18d83bd2b428ee8e6de9d5d37059ddc75d100cc97264de337ac624fe231c255b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
Size

163KB
MD5

c5f55903a1f172a08dfe680dd93f79d4
SHA1

ded61d63402089cf45b37596a6de09ace26348b6
SHA256

18d83bd2b428ee8e6de9d5d37059ddc75d100cc97264de337ac624fe231c255b
SHA512

2678e53f3c9ae29e4534e8b2bc693852da94e2ae2c1839ea68df312988ae73c02d2d0fdbadc109d976296781f9a33e5316a783520a3cf3d6176d2546807d1a49
SSDEEP

3072:WPzvUX4xmr3QC5V+dEseA6Y5d5izUnqSaVL3O2r5ddwcEsSN8UO0Dc7tL:WPrUIxO5V+dEhA6Y5d5iQq7VJWcZBGY5

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	qIcoQAQw.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	qIcoQAQw.exe
3800	nacsUcIc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qIcoQAQw.exe = "C:\\Users\\Admin\\hegwMsos\\qIcoQAQw.exe"	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nacsUcIc.exe = "C:\\ProgramData\\aCIsEkcc\\nacsUcIc.exe"	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qIcoQAQw.exe = "C:\\Users\\Admin\\hegwMsos\\qIcoQAQw.exe"	qIcoQAQw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nacsUcIc.exe = "C:\\ProgramData\\aCIsEkcc\\nacsUcIc.exe"	nacsUcIc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	qIcoQAQw.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qIcoQAQw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4664	reg.exe
4148	reg.exe
3056	reg.exe
1212	reg.exe
4620	reg.exe
2252	reg.exe
1012	reg.exe
924	reg.exe
2452	reg.exe
5048	reg.exe
4300	reg.exe
4420	reg.exe
2564	reg.exe
3476	reg.exe
1796	reg.exe
4964	reg.exe
4988	reg.exe
4852	reg.exe
4868	reg.exe
3548	reg.exe
3612	reg.exe
976	reg.exe
4300	reg.exe
4648	reg.exe
1876	reg.exe
4664	reg.exe
2212	reg.exe
5028	reg.exe
1568	reg.exe
2508	reg.exe
1440	reg.exe
3840	reg.exe
2688	reg.exe
3568	reg.exe
4908	reg.exe
2704	reg.exe
1360	reg.exe
3120	reg.exe
3440	reg.exe
5028	reg.exe
3548	reg.exe
4652	reg.exe
2592	reg.exe
2980	reg.exe
2412	reg.exe
2200	reg.exe
3980	reg.exe
3980	reg.exe
1912	reg.exe
2856	reg.exe
548	reg.exe
3508	reg.exe
3628	reg.exe
1108	reg.exe
4944	reg.exe
392	reg.exe
3740	reg.exe
2852	reg.exe
3176	reg.exe
4868	reg.exe
2856	reg.exe
3568	reg.exe
2236	reg.exe
2928	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3568	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3568	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3568	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3568	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3436	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3436	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3436	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3436	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3596	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3596	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3596	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3596	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1672	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1672	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1672	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1672	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4040	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4040	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4040	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4040	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4276	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4276	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4276	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4276	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
856	reg.exe
856	reg.exe
856	reg.exe
856	reg.exe
3992	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3992	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3992	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3992	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3476	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3476	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3476	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
3476	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
460	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
460	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
460	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
460	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4544	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4544	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4544	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4544	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4548	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4548	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4548	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
4548	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1660	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1660	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1660	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
1660	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3224	qIcoQAQw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe
3224	qIcoQAQw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3224	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	89
PID 4184 wrote to memory of 3224	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	89
PID 4184 wrote to memory of 3224	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	89
PID 4184 wrote to memory of 3800	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	90
PID 4184 wrote to memory of 3800	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	90
PID 4184 wrote to memory of 3800	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	90
PID 4184 wrote to memory of 1052	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	92
PID 4184 wrote to memory of 1052	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	92
PID 4184 wrote to memory of 1052	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	92
PID 4184 wrote to memory of 4908	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	93
PID 4184 wrote to memory of 4908	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	93
PID 4184 wrote to memory of 4908	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	93
PID 4184 wrote to memory of 2368	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	96
PID 4184 wrote to memory of 2368	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	96
PID 4184 wrote to memory of 2368	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	96
PID 4184 wrote to memory of 3992	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	95
PID 4184 wrote to memory of 3992	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	95
PID 4184 wrote to memory of 3992	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	95
PID 4184 wrote to memory of 4344	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	94
PID 4184 wrote to memory of 4344	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	94
PID 4184 wrote to memory of 4344	4184	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	94
PID 1052 wrote to memory of 4048	1052	cmd.exe	98
PID 1052 wrote to memory of 4048	1052	cmd.exe	98
PID 1052 wrote to memory of 4048	1052	cmd.exe	98
PID 4344 wrote to memory of 2296	4344	cmd.exe	102
PID 4344 wrote to memory of 2296	4344	cmd.exe	102
PID 4344 wrote to memory of 2296	4344	cmd.exe	102
PID 4048 wrote to memory of 3184	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	103
PID 4048 wrote to memory of 3184	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	103
PID 4048 wrote to memory of 3184	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	103
PID 3184 wrote to memory of 2724	3184	cmd.exe	105
PID 3184 wrote to memory of 2724	3184	cmd.exe	105
PID 3184 wrote to memory of 2724	3184	cmd.exe	105
PID 4048 wrote to memory of 1424	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	106
PID 4048 wrote to memory of 1424	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	106
PID 4048 wrote to memory of 1424	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	106
PID 4048 wrote to memory of 924	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	107
PID 4048 wrote to memory of 924	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	107
PID 4048 wrote to memory of 924	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	107
PID 4048 wrote to memory of 2200	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	108
PID 4048 wrote to memory of 2200	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	108
PID 4048 wrote to memory of 2200	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	108
PID 4048 wrote to memory of 4672	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	109
PID 4048 wrote to memory of 4672	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	109
PID 4048 wrote to memory of 4672	4048	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	109
PID 4672 wrote to memory of 2088	4672	cmd.exe	114
PID 4672 wrote to memory of 2088	4672	cmd.exe	114
PID 4672 wrote to memory of 2088	4672	cmd.exe	114
PID 2724 wrote to memory of 1900	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	115
PID 2724 wrote to memory of 1900	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	115
PID 2724 wrote to memory of 1900	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	115
PID 1900 wrote to memory of 3568	1900	cmd.exe	117
PID 1900 wrote to memory of 3568	1900	cmd.exe	117
PID 1900 wrote to memory of 3568	1900	cmd.exe	117
PID 2724 wrote to memory of 1284	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	123
PID 2724 wrote to memory of 1284	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	123
PID 2724 wrote to memory of 1284	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	123
PID 2724 wrote to memory of 3612	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	118
PID 2724 wrote to memory of 3612	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	118
PID 2724 wrote to memory of 3612	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	118
PID 2724 wrote to memory of 2236	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	122
PID 2724 wrote to memory of 2236	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	122
PID 2724 wrote to memory of 2236	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	122
PID 2724 wrote to memory of 4244	2724	2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe	121

