256
e167819d23210718cf98032afef52fec6e487473429d5fc0092a5c70ed368382

SHA512
1c91a2fc945de1527221d2348299cd0f65f652d0c4922c05e6669b560289d96880fdba718eb5e369b82097da1a0f0432cd0c1e8dcababca8079e1b74180ade3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIMG.exe

Filesize
821KB

MD5
e0404be564226de3cc913b28a4874844

SHA1
1fa39302f487f35c5e441062817c6630f911bf44

SHA256
298d10354d5eb328d1412369e185c5cd716a62186ed10c0fa73cbe6498f2ad9e

SHA512
cc0da4140f02857a71eda54f6a034b9dc70af6c37dccb76abd77e7944eaffe3e27b23e67318f3169bb2d09b43ab41c39048b712584fcc7c37c2526734d268229

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQwQ.exe

Filesize
1.5MB

MD5
61d3ddcedf31ed88ef2f18c9d9d63c9c

SHA1
bc949201795eb685cc17bc22fff8706975e0e7ce

SHA256
61a798d65c81a4cd68da5ebd32ae5583a59025735f2c506266ed8753233e00ff

SHA512
44d15e78de5dfdc299f55816c1363c8de00cda37088afc07ede33a481be23b8acce004b324cbe9d8aa70c6bf6bf76c4284ca07f2832afde1ff5c30a6ef0bbbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygYi.exe

Filesize
1000KB

MD5
226f3a51c0ae6448e28af5642fabbe39

SHA1
c7885c8867610795a520e15ee52cbe45772e6454

SHA256
47de9239d5fabff9904f87acb8a17efb0907fbff268972221751a4c37da5f3ec

SHA512
87a6dbe228109c26b00da78833667750879b73c5fb49bc07b413201fd4b3b73d55188d65eb591bbb581c0b0cd92a4846899c5275b7770589923c461ab4e9346e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEsU.exe

Filesize
187KB

MD5
b4bf9f16b70bea7ab13e7d39f175d170

SHA1
37bce73122826b56c791877884240f81fca158ff

SHA256
49f4e0c0cf15118afc2d820fcf155e5b0e02704338a5201f8db2bf61a0b7c285

SHA512
5fd57c52e929c3e1013676d036253f08a018d02b84a13892f52e623c83d5552ac8d1d9575fb51c6f60fe2bc53a00af5d96f0ddae13c4cf09c698e1017a152107

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUgI.exe

Filesize
5.9MB

MD5
f4af031b057d790953b5a65a4875b258

SHA1
1ef01ecb82ad0aba18b254e3d5c3d261323cd2fe

SHA256
82f48765e70bfd0e3d44f44e5608dbd2109816447e010ab82c1bfd2f48a84f92

SHA512
62a6f3597386784e2457c2b118a088be6dae6c8d2ee4f1ffe39d20505154636c84714b339a699a5fde88c0d7196a156d26e6050504cfafdb4fb308c0f8cebf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoYq.exe

Filesize
199KB

MD5
b5ef049d6b35f9ca7e6046b0e610db3b

SHA1
5c4b5311a10760a8129f8dba7bf00c2e6229daa8

SHA256
ca75dc96c9bd15c8d86e6fe372b19336309f04390ff59299c1269f388f0eac12

SHA512
2f5cd6214711c376dfb13181f6f3fb7d0efa824d532fed76b31eb440aba8e750e51362fae369315950d2e719e8a9990f9b18d3ed2b604719ed5c6d0428048957

Download Submit
C:\Users\Admin\Downloads\ResizeDeny.mp3.exe

Filesize
877KB

MD5
839f91f1555c3a2d12ea25b416f14b44

SHA1
a511eabdc836f9f5207e1b47ee87a99291fd2089

SHA256
923356933035fd3e06b07c91455cfd01506136b9945e34b7aba326d37ad9b7dc

SHA512
a644610240f998650334694daecf8dd51d6e3fbdde9e9449fbdcc10b3fd0abb2ee33f3f5e3d9b385bc6ad7b63efe6b339775eb2d6d99927b32abd32f83a86147

Download Submit
C:\Users\Admin\Downloads\WriteRead.wma.exe

Filesize
585KB

MD5
1b5c2b5fc871cf7083649f6e02bc7a71

SHA1
52525f48eb84ac3f1c400f70efcf501231addb14

SHA256
abbd12de4db92ff252fc69651fb3a1baccd94bc948818eaec44d03a9ce9f62ea

SHA512
df702a29bafccf3a0456bc025d58b39ee1283dd4f49294740a4a929debb7a2323201c397c1c35fd67c2802083d8933e91f5ebb2ea3e72a859881b8e1bdfab747