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\hegwMsos\qIcoQAQw.exe
  "C:\Users\Admin\hegwMsos\qIcoQAQw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3224
- C:\ProgramData\aCIsEkcc\nacsUcIc.exe
  "C:\ProgramData\aCIsEkcc\nacsUcIc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        8⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        10⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        12⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        14⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        16⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        18⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        19⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        20⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        22⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        24⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        26⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        28⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        30⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        32⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        33⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        34⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        35⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        36⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        37⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        38⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        39⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        40⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        41⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        42⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        43⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        44⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        45⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        46⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        47⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        48⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        49⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        50⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        51⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        52⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        53⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        54⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        55⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        56⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        57⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        58⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        59⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        60⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        61⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        62⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        63⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        64⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        65⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        66⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        67⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        68⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        69⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        70⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        71⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        72⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        73⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        74⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        75⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        76⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        77⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        78⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        79⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        80⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        81⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        82⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        83⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        84⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        85⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        86⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        87⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        88⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        89⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        90⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        91⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        92⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        93⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        94⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        95⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        96⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        97⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        98⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        99⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        100⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        101⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        102⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        103⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        104⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        105⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        106⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        107⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        108⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqUwgYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        108⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        108⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        109⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        110⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FocMgcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        111⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        111⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqUMskwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        109⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        UAC bypass
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMwcwIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        106⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUMgMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        104⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAkAosUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        102⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcIwgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        100⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsIEQUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        98⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dckYgcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        96⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqYkMoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        94⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hocokkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        92⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCIMkYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        90⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mokAIUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        88⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQYsQgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        86⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umwgYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        84⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwAMAQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        82⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQokwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        80⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zokgUEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        78⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caEMEgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        76⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggsosEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        74⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aksowYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        72⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqYswEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        70⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkwwsggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        68⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqAcUgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        66⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmwcwEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        64⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCYcMook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        62⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwccMMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        60⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUkYcMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        58⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMgAUsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        56⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naAsgMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        54⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYIYckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        52⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOQcsQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        50⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKQUEEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        48⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        50⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        51⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        52⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        53⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        54⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        55⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        56⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        57⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAAosYok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        57⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEMEEIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        55⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        57⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        58⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        59⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        60⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        61⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        62⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        63⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        64⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        65⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        66⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        67⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        68⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        69⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        70⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        71⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        72⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        73⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        74⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        75⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        76⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        77⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        78⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        79⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        80⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        81⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        82⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        83⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        84⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        86⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
        87⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
        88⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaogUAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        88⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqQcsAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        86⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YScEgAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        84⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CescMMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        82⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMocgMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        80⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYwUQUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        78⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nocEsUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        76⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMMkosoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        74⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOMMsokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        72⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiwkEQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        70⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmIAAkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        68⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwkwAMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        66⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQAoAIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        64⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIIAcIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        62⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwsMkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        60⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkUoAYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        58⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqUcQIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        53⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIUMUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        51⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIgIMUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        46⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuAQEcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        44⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGgwoYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        42⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYcscYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        40⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkYgQscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        38⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqYAQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        36⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgcQEoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        34⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEggEoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        32⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAEIMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        30⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwMcsAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        28⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vusMsAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        26⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWEgQkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        24⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEwQkUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        22⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jackowwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        20⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGUgwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        18⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOYUQcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        16⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeEIAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        14⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEswIIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgcAYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        10⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiMkEkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        8⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3144
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkgEoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
        6⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:756
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyEMUkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGEkwckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock
1⤵
PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boYsAMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock.exe""
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3064
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock"
  2⤵
  PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- UAC bypass
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
1KB

MD5
90ced8393accc57eef9c9de3d7b1517b

SHA1
2b22362178519143e21e2581f8aec066f67d8576

SHA256
50171512d44033a1cd0e2ec42626c02fc6b0dd66c6050b2835ebe5e7c8022666

SHA512
e6fb2167a3add1e7dc74f6f2a24214e35f2fc6715fed23f0de72b6df1cfd89710cdf473c8180cb49ac576339cd722d574087ae01a830103c412b9856934bb2a3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
157KB

MD5
6e67395f266bfc9d0a27343f32361d8a

SHA1
3d62547d9fe5126e3182360821998f302dc6926d

SHA256
fe9d86d07fcba9200ea7f4902e0e7e1a6df50f5c8b06235436d2c552b4e5dc45

SHA512
35cc973be9baf0ae22943a7de0a7f35bbb5a50f39bfc8339cb4aee325c7b2ba4d42a246aa93758586c55e72bfc0327cfa9dc27ec42ec3ae188f6f1226171172c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
150KB

MD5
e40d00145272bb9b2b837acb21e82f9e

SHA1
320474f38b6e2e5f5f433680e8855eea07d34af2

SHA256
d54796dacba8a42db1aa51d3cca355796d699a284afaffe3e770700de0c8bb58

SHA512
ed3d2ea33b222d0162177b69837f0e695d4d0b548eba9cd46a4cc32185aa0326f9929a93bca05fb8c65fd66d6130dea838a241e1f5a345a0a32a19eb2af7b706

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
238KB

MD5
9f74fa5d281d825d7dba79270a5c2d62

SHA1
7795de34ac767773529debee4d36d91801e98a5b

SHA256
49772bad113f573971b28a7a120f06d69d4a396b5ba27cf4b2c4b711db96c91a

SHA512
3e7615e6bd833526a8cc43abd74acc1bc4f95cd4f8d5bcbff9ddfca107233faf2c3cd529e6c1c2cebc829a40d9c39a8ee0809231eb65633c6c70347a2497f31c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
137KB

MD5
f43a60913285b22b08a10ae01bff9ae9

SHA1
81b52e7aa4c64f456857ebb0a0cfe36cb3b166e9

SHA256
803d8d472f2c88d3b819b7bbfe6f27472bddda8371bd150f9d80e32f977bc213

SHA512
22aad432556d2e1782d9fc703dd61d58fd18038a8f81b942af472de167fc9ba3a83513c2f2ed477b0e4ab6dc03fc6593b9fb23dfaf4dc29754ec450714fb1fb9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
113KB

MD5
6c89bc52a6febeb573ee2323d0d65f7e

SHA1
489cd1744f4d65cf5095129f9a32a5e27d7abb4b

SHA256
a87f16fb27fe4ac41576c43856ebf45fc63f242b9ade775caf2b1187a12a8b28

SHA512
5d206a87d3ba832108c155a45402e93581a60fe02891099fbc24d4ee6c23626f64b34b08621c3d02feb201c6edb3834e953d70cb17ec2b7f38b6d7bc3be8e660

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
110KB

MD5
073c3bdc2d530fd43a8a299f45467369

SHA1
e91adfdefcfd3e7e41aa26ea33928fd8c4ac13c7

SHA256
ea0ef350a3b5fe23b848091964d0f81851c42c9fad3b98c0fb0a9bc0a32fe870

SHA512
5988f497c28988de3982fe8eb78678d866b1981ab4a28a7a7db16d050aa48947d39e19b8e70601f000b3a4dac380eba8f561000017137037eba3af3b79dfc9f2

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
744KB

MD5
7052333b801860bb0c723ff2e21985d0

SHA1
efa0d151d8269b13d6119805750b0c7ceb55c698

SHA256
7efbe0ab244920cbcf5dc3ff59c795fc644b2035d6397ad37fb479e71af7eee1

SHA512
84b35cd92046dfe5aed773d8484153f7fe32ec3a89c38645970edf0a873769bcf78f5814d1b764a7cdd3406da885529e8ce1eb2436b8042fb86005c933a4ba9c

Download Submit
C:\ProgramData\aCIsEkcc\nacsUcIc.exe

Filesize
111KB

MD5
f57d4469f38b0a6730fb84ffa409218b

SHA1
af434a3924c7898f31f8bf600c34a0991beb52ac

SHA256
ae301416d5da984a7003d3a2b8f87de0a9b238b3f8306a15f5b3f6ddb0e49f43

SHA512
641e7fdabb495b5694dd2c8e0e4c6e66d277cc22d364ecdf1864463b9f38df7818878c755e52038a8e1e30a575b2a96e2a41eadcaabeb6f8b359210440c084c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
113KB

MD5
b2fd116e701533a91da38648e13f3c40

SHA1
60685b3076e2ba9e99fcbc9e7ea74ee6b48b0ee4

SHA256
f257d215a269a817a9c03a8edfe1e699471f6ecf5ba7778f95c99a5fa246b383

SHA512
8967a6c4cfda6a24ce480e1bc4310353f2d722105c0fbacf8fc8722df234a4b304fef0bb42c8aff278ea45bd80711d9f55082fbda9c38c0636551b2592c92b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

Filesize
113KB

MD5
177671c2f244f223f85c56adb9002f9a

SHA1
d49ae7bac56b60b1678e7a5064d07699b7e725d1

SHA256
09247967b1be32e6b7dbbe809808476ad756be928e6057ea482ec6a2ac2fc044

SHA512
588205b6126b01656563ce218e0d5ed95daed1db017fa5f2651180d5fd03e584560ba1ede0dabd9c5c08b90acb153be92424a98ad22498c70ccf5cc563a3c50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
111KB

MD5
1d39591c5687143834be6728f90493b2

SHA1
997a5cb3d566731c95e9503efd37f9072ac44f48

SHA256
e36affa4b3377f621953ec1e49f726b7742ec7eada952f86e91c7ca6d56071bc

SHA512
a90d63f1cb6ca849a90f4602a9f71bc3baa9898c4207d58aeebc03a8054e1d4698f1b732512aa1640407e4f50c189ca93969d5e0b78443100a15de6dcffd542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
4ecda279c671e70f94064fe2deead004

SHA1
d30e83daaf95bad91a71c0c7ccffcc3f7ea64d54

SHA256
0a67a049ba016ab0bb5c6c37bb2da2b589ec0800e2394ec793dc9d8f7967e215

SHA512
f000ed2e5bcb05b7bc40d8c298975a1b5646d54b9c774027168e5f367044b1b3b8cf8787cc584af05bcea51ab9f686629fc3bf92f305d6c69cb72e37db6a3aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-02-02_c5f55903a1f172a08dfe680dd93f79d4_virlock

Filesize
48KB

MD5
3b20f5e18b71fcd1d72cfc04349c721f

SHA1
3438a78d3c3b5a9c65a0f5f1d0110adda4d501f3

SHA256
8bf0705e02cfee4457efbaef3cc5f5aeb680d20dcbd7c8d893f386da85baafa4

SHA512
d7eed3b09ebcd4d9e9dacb4f306d5dea2283ac855242dbb66236547666a0699844a85b3edc21ef0b5313ad050465dd2b7184f8cf0b264b981fc85bdd455cde28

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAQg.exe

Filesize
118KB

MD5
fd711a9e4a7016750a3e0a25f8a534d4

SHA1
69dc45c8168ff0235e37a6652aa3a226443af72c

SHA256
6f426d046e2e8fcf6941f71c3ef8dc77f398268b34b917f593e6adb25baa0205

SHA512
a07d6b5fb60150bf874db1cf0ac3dcac717aa0f68df2dc842f7b79535f7c0330cd501fe0aed5bc6fd2bfa63cdb0ef163780a85da0484976c61731a4a08cc3e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYUm.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGEkwckY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccsa.exe

Filesize
111KB

MD5
c127b059662a074f19d319772041031c

SHA1
04786a0a31f8d4f418626c3538aeaa1c8fdfaadc

SHA256
990c68635958c0c4b107c02a4ec06a1d41856e7fdad664c42de47809222d97f2

SHA512
e94d2d6b417b251142fe3ca68a5be16369044d5df03e7541112f6e0e0d83bed17d56f3e6bc0e6b2866a75887dcf54b73fa7a5786de673ad086c3caa02f2315c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMUy.exe

Filesize
124KB

MD5
d6c79c63168d1ac008dd12a3b7459c06

SHA1
32d0766c99c37595e0b399615493cfbb7d9a991d

SHA256
510118328ca6ee78b366cce85ff702c16405ea661fd782425d719edb62d4ac09

SHA512
a48bfc6cb0e6fd2ef73f892349ec1cff43546974a4b7421e3dfb9ef7a07fc36c862a5fd8f292223436220692593acad741ab5b1b617a898e06d2c6e84c039271

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUQo.exe

Filesize
238KB

MD5
e3da453c248ae4517e3a216ac4d58413

SHA1
79988a6c08cc12b2ff0ef21f8dd0eec97346078a

SHA256
b9a674beadaa02556686f644756adc792528cb989a74388a0b7feb189766b9f6

SHA512
7e112a3e9facd42c0ac4a046426df0b3c34f4eb50b32b44561be73d1081b2a3a2e583c0ab613eb71724a1a5d607742b36c4a7cd963bd7214d4bb433405f685be

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUQu.exe

Filesize
246KB

MD5
2694f943f85c6f2ffbf6758413d944b1

SHA1
63b1704bd5512d303913aee61a6d7093e97724a2

SHA256
4c7c41e769818c0ac2d61be0b1f982ea88a0f5e76dc47f65a4ff601d32a4bae0

SHA512
1948f7542c0ed2df7cf4a10fa046aad5adc00a643c141ea8e4b40a61761b12f194ff2f16d0be3283efc4ccdc3e3eebcfb939bf6b03b5487258a970d9b28af219

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsAy.exe

Filesize
110KB

MD5
dc027f702f57d388728876514fc2be0f

SHA1
f82c33911633b7817c6334d25727e3f0cf2f51d4

SHA256
edbf72fbb265dafd72ecb60bdd626c5c426fb5959c6e03fb82f274eac8195019

SHA512
ae5f91a50c3d178aa6e8d66c73534c7e61b5c6252fcf4b47f7d4ba624b539260e19d2524f3339391a9a6cf859cdb9f688619c3441e55f1bdf7cd1f2f20834d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUi.exe

Filesize
143KB

MD5
2335b7dc906eacf184e234e7885ae031

SHA1
f62c0341ae10ec9f359500e65e46b56b9e985708

SHA256
61264aa12a1e40d375637df9cc3807b41de6d4fc29e2c365e45641386377b03c

SHA512
f39fa51ba8d7978559cdbbc2ea7440eb5caebe890d3a0e3e411c4f4252e9b046f90b35db3cf228e3fac8dff379827effba189a4bacc51b408e07e02e5c3c99d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcK.exe

Filesize
555KB

MD5
ec6be3de730585422fa8c93872dc5b9a

SHA1
0fa39d7328e830c94cfdd9591b0388880ec964be

SHA256
e5c8239956976f69778339f154086f369406b5ab6c77eb64942bb9d702b57c7a

SHA512
40ebf22909ef7de477a8debde4db3046323a0c38f10b52b30885e117a9aa313172b04dcc02782a950714e35490508cb6e36b2e25a23c02e07439e651416e5c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEkS.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEo.exe

Filesize
117KB

MD5
bb2e01439764e220aadd7c1e922579c4

SHA1
e15887cee4333ca95b731e30cff55b86efd4f18a

SHA256
42d9100ae0c8c960e6aa56d2d29e3ac93163774472f13116c01b3f8f850be5c8

SHA512
47dd016b082e6a4d38db8171677c0674dfe2cd809c9c7eabea9bcb7fb7b7abaedb6f867da2f72408c199ad92037c119fee0274aba553868b110be436a44b2893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYcq.exe

Filesize
111KB

MD5
8ddc3d6ad688c0b64be47b560f081830

SHA1
d03e2f7b18bd8a5dc6523d0442a1be2b0b8c878c

SHA256
c848b94bc6dcb8a3bfc19dbe24f0a137aa8fc445c879e83f52af6005e86921bd

SHA512
9b72903c5ce4f7e82d7ed6f89c2b435d7ab8709c686d015a5ea6dc66509365646bae55a642c8090b17b73db295ab8ecd65f243e42911765c5122f45ccc751ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEcM.exe

Filesize
113KB

MD5
7781d69a632cd51f2b124353d7bbae59

SHA1
9b7bc9fb2d7f38703f0579c28a420598fdfcae7b

SHA256
3ce537356a63010cb17e6a5b6ba062ec3e0f87c74ef6981ea84f33deace6882b

SHA512
497de88871c0a6589d5e0da208d4e35fb71c10a313f6dfb79e4654d0d4bada59ba8f4289e38248633e5fe1295255f6762dd6a4a6d917a9c5292e0aa256ea18e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEok.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYgO.exe

Filesize
112KB

MD5
88313be62382ee16bd13d33abd8dffa6

SHA1
341b0fdbab5e77557a694cedc14149e292e105d1

SHA256
408a7e1c97e6619ffe2acdaa9c4a78f1d2bc57f389f4f779f48359374965f755

SHA512
ffb74e49fdf39a2a80c4fb0226c045c21ba53a4272a997f455e50a6e016175d27d539c7cbf216a12d8fad11194b700622b4013620438aa61b4c3c744b3bdad35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwwi.exe

Filesize
110KB

MD5
5b35c04dd52c852ef7dfcb3750b23c40

SHA1
02f284d12770ca9e4e13d7afe6dc743ccaef558c

SHA256
d52a0044fbb32a1b99550680c304f55af01bb1f5731bedd99335b8677bc242ff

SHA512
77dc8b83991bb94bac4b859c335d9d735e257fc1612a8bee2722690b47610c599d84ec92a5ef2c836a0a2bc765eafb5fa332485f8feb15012eb3a906338a002c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEO.exe