Download Submit
C:\Users\Admin\Music\UpdatePush.bmp.exe

Filesize
572KB

MD5
36bb1467b39d59e2ec8627b648a8c606

SHA1
1fcd5fa3ecc3ad50116688f18501afc9c3ebf7be

SHA256
c88207291762797a7c1da4b1479572fa71070c9faf8141acfb1069f1d91cb93d

SHA512
43eef0a47d5eb982709dbcf5eb2023974bc15efbf8f66814e1f41f610fd5e9105ad5b3e9786744b48224ca0d71dc6e64736b3e15983ccb6789ab58aa46df5efc

Download Submit
C:\Users\Admin\Pictures\DisableFind.gif.exe

Filesize
776KB

MD5
15d04765a94a99231af6c0ecc11341e2

SHA1
6d37d4d8d1d4359a6290e250e995b1aec0520097

SHA256
c3bee5b5f4d2e5687eb10cfe715dcec69faeca068be8634162cab272486aa351

SHA512
b56240c89fdace41cd6739f391163bda096673e87a838ca1b1e4b87e983fb764f0039e181a77f260559802f33063d6b9c79243b7cb32ee58f8aa87a9cbdfb86c

Download Submit
C:\Users\Admin\Pictures\InvokeRestart.jpg.exe

Filesize
769KB

MD5
e3d8d0eb88ace48c89d1c6b312fe72a8

SHA1
a5f357cea7dfe61d93b75873f8817fe460782e5f

SHA256
56b0e26758bbeacb34bdf53796cc8d9e30512d8a4bd348257c57429009871149

SHA512
621cb3b8f39cf86020cb5b126eb153ca78f8cae4ca905f61373c3b327ca6b4d43c7cdaa5516cf13a6d423a3ec4dfbdb7f3f9604ddeda3a671b8f280f20079047

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
208KB

MD5
489f6d5d6aaf14ddc8af3df7a67d0fc6

SHA1
bc7944a78372499b846cf97da9ca91698441d9a4

SHA256
5bf05f4743aefdf3f1bf81128d45756ea8087186ed667139eccf6ccbab33540b

SHA512
6b214491cafb54eb2fb1f3994765f0a75bf05dcb779d8747b3d4531df635ff7f83d449c2404824e665fd2d00836c356f9dc48b3bfc48624855e05e6548b30251

Download Submit
C:\Users\Admin\Pictures\UnblockSearch.png.exe

Filesize
1.1MB

MD5
d964da9747c3353a7398d62d9b2dd9aa

SHA1
6f91b4496bdc23471efb564c89b730709ab39728

SHA256
63ad01c442fc412d82d1290d1a76ef21efb76c01f3c0878f553f7643b71b6b0a

SHA512
c518c548dc89376addc850608229a238c2c56e232fdc69032d7141b3f69f66dd7a799bf6640cf01f8f6c6d8ed78dae95fe00cc4b17e5401ae73813d431673ce9

Download Submit
C:\Users\Admin\Pictures\UninstallSelect.bmp.exe

Filesize
864KB

MD5
f643510d6dca54108be55a26ec73ae60

SHA1
87ebcd63cb7707e07ec86c9cfc7e54815b736c0f

SHA256
91575d9361de4f76f83a9e77710bff350aa761d3b7be30e7d49e0e8ca458848a

SHA512
3fea084aad5df3476af45454fa552bd4cc4cbbb24e5240b98459240bb83dad375623811c452f7ed74bf30f783a861137e92b64edc91605bfd8e91b7adf011799

Download Submit
C:\Users\Admin\WOIgwcQY\lGEQYoco.exe

Filesize
181KB

MD5
5683b00228f0fb1e4036f8f1f046bd43

SHA1
199634fb2627077ff9fa4b16aa50b3aa550b6663

SHA256
2ba498c4432e38cc31c9ddaa82eae78f908de5e09e1a241f39746809ec735562

SHA512
dfa593f38ce040390d6f92e22ef6e189c3a5fb294c5fbd850e308e48d856d55332f79600e380e8bfc77888c6e5e63314b527f762ba02b01c677a91a6ead0dac3

Download Submit
memory/756-260-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/756-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/836-390-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/836-382-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/964-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/992-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-308-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-315-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1916-185-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2060-210-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2060-197-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2064-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-96-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2796-341-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2808-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-196-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3220-157-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3240-363-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3240-370-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3368-361-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3368-353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3376-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3376-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-399-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-391-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3480-270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3480-279-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3484-343-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3484-350-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3644-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3644-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3976-288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3984-158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3984-171-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3996-296-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3996-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4060-224-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4060-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4120-306-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4132-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4188-268-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4440-123-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4440-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4576-400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4576-410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-380-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-372-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4760-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4760-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-250-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4884-120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4884-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4968-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4968-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-146-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5048-236-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download