Filesize
112KB

MD5
068c156cf61a7a4508c51024b406344e

SHA1
bbbc6eaa0d2629af335e2cc3e432b24487354761

SHA256
7a0d5f549139cbab5ebacb8259feef5e8181d8419670b99c9818f02c1a2662bd

SHA512
5b95993bd9da27105908651fc1ef909523701455d145a9b02162c93c09f243f7184e71210ded0cdaa5949ab2d9f38a341544db6719059cee07efb2215cb7f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mckk.exe

Filesize
110KB

MD5
89906f5b0ea8bc770ff3d1ce4f2f18f9

SHA1
c4a9343bb00d165566a595721a66336e2170f701

SHA256
c16f71525146ae47fab6d0ed97c129e6a1a448682359227ee4ff8a604253b351

SHA512
720d44dd664e6256393fefcba64bfcd81d39cb48415a09a8f38d48a9a7e9b071c6322a9e8091b1c2fbd1a6dcee420c1e09f1cc3eeb898f564b47f7b6dd2fcf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msou.exe

Filesize
112KB

MD5
a3b373e337c99a44467f257ec890fbc5

SHA1
ee1f2a9ae081bb5700141fb127a81e0efc498097

SHA256
dd747b5c595215c5b432637a01c4fd0442716a42eb3569bd856e99b7f79abb04

SHA512
f996597a2b0e7f4648f8d75b04525ceedd922fbf70484b23b09ef5c5f4eb4f0b65a6a3a668070e91dd20843e2b9b3a80297ffc30c827459e4af9c3b59658d6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAu.exe

Filesize
454KB

MD5
6a581eccc6d92e05f3f14a56eb3031df

SHA1
87492a9c5bc5b1c54ec1ca56e6bb538873abb502

SHA256
24cb897bb4a35fb64d457c4552e679e88dae830c8cf430f0995c2cb24dcc3c51

SHA512
197841ed7fe628ceaea13fa3964ef70184e78361a92d173e8d82426e757f5643457f130bceabaa3b7f92724da2ddf10effd889e55e0ed08672b18adee77a1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUi.exe

Filesize
423KB

MD5
c3506e69801ddc6d2b422e8e6a75f568

SHA1
bfce079397f662a5a15067832cd1b555c5e087f7

SHA256
2faa90f36662579628a48095ec6fb6f821367e6a20a8cc2f9434d6d56d0b2c1e

SHA512
b66ad587edf4b1f1c22f812b5fb20b46e81d2fcc27fd410d13d35fcb4f39f778a033578d0fb76e3c28f8a69ff71e4bd130c1654ed27e2c24fee632408875eb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAg.exe

Filesize
124KB

MD5
adda7b7c894c83131e916d3c424bdacf

SHA1
895f1588f467668ace71bd93bf2c2b19d5be1c10

SHA256
ba652f969f0201c8fda1e74e841f6461739bde027662890507c1fb066a96477f

SHA512
d2e3e7c3ca2e95a0bb6846ec97efe8840c7e672c7af74592319a15d988c543eedf11620725d9ee87016af7cedbe1d3c51e9ec4a9faed9113a18dc78230d1eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMC.exe

Filesize
113KB

MD5
8acaa6dd62fcd16a40744ffc69bde47d

SHA1
2c9380f8be7b5e3e38fb4ae74cc577b234759e7d

SHA256
6a1022dd047f9327e631b6d189f8f9c51362086d79638678da2d5d7d5a141d77

SHA512
cd1056f67daf139f65d03e346fadf6f71b8f06ff873bc909b1d60a45a4a3e975a30aed6d577c4ade10e029faee204b9fe2082fae37e855671b483c16a84c65c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEgU.exe

Filesize
120KB

MD5
64a1c26f9d9fe67cc18113b3f8b4ab3e

SHA1
3bdd6fc9e73840cb09d6bde2ba7ab55130ca292b

SHA256
63a58e91d14576cd07fbd8134f4f6245c25e33ca99ad889614e5c592484e55c8

SHA512
d600d3ddd6f9d610a87c5773e70e3e35748436a1641ad7ed30a2a7666480f7c29e8592af583949cbc1fb614e91bf0729626e314aa51b5f6a6d5825f5245c0ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMQG.exe

Filesize
185KB

MD5
7ad562b5a36587ff35815e6e628fd66c

SHA1
75fc7cdee95c1548318581add11771cf464e9643

SHA256
8a5d6fc2460528be4493efd09a25a6b69a461d1daca91a4a300951409d38ac64

SHA512
bbf02e0e882d99cd738eb91e65de2db39c9f9a815bed10f2d249d6a19f9b25726e84932c1379fcf451e5e28d0daaa98c35d661afd50b8b62b84190b8f1e37c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUwK.exe

Filesize
111KB

MD5
c66425ff77db1b4c7dc205e570b2bcc3

SHA1
65f5ad71cd10a78e254539802dfcebe355d4b807

SHA256
c785a7d7fef0ea270e8d329ee8cd2ee523fab0ad8ebb4bfc5e6869e9bf104304

SHA512
b8eb2968baf814c7a855fb40bd83c227072dbd5fe9ecf60fa55f3e8207ac0d3d83053d150b738899d3261e661e8c4cb12d7f280cf4e8c1f34b772111e0157e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUwg.exe

Filesize
1.1MB

MD5
f6e504c9a08348d0de348dbc48b5c118

SHA1
0153f370fbbe2310b97a9774ac9047b49819d9a6

SHA256
de62a8ab831437297c0cee9fa50e7f5fe82a3535abe4be64e135e49ff98dc50f

SHA512
dc46272b03a8d1973072d6a4966504428893ef9b51c6861cf1dd795fda49d3b7e3b98cedcc2b3182b85fb0914bf93108f4a5972ec4c90c559e0920f7bb8ec798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkwy.exe

Filesize
110KB

MD5
5c637e043fbe82c1fb3dd19413acac46

SHA1
43c633aeebb7aefedd1ae8952e80cf7bb6bbfcbe

SHA256
85f397556b6eac78ca0f6edafd347aeac741d7402e18beec883f31d404ca17a0

SHA512
7fbf3feb499fd29cb2e6876e02dc55e6c4197ea3196d6f610bc51595a7b6e2aee580ef6d9de2809f2daa49a793712689fb0843fd08dc575b8477631fa4d6913f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEAy.exe

Filesize
111KB

MD5
73bc649f001c53c585d863f890e99117

SHA1
45acf49549f2ae795fc8b1a4e714d41d66a82d2e

SHA256
94d9c41fe03fd55d4b39fdf6cd16554a7c3ff9e29e2165c7d74abdb6a4dc3d79

SHA512
b894a1a59742358c5193ab3bbf5510e4107a64bb654df37d86d648ffaaeb16d25bd792acc446430ae18b101eca2ab0f4e2bc7e7cd710be8fe27e13716af89d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEI.exe

Filesize
117KB

MD5
fee1aa7a880eb8aa6c62c8ea386aff4c

SHA1
5834ce6aa86650312a2d43e59f3027f1b95d0b0e

SHA256
a2fe2108a8049315a0ea76e3e8962f46758047ceeb681c47b36883db169c2f0f

SHA512
36ffd28b1bc7f7e9977f43983e908732e5dd83a2b4183ba9fd794b4194310fba00cd283aa070fc4ce3286af53f3be52cae1f4224c3dcb507910b562ec3554d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMQi.exe

Filesize
704KB

MD5
82910c2d45382a1a9d0d1bb4141f3c07

SHA1
98c757d904f68ca95718b94e972d5ff0fd755f66

SHA256
48a4cfaa63366cb3a272ec99ef5bde25d7cf811e087fa64a7fdf5d4ef849f27a

SHA512
076c3620bad0a91fe5a0e1019aa8982b4ec7c1b49297fea7ad77f8a8b9b537a049c4e4e8456ab11e51183cf577a3dcf04def85c062c46e900801daea1047cb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgu.exe

Filesize
1.0MB

MD5
a2cfa21cbd05a9df0c8ccdda09929d79

SHA1
ed96cac535df15f9c5f7a22cde802b623deeae93

SHA256
5336bb63431925a834075eb193bd3a6a2b76f8eec27ec1d8dd9d8909b623e127

SHA512
b27d191f1bc1d99983fbfb9e81a6e2c80bebf5da5b27877e5599733c92abba27d5a1860128af5d31de7e8b7cfe540a749bdbd00d209baff796023e3886e356e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoMY.exe

Filesize
116KB

MD5
1c2a18e5f3d3813abfb9868380656bcd

SHA1
10e5e396ea780372d903032f5a282316fc0ffd39

SHA256
b936469c195b370eafdf8a2ef4af7f5d2ac34ce733063fdfe7c5d7a1103e8e76

SHA512
c870030077cf83392b39cd48f610cc98753e98ab66a84edc983893b444cbeb14db17948b2f7a59c5b22e8793ae0eca44e4fea251783c0db98766479b00508124

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMco.exe

Filesize
115KB

MD5
d4ca57126ba28052f8513d2f84519a89

SHA1
ff7e06b469d372914d2512da39774d776ac46973

SHA256
c22e612f872eecb76c3a3cd434a292c36b49870f61220f685e614cfe26a5abd8

SHA512
8351bd14799e3fddaee47327aee940c13d7cf473cf4037759d02bd0c1809ce79bcc006287ab1422a0d6e4e5572a9785ff65c567eef69edb9cba301ec4afa8825

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEAS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAg.exe

Filesize
111KB

MD5
0bceff7a6518ec1a97dad2012e26752a

SHA1
ae60de7533ccd5d1d1f44052fc18b9ec2199679d

SHA256
3096a50564df0239505fe2aaec89a6f628361f90ace946a3096560e0227bc2ad

SHA512
42cab156c9fa0223d5174dc800fd16505f89c73ba19113b195f03f34b45f8570889950a2ba0a671c97fb3b231898522eee29ef7d028f085e317e6c8ead174df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMgs.exe

Filesize
111KB

MD5
5cdfabf7a054d9cde9cff8e7bfbea567

SHA1
3fd37b5af7154bab2e8985a96189719f33cc8b63

SHA256
ac5e9ca83614c26a012f514d95f09f11f5353a244d8f80502d7f43dc9364ec23

SHA512
44d91d3707675a33ee21f32de584717f1928685ac4115881453d75dafea44143d266cd6c6f5ed6277ecb28f245c31ac08c3ec158fa67f1e783ec89f2ff20c9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQge.exe

Filesize
111KB

MD5
e259e43df0a3060b939cb63fdf2952f6

SHA1
b33434da3e38c4988f7616e2d98349b7a8413d25

SHA256
0e478f0cc3d53269d2382bcbcfe82b241ce5884375f4f54c843cce6a4f3cfc99

SHA512
43e1ecc4df1f972af700bf538ac221dd6d851053f3fb76b0ac07dd0d44f0830b4f1eadde550cfeffa68ba34a82f08605198f53a2854c3f57e9ad208c059a6f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQG.exe

Filesize
118KB

MD5
9fea9ee10cd02f054a055db79de6295a

SHA1
34e7f79796abe54b02c7e748e02ee6f9174da22c

SHA256
39ef377903ce608375c24b5aa882244806b2c81b375aaf1b8e6c742aaaa3ab3c

SHA512
b7f476021a6db801ddf223d0a4bb48c22e247ad55409d2e2a48700040b450fd48d47ff2340a4357e6ec2afb455b90cd609546a7ffb60426736016c56ad347d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\YowC.exe

Filesize
118KB

MD5
3940a7d35527901cc4ccd935b456eeb2

SHA1
36bb455144bb9f15ba799deee03ee57e1498efbb

SHA256
95d08c58a0a88f4baf219f9dc1964ccbf023daf03c6ae7f2f8226c492708c780

SHA512
95d44949f3cb5322f21f6738ae2a6576816b05b27acfdc009929529c84cf2e5f7d0289b9514afa29d80212e32c31bd9889bef0d762e197a680a06e7a0747d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywww.exe

Filesize
358KB

MD5
1f8fab78999c4da86d305f3724461974

SHA1
6e29add0e367f605a272344eeed3358b378ee871

SHA256
e9cf4ca714892d0f729a3fad1b17a6d0ba2654b1eec639618486da15830488a9

SHA512
20ae3e7201e494857319459954c10b7f682523fbd74cf4b7392026188b8c48dd79dd683aa2672bd4a51a7a8b62c96c3f9a313bc6375febd3af7fd464fbeefc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackA.exe

Filesize
113KB

MD5
ef58377355131fe0bf01db90e96c9a58

SHA1
b92e68aa2e257cf5c1c68e948b0e43d495353028

SHA256
e29bc7b5f0c682c1bc8f12f70b400d6fa9def47108704607db8ad2624e3adde1

SHA512
17413a38e1284fd0d529f4b6f8a58cf2b60b0f80f00a8a180dcc88a8fb49d096548ff9640a77b0870b7111d81d917249f2770ef20686200081ad7274567fda1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEW.exe

Filesize
1.4MB

MD5
f04c14e9bd8ffc6aee380d75f5cc44e3

SHA1
f397e182b3b52c245c421df27baa3bb54f077fb8

SHA256
980e6d12f3e20aef3690e10dd15ff498b57c47ab299c344a522824d825993d49

SHA512
62d99f766a689716bfd884286e97f8263b00f684c746c6151e20aa9a3842043a3aa5a3096785899fa5594e0e10de217dc1bc8297fae0cced7bbc76ab8a9b7f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIIo.exe

Filesize
113KB

MD5
194fa32867a4ce92da265147d6dc1861

SHA1
d6ca9defd15926b6dea680a7eab66a63ff22a45f

SHA256
b0eed59c9bd86594c744930129aa2d53b8c6e90a03206ff399e3d208d6e9cb82

SHA512
4a7ab9e07d57ad033991796ceaab580c4194198cd27b97103f22c53a2add20b2e09ace264a610b945d85510a9f71335367d87f816131203adcf90a6bf49f07f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQkA.exe

Filesize
120KB

MD5
2041649c9cf218142ed0a04007cd618c

SHA1
204cfbb32dc1422e3e4848d2cad94e8fc66c4a87

SHA256
06303659811d18a2bb42889b05ac08eaeaed95b6eccdec492e901b6455cf0c16

SHA512
abc29b31dae045b97d4b95259fb4b861524bbd1dbd18e72644315defaa5208f5699711572f374d0e9a99aec5877e6c47ef558f2f270056eff7da3fc95585bc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYoO.exe

Filesize
554KB

MD5
3244def28170037545623ad873f8bfed

SHA1
f5c86b4b75e51ebfd13efbe70c63493cedd0eb45

SHA256
4a6b2b66ad3081402259ba017aa240ea30365abe0c5a85da1c7d39a3a2d6598f

SHA512
f68f6caa822ac6b95f0e4c32b47ccf0187e85f0ea461c2e37709a8b474c487b95d5dcb59a46b65de2c3ca6e66fe49784477275998ac6eaa055b77841769ac865

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUK.exe

Filesize
122KB

MD5
4dcc110133b8141f6b68817b789de203

SHA1
b44f75f07659a26e6653a66564697b08f13ef563

SHA256
326b038f27fe5e064f3d92921987e0609b572a1b253609e4204ecfb86487dfe1

SHA512
db5561c43398451c85f1f6d2e354366dd30adccb2919608f4725c0ff2288c0baf15234b4c7b4c964de2d00feee7aefe372b28fc72dace49efdf1d5643eb209ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAq.exe

Filesize
110KB

MD5
d689c5ec38d8104ea7618e95c6767b26

SHA1
aa7099ff1330c7e52d8eb365745b8f171a7e2dae

SHA256
e98e11f6d25036e9b6bdae741d8aa5a51fa034163503ad339c9bbce9685d530f

SHA512
0110f0f1a70d013eca8f4301844a1e1cffbdcd5ac0d20f23d8b75d2a5681c40483b2312ffd2a2d81f8656c572f4d6d2f4e3f85e164e0a3b0d11897fdef5b975f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwUq.exe

Filesize
111KB

MD5
7aa0d3e91b414988a4bd5ad4ff2263b2

SHA1
0314a85e7d68840a3a63cf90b013b6bfbb086058

SHA256
485b84be42ac294a260ab428894d2380782b0c5010e581b32ab99c07ab6393cc

SHA512
580ae9697096356979cfc8801ac833efe8016df1c980a231fcdbe5094dcdf7295731a3f2c4fca895e735ae8c742c81ca087c62c31c0821b17acc5951824de212

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYwY.exe

Filesize
720KB

MD5
71f34d94d8599b12b9a9e7c7f41885ee

SHA1
8e9b5a9a7e04223cb84adf7c8c27438b3795383e

SHA256
4070f37dfcf126af56bf484892ed03e9349d00547144630bd42aab71256b008e

SHA512
56c9ee92ab39da73a0ebdbd9bee4e96e1dd1b28fb94480781862ab67ede85e432235329f61f592d9b530df2bc76c0b2fdfdf9777f0b0163b9d9e18c436f7c0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecwg.exe

Filesize
112KB

MD5
5890e1a73e8409733cb4787ccb934b78

SHA1
2a64e739b25698c016f647dfa1d55f0bb4286a7f

SHA256
bb58882d0dd508a571173f53ef4bed4f877e4b7e45447aad707a6e0785d0b4f7

SHA512
0105cbb030b1c7764294c86fa41bdd29d1305b0e1e3050f9d12cea442d57644eb061c52e5f0104999082cd72a5e4bd4a38ee789ffb06560781bef31e920b4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\egYq.exe

Filesize
151KB

MD5
5c606664a7d743ef357d92f493702c77

SHA1
947de0a372f60758d22ae0a6df14659db5943aa1

SHA256
3a6085f22f0a7c1460b356bd559b0f3a72a3fe2a0515426c58c7c4a200dfd671

SHA512
b1248fa20248f3aaa727afbfaebce4e91ed67576c06ee7297e276b0bcc8c6ac5bbce205e08a5f467a85073554000cb6d0f425a35ec6279afdd211717386d551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoom.exe

Filesize
112KB

MD5
00a8c41f79bfbef0b381953ccf0df1db

SHA1
efc4854a9c980a0e24dc82b325bba2926dad8760

SHA256
2f8c58e32b36224ec7c4ce80a56b067635f06dabf1898cd5b042b2345319e561

SHA512
8c48b3675bde8abed46a28a7edfc2227293d932ac73cfa0ba485c65bd428734cceab5c2b5deb668a07550474ce3fe861519dec3aec34f6ac40043b216699c021

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewAW.exe

Filesize
111KB

MD5
d2faeb5c1ad61aee1471d745798bb112

SHA1
2f2c129b83b054290233a866b86ad0bdfa990b00

SHA256
2d567044d96646bfd271c0801c7c423db36cd41227348047af59d38e2ff2f041

SHA512
08af3cb3c9a10c50a225ec93091a46c06a2a4007420ef719d6d9b6f6689aa5117d63a40a1086798d291bbec311e80e130bb72da1a00ff811d7a623c5f5c120d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAgg.exe

Filesize
485KB

MD5
2bd84d2cb1cad807f69712b89d93d2c7

SHA1
621a44f7d2060e92b10ba34584b0171eae01faa3

SHA256
e8fefdbaab32f3b87f1eaec0838128091a77a0e2a7965cea29250166b41f8e7d

SHA512
3589207789537b6c4b4a942238b7eb07d3e1c70045ee2691a56244bbba98fe60b41432fc8b1f998e864b108f4653de1b8d30ba4d42f1e04275686df37bda72d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAoo.exe

Filesize
202KB

MD5
bd2c7e9f6d04323983ceb6d51e6d3948

SHA1
122cc1aee3468331e7c0c39bc9db58b8dc4a3ef2

SHA256
50f671122c322b38d667d678f55dee53e46b0ab985ff95388a477b18d3f9a130

SHA512
69a23aab0602b7baee98e8ab7e4b842b01836866fc623b6bd04ec3f70518de2268787719b4a483fd0968b431536d48c981044e75826e9f2c74bab9e4a94eb35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEwE.exe

Filesize
115KB

MD5
9d18aa5e41df3706957690507563cb1f

SHA1
ad6f46125f30dd7b6e7b23434658db9c85ce21f0

SHA256
db53899840fcf0eeb4fa6843f468d1dce1618ad40aa4a29704be66236bdf9095

SHA512
71dbc529d1b57d8bff830b5ef062ee51b0803ef26f4b9ac00d997276a4bb0d4979e7082d02e118d180b986210370c57c0d66c1d02f5fb8fea410520fbcfa4f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIou.exe

Filesize
564KB

MD5
e1d5a168244099dbc4ffa6f65caabc5d

SHA1
4a32138eeff09d490ae346e5d984a51d6f362816

SHA256
b3b8a2e24d8d0940a39b2889655235cbe3f965935a0fb7bd0628b246b14fece4

SHA512
4af87bd9b8704ae9058fefe2f2720746ed03ae02ffdff5d44dba6d9aa9415594711df7baf2bf7937b3cadf2d648bafa910276bd29b1ba08a524e922d9ec62f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMke.exe

Filesize
122KB

MD5
fd388ab376d319e398e82b292ada47cd

SHA1
67e790d33cbf4308c5e6967813de8b354671359d

SHA256
f02bae041750594b675545baad274284267230e8b016868c58baba6239e8e7ad

SHA512
3b90fbc91b47d706643bb693ae23a5253059b00f10c661b9f36d3bc71a72423107e253cabc02eccec97868bfb262d28587498093ddcdd8c045ced730753de7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoE.exe

Filesize
113KB

MD5
0da5fb185286bad87260c8e3090f1882

SHA1
edb9e39b69f4b6a5844cde1236c6061281ba6bbd

SHA256
4fad534aa597c61052906623ae6bb42232fe2ca6bc0092c7d84a7e6d89033e62

SHA512
6d0d1dfa6210148dc6f4fa827977118bfdb1fb8b7a94009d87f828715b56209fc10610af40cbbed3146a2c3b900f523483a82a4947083496ac16ffd52e61a5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAQ.exe

Filesize
112KB

MD5
b2a13c3d5b8e8b51fadd3c26ae2178f6

SHA1
826b921beade6f69a8de874fef27ceb2fd86a9b7

SHA256
021fcc0628f1ad662d4da1bbb0ca0d9e007b290bab4aa809d25c85499029ea17

SHA512
f928bbefe0d5e4f416d1662029f4ca9169aeec1f98993eb3e47a3bfd71f3fb07a8d4308c18cec696a5893d4787e94085739baafb97d233354970c5a158d7b990

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsQ.exe

Filesize
111KB

MD5
a24282647f9f44c88b4087ff6a7ff43b

SHA1
4162c130a0e5051aba28f93d9bfad0fa041e75c2

SHA256
8858ecb4204e62f07f7ad8a0b8023e06a38104fb648b48b53166d0c0419c2b63

SHA512
115b4bf48f213b7be07fa232a43ef84f34a5b46a3a8b718d1606f3c8b7b7834036b9737e88813bc701b6383c2a7984a1030bc7979c1123f10240dd626530a3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwG.exe

Filesize
564KB

MD5
4f007a689f2e74e0c0623118e0aa33e7

SHA1
68fb6ba5cd8af47bf5bc70a67b3138a2b5f9ba71

SHA256
37867f23bc981a8b65a8c9c3aea1478ebe0ff688490afdbb26dea437e5011e6a

SHA512
5bb186f233734dcd9234927c24542133c827ea3e2d8be0c790b7ebc0c70aa205f05366611ea83cad99091132c0f61785e6aca1f5964dffb05445fecfd9d3df5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAW.exe

Filesize
112KB

MD5
8a521e9667f4c72c0447197c3ec6360a

SHA1
6ddb80e65294d7edaece420199a8129be03b37be

SHA256
661e88a3e1b104068150dd2ebbbe9e5af8aaf44c23863081f22909d2185edefc

SHA512
a0ed50b999decf98a4c199054f915ac54d14140e01953cf351dd8165ce748bec38c465856afec01e3d735d871ab3f93879250e2fab77d51996a0ab769ec9d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\icck.exe

Filesize
4.0MB

MD5
452dec80998c9a4cd8e92fa16221c3cc

SHA1
787d0acdd42875312c89c1d796b8be166d9baabf

SHA256
eeba4c61390849bf330d88ce2c2d22c230735d49d52d561334f0421801eebcfa

SHA512
87e9165e195e485782ab967e866af8e2b62f88be096f391520fe6faf1e2bf1037ccc10222c5731360233ab1504fa2ed9414485e62dd41532f6a19df3c16457d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMk.exe

Filesize
117KB

MD5
273b4961000b747865ec415a2f0790e0

SHA1
bf2cd8d64a28175e1d6b30e5fe065387ee7a9e34

SHA256
a2673cf605b0550e4ec36f63095a7e14a83d195d4c40d213249b711e0084885c

SHA512
736f3e050e89cd255a8e3c6aa40b63524ad2428f9f855c100a522d380fbd226176a2669d961eb74c89a54d19b915f9436f6c45480f77f9f97a7ee13233bf0b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIkc.exe

Filesize
143KB

MD5
f675998fd59a02267b1b7f5969b085e5

SHA1
9c50408a9e6e8098ff46a8c14e32ab84218cabbe

SHA256
6e62d7b25a78b2ba16ca96e01c8abe622eb34bb749589ebd18111e1799e6c4ff

SHA512
b8489df9f965a70b8752194725757d327930b41319695f820ebc81fe5be5be33ff794f7276a5befc08be4c353082cffc0f1b16f7add31fdaa9fde658055070cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMu.exe

Filesize
112KB

MD5
c01638bf9b7451b2981402919816143e

SHA1
be8253fe27a81636ef354503a8929f189c6d62d0

SHA256
22bc3bf65f782947a87f1ef0d24a91110dd87216c2ef702962344519dab247cf

SHA512
54a7a88430a6a1070c658fc21cc40deeef78e1ccb35a2d9245e89cb42ecfe1501fb6056b020d50edd7f641a7e1fa9306ebadbb6ba05a04f36cf690fbe88ff6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYsU.exe

Filesize
109KB

MD5
f8b5ba0bf51f18d9072b59f2ce7da3aa

SHA1
98ea729eadbcd70d07a38e67864c931c1a19b991

SHA256
db363d3d08c2ce66c45654179c43ac8b2df3f43a84798e928848e05084f36b0e

SHA512
254ebcc4dad5d2ce59d985edaeb4b02a639d8fd4083ac9ee9dd312eda78613594bdb035eb7244c4da41df1386ed0e4db76b8f1f9a2b01732d9039f33513b391a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEG.exe

Filesize
115KB

MD5
1bb24d217b321b146f8ac63fb4a3cc35

SHA1
ef940d90302c8d4dc194211b6bbcd88b18074fb9

SHA256
267d6ca374d09513b9d9b76b1e76c7e49a6cba482dcef4cc7a29d7018b136897

SHA512
c60db003d75308deedd672dc5a066c8c106dd3795c2964bdd99f3840639d9078f1911b65a80684eca15a06423d2d47167e738d9956b60e6b1074bdec14782cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMA.exe

Filesize
110KB

MD5
32720a44dc4ccd428a60cc20efdbc5c2

SHA1
f8c1e3c62ca1adb8538a7b5da216f66587aaf662

SHA256
715ad31bef9557ceb54b77829bdbff78715e1e5a337a8e11c38c986f98a66c70

SHA512
b95f1a10b77a5f8e0ba941ca67dfdff2b6910b082bb943322574847c0be14439fe2a2656c4c8d2cdb567d00949f95fda34ea5423508b1937b7f2d4a26ee87f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUk.exe

Filesize
745KB

MD5
f436ed036928bfb3a4467ea52d9c9732

SHA1
bc7e8f9a18c24af02b5db4fa7433a2bb007c4c07

SHA256
f8218cce7a5b4211b79690d3451cda02d6e6f52d54cdf16ba696f2331c7ecfef

SHA512
b0575af88e9ef3ea6b88b9895240705932fc530aee86283047e07ed049b40559e38650ab6e894bbb60feb0b09d4cd83e7e7d5a3127e893ac61692e9c15ddc91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUco.exe

Filesize
111KB

MD5
1f284a2ba83011f454ee34c0a0e1cc4b

SHA1
c29d95735db52833b600b357d6f71848824a1789

SHA256
0eecf6ddc117b1618e4415291e478d57f9a13d38c2f25638976c7024734d1b75

SHA512
268cbf12f668734cb8609eefe3ae37dd5e2c86dd22eec68cd6331b5592ac45be8d485448e87cdd4254971b4a34ee794814ffba0409678e87669409b04940ae3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocsw.exe

Filesize
112KB

MD5
6f68617ba1e8fb2a3bb9f94bb586e375

SHA1
71599ca68280811f0dff69820828513264861597

SHA256
5fbcc0e7e8299eb20570a3ab38a6a064979c142d93e1ebf89e94b39428469ee7

SHA512
cd24364ea958f64b1d0a40d349a24d117c7d6cce8e1111e39fddbbcd95615b39a19174df40aef6aa0153d0c0ec67948bba511055761ce2c947529ccfd61abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\osYa.exe

Filesize
118KB

MD5
f609741aaf6a8798ea65213c82f9c84d

SHA1
44ca3a0c2d38db39f8a6e7ab1f377d132a5905fe

SHA256
2140f4699f691439cb1f5f8798ff1caaea5c5b9b131ae31ab95ede3d54258a0a

SHA512
3177feac18bcb10fe05c83b537a5b43d432597aa5b7a4b82efc3ab87cb23038d7d3f13fd7d6fdab628ac8b93df51a0c26effe1a438b9634d11c27a55fb34e136

Download Submit
C:\Users\Admin\AppData\Local\Temp\owMO.exe

Filesize
153KB

MD5
3398b038cbb6397bd6be7d7a6513e174

SHA1
463a822ed2964f0e3e818c8818cda86d2cdb45ef

SHA256
4d252f354303aeedf8a99964c48646cf3c364e9e78dd4d8828447c78d41546e1

SHA512
856cdb3ca8f37f0413c02a4707ec55202f2da93ec5d4ca95153ddeef9745ea32989f9b89e3ad00cebe50df1e0cf020cf5fa7a68294bca38484470196fb34209d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQQs.exe

Filesize
348KB

MD5
2a291f882c7ec774146fdd98b3e86971

SHA1
7f5ffee2c09e03cd81d6e21d5dcf45728e39b960

SHA256
be143f4c9144d48772aec69e2d61b655e27755e4057a871bb6291a99bf952c70

SHA512
abcdea35090325ffb62360152a3bd08e8f156752d4cca03d1177e684749f40885954c0371a4cf218871cdc57c6679108f56b2d07b724cdf14d9184401d7a991a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAC.exe

Filesize
459KB

MD5
68a1470e872852fcdb5d80381586195f

SHA1
bb22a6625986ca4e79095083119f7f51b5109b30

SHA256
603bf76501c955a32e72875510a36afd031334a3d01e223e96b44a3c845225af

SHA512
286a9b4d6e6c63a7d4c74be510fdebc276b929112b664bf06beb3c1b7628fd15717b98ebb02c6ee2ea91f4a0b1cdc989ad33c27681b0b4948ee928e8e1237858

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAC.exe

Filesize
113KB

MD5
abc4e379afd857d690af8d0413ce4703

SHA1
dcf46ee001cbbe2a2a2fd40981904e95d1c14909

SHA256
d5a4f08b3f8ec9d58f792231426a5d0e57a35db64f7756d95551fb916880fb59

SHA512
b849da000ff988a28e292637de097e68972a455f294047f412912b4bae6921b00865e0c8b0b9247bc393d0cb9d32c4c73b1d258e811ed295f94a7e3221343754

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowa.exe

Filesize
114KB

MD5
ffea6f67f42a3b5b23e6ea05543a41d1

SHA1
596e04bb56efa1a4a9ea7e7e9cea369f5725f0ca

SHA256
8b21121dd9490abcaa34c50d897eb4589c62082d247b9b757c98962948006ac5

SHA512
22c3098c1a6e06e7c008d46119669f994a6e6cf39ee933d2d097e7a4efcea76ff9da1b9236c6ac110bc6ed5a27f061fad47be6392e08678c18300bcd36e545c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAS.exe

Filesize
137KB

MD5
f16787e0d3b559c041a5147aa3211cdb

SHA1
fbceba37f92816a3c0fa348a000c4ca9d08214e0

SHA256
6714dee461cb6c4a715ec3a4e076ca60fbb241c889870ca1bb2d1f921c83e8e3

SHA512
dd2ce287417c67b80d040b3d544d6830d5d8c3f52720c65d71d837d396bf8cd0fae61aab51996a36c18b092e2fee1f8120c9e98bde5090031102f6857e08285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssMa.exe

Filesize
116KB

MD5
b443af730112737c6d7aeacd6c213256

SHA1
aa860bc90b4596c1460d5055ec265b8b783890c0

SHA256
c4bf2f7583a18c251bdb91f0d68d4c0fbea1a50c8f941ee3e2dc17905f5ad49c

SHA512
b7d124074e906791974827af906d57a78b3aeebea6a620ecaa37c8a396063ee39dd9884d3df423dbb66007cec093fb2241e9003c2366c6daac7b31a55440a651

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAAw.exe

Filesize
111KB

MD5
2ca4f475068cfd90484aebb30a6296b0

SHA1
207bca62ae8166bbd73595d5fec257053cde4086

SHA256
7db6e097069fb1f7f42bd99e019e8329efd325f49f4d2884599ac90a65d8af4b

SHA512
6a3aaf1b8823392782739eb10d62ca15626700ac4799c947ad449e8c6109f78ce959ef4c4679b681855ef75394d3420b11ce428ba3b82afdb6c08dbe0f677bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEks.exe

Filesize
111KB

MD5
07c2b05bfbfaaa9e78dcb1cf0ccc7ca4

SHA1
8205ec426b4ea468e647bbb65e581c528903d49b

SHA256
5b1d8bc33c2a0871843e1af0b1cb26d8f4debc2b02b1ce2b2fced65e88efa169

SHA512
63d4b56c98d0567fc82994bfa42e4fcc16aa1c400ebe1dedf76ad9d12cfe8a14aaaf1562f04f046874d7083305538315cd93ce84054a89743af14fed4bf76f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAks.exe

Filesize
110KB

MD5
7e30104d7864bf176a2e751ca8588227

SHA1
f7227bc2f1768e04dd53920302a9cda175872558

SHA256
ccc9a79124f508ecd598c42f8ace9574dc2f72c190cfb13c7e23378e4c50e9e4

SHA512
373ba62a62891a1f3ce94b5bd73e7c4b326d185cfe460339587d7886e2e9fd0d8afd96aec46e0fb3928cb54a13e7cdfec8020d6169027df9b95a07a725136ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYS.exe

Filesize
113KB

MD5
3f31cc0c9cd23aacb58e0006ecd97e2c

SHA1
7c400662687600e4465486d6ab2c9aed03cf6b4a

SHA256
dbfb253b509172ff4147246631c1cbe9baebe0adb4504e3d3a52ef4d842a6de8

SHA512
e198a9c54c5bd1afbb5ba15cf2e32904518ffa471369eed3690267dc5d060476bbf4f9bb8f9f853554fe618e706be45a9e5d924190f570842d253c80d8f5f2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcy.exe

Filesize
112KB

MD5
19b35350a98b04eba8792f1d15446f30

SHA1
e8bd11114b916a4d8458c571ddce5e1a8c6c25e4

SHA256
21443c045196430f64ae8edd751b53f40f809caaa5575bad84f6ab2850e02adc

SHA512
c82ee46af2fdfc0fc32871757d39d43c9bb3d546aa97bb7af4bcba172201b36a3ec5d9f8b3df4aa596838321527aa206e84970c221630fd1b671459d49814c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycoC.exe

Filesize
569KB

MD5
26d11495b70bde525d5e8c07b0bdd835

SHA1
946b8f014af39a58678390330d7205b5a269becf

SHA256
044bbb5cadabc52c58ce2925f83dced50a15caff21c28f000f0d7b7eca295304

SHA512
6264f7a05d8fa282de5e9934d2aa13919b2efe88c5150887ed4ce4984389ab1a87128328880cc4a6d648ea958572e5eb97fada1a016056fd6ea4e4e6fd54a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQW.exe

Filesize
113KB

MD5
f7078fd1e4684acb81e9e7586adc9291

SHA1
d512f85f67c07b3228839a1236b34f97109ce14e

SHA256
ca919c68be127e4c46c1380ec7d5bacd0b9fa83b1192e24962e9a6fa82543c9b

SHA512
743b078bca9b895fc42d5a0ba7f055095934ae442cfa6d2794524c5971dc10a77e63c31280d9b1e5b66caa2e963b37a6efeaa818766aaab59a4f4aca4b1546ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysoo.exe

Filesize
236KB

MD5
7b3a012a9ce14b83a7c2ba9c9015c844

SHA1
6219bd04d59091c604e8bbc29a865b72c8f047f6

SHA256
e9e8b3a662db9d345c1becba3f9fb5b67171c12eeab552ecb5630e48b207fb28

SHA512
da80f603f0961f00fb043059bd53e197134bec53900e9eed009d97a82c38b6617e5bb3a825a13b49a3999f76c5860d0f7a59388049856944dc20ee41bbd2e4e0

Download Submit
C:\Users\Admin\Documents\LockWatch.pdf.exe

Filesize
498KB

MD5
4915786c67655c25d4b7d42f5f462181

SHA1
2d1418c1401294867e719b9b1d8efca0459d1bda

SHA256
73c3778962b49f916d8fc043f28cd57e165be78953c8e36efc4b954388bbd6ed

SHA512
35b2f8021892eeb9da426d26b9039f8eb546f190071e7feb2f72d78617884c6d84899e28a562cbbf8fc9b839543cb638fcb8e0809124db4c79d7bac579e30d7c

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
134KB

MD5
936cffc747ab85c8456e320344e2a291

SHA1
b0b0f105947e1ec85eb41f61c71dab2b3848c9d6

SHA256
52fbeeb03d458948a8310e2eaf42117130dd9a66e268d7c1c326b9ad93568f18

SHA512
a56a52229a99523a7587fb07d7fa5f61d01757d6c49f2d4cd5699eac78d2904c57cbb475e5b8d33a80be1bfb7a9a3f4e6e571b5a71afbf49555141879af6a61e

Download Submit
C:\Users\Admin\hegwMsos\qIcoQAQw.exe

Filesize
109KB

MD5
8d71c882d6cc840a79a41d47b82cbc28

SHA1
9051f7b97ea19889dcdcbc6f387df85c6ceb940e

SHA256
f50d2ee06b84f65dcf6bcf82d3f222319dd85c756d2025441db600fc6fe242ae

SHA512
55393d598308af1233de8da706d8142b4790f6cd8876f006524f84f98bc03e78d6409b2d512aa03a74e04b094f28e139629a8373b94e6c6bb71f716edecac18d

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
1007KB

MD5
cc64d7a705153fe2a83f0bdaa30d2b6b

SHA1
90b40c0ec89d371c8a3595da36d4baaa5d0843a1

SHA256
324d54559800c9fd58b4c5ecfc4bf094a9b94f15337ac921ba2a6b0b94ed5fdc

SHA512
223203a021781bda3c96a45ce2e3a9beab5fd4e03bcb1473d99806f5fdb1e3f94ee6edfd19d36b8031a4b1eb45aba41aed670deb1f170287e000f216dd00d924

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
804KB

MD5
037e566b314779b353d415216f2b4ab6

SHA1
de5ba1690ce68be266b38f29043bcc1d3b68e7ec

SHA256
666dab0a78eb19c47f34f2ddc8b9070b84c41eeaabc185b2fc4b8bd18e3c592a

SHA512
f299a8c7cb7d912d38cd45ff8f7d1478695ec5093df304c9f0b5156d5ed64558889efd66cb2b9bbe6e63124454240b072f0519beb6fceb0cb362e4f272198cc8

Download Submit
memory/460-164-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/460-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/756-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/756-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/856-111-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/856-127-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1384-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1384-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1640-313-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1640-322-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1660-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1660-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1672-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1672-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1876-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1876-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2464-331-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2464-339-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-330-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-319-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3164-348-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3164-356-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3436-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3436-51-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3476-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3476-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3568-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3568-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3596-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3596-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3708-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3708-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3800-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3900-301-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3900-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3992-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3992-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3992-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3992-123-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4040-87-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4040-103-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4048-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4048-31-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4184-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4184-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4276-99-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4276-115-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4424-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4456-347-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4544-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4544-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4544-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4544-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4548-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4548-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-357-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4848-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download