Malware Analysis Report

2024-10-23 21:15

Sample ID 240125-v6qmcsbgf9
Target 2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock
SHA256 aac18a3c24ff00dea6849b8a5460a176eab64e1c59e292cf7cb5f1fa4215f79a
Tags
evasion persistence spyware stealer trojan kinsing loader ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aac18a3c24ff00dea6849b8a5460a176eab64e1c59e292cf7cb5f1fa4215f79a

Threat Level: Known bad

The file 2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan kinsing loader ransomware

Modifies visibility of file extensions in Explorer

Kinsing

UAC bypass

Renames multiple (80) files with added filename extension

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:38

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\Geo\Nation C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ieYAAsMQ.exe = "C:\\ProgramData\\paMAgwsE\\ieYAAsMQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rUUIkMQA.exe = "C:\\Users\\Admin\\jCUkkQAw\\rUUIkMQA.exe" C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ieYAAsMQ.exe = "C:\\ProgramData\\paMAgwsE\\ieYAAsMQ.exe" C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\YyQIYgcc.exe = "C:\\Users\\Admin\\gYAsgMQA\\YyQIYgcc.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyAkcEsY.exe = "C:\\ProgramData\\oUssUokU\\MyAkcEsY.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rUUIkMQA.exe = "C:\\Users\\Admin\\jCUkkQAw\\rUUIkMQA.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A
N/A N/A C:\ProgramData\paMAgwsE\ieYAAsMQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe
PID 2476 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe
PID 2476 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe
PID 2476 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe
PID 2476 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\paMAgwsE\ieYAAsMQ.exe
PID 2476 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\paMAgwsE\ieYAAsMQ.exe
PID 2476 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\paMAgwsE\ieYAAsMQ.exe
PID 2476 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\paMAgwsE\ieYAAsMQ.exe
PID 2476 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 3032 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 3032 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 3032 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2476 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2164 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2164 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2164 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2340 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2340 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2340 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2968 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2968 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2968 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe"

C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe

"C:\Users\Admin\jCUkkQAw\rUUIkMQA.exe"

C:\ProgramData\paMAgwsE\ieYAAsMQ.exe

"C:\ProgramData\paMAgwsE\ieYAAsMQ.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSksQgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkEQgIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOEsQAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WicEEEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCkUYoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwEwAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSwgcYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEUosYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yowwsoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\askQgQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgwsMUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiIUAIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\gYAsgMQA\YyQIYgcc.exe

"C:\Users\Admin\gYAsgMQA\YyQIYgcc.exe"

C:\ProgramData\oUssUokU\MyAkcEsY.exe

"C:\ProgramData\oUssUokU\MyAkcEsY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 36

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1622013401-1604789312430926808-1057466542-1847100674-955527633581573436-664902483"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "440678800-4767653592445005321843080467-2099834461-13328397871807229282-482738179"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMAsUEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wosgQoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkAcUkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20322298221975120677-81208961114166372711888260101-1118161619-1226830892-161773561"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYosYgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-821004663366676814-2106208192-1401329610214717706216515407701257690045-1719862454"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgcMgokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qEsgcsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5228125411996989603197674451054902753-760896670-13975573271710164512331450697"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiEMoIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikIwEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMUcMEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1885089342-814866151183420636129144022921186317331187064433639143160-1136947847"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1267181251313298261-26840491014674369531589998661-1333193896-959795480-182528515"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAsIUsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19968528485801820941941416239-2018777482-213178048922140348-164913470-1359162306"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1972197125-517454848-14666178298462339211756823966231047688964790831-381354091"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\POUIIIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAkAckUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "250364338170774778812722742061506565825033080681844854794-955370420871143781"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2476-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\jCUkkQAw\rUUIkMQA.exe

MD5 a0c33cc811df28072eeba24c5ca6cf68
SHA1 e84946f90107b1fb4dc4b22e0de979aa13a316b1
SHA256 0f72cf04e9fc45c5e29417a5290571c173805868fd60d3dda1d77172cdbdc73b
SHA512 472339d4b70361f76c54ea79df2bb2eefb0e89ed3f01a20b0b22e3564000311eb0f992b89ec1f3d72ff271463aacd66493045ca53a12c951e508919a8230cc94

memory/2476-5-0x0000000000460000-0x0000000000492000-memory.dmp

memory/848-13-0x0000000000400000-0x0000000000432000-memory.dmp

\ProgramData\paMAgwsE\ieYAAsMQ.exe

MD5 4f01eb12ab0d784a13340557d79581db
SHA1 d08038af85b6a9948bbe3187ad880ff6fcc04377
SHA256 6f55944803b25078cce4bb97bf1b97c4866ea86ccdd93e2b954a3afb9bf79895
SHA512 9380202bbeaf5ec78d75e85d4ff331391f70034e455db16ec50cb70d21179275f35aac3b4a1c4dc516442d3bcdf9b7fef6f33930701f49352f5fe0877e619779

C:\Users\Admin\AppData\Local\Temp\xAwAMMkI.bat

MD5 094f51f7e9b1991511593b1184283135
SHA1 ce617beadfdfaa679caeba41ee2ccc9fb49397c8
SHA256 994e7f821fde7cff2275af2ecdd1073b6da868e0a540d2f37d478a56a3d1b42c
SHA512 f44014018798c9310980b36beb85d2066b832a89db751e087ecf988c6a4059db9c4e2c44ad285c41685de91f045c1fbff80f61f85c8c6535f5eb72ff8628e9ad

memory/2720-30-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2476-31-0x0000000000460000-0x000000000048E000-memory.dmp

memory/2476-20-0x0000000000460000-0x000000000048E000-memory.dmp

memory/3032-35-0x0000000000510000-0x0000000000546000-memory.dmp

memory/2964-36-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3032-34-0x0000000000510000-0x0000000000546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tSksQgIA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2476-45-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

MD5 2cfa6796fc3ef55c4c52c89ffee69a01
SHA1 27f7ec659a880adc68377806cfed8a19a83d7a19
SHA256 01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd
SHA512 68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

C:\Users\Admin\AppData\Local\Temp\RIIQQsAA.bat

MD5 05fe7678559c5129fa3683017cdc0266
SHA1 7116fe7a41f17c75b6f7a3cb9df8dd9b59c2f25b
SHA256 58774e2bb2a84ae32ebb43856b4c9aa66f3e8e1a7a1c28fd68c87f046246dbf0
SHA512 253318aba5f278a07ab9d776062f64eb10a8f6ebf538f86c2f72d30d9918f3b47774c08a646134679e94e5cdacc7bb10ae36ffef99337b29b7f24ba6ae2422bb

memory/2340-58-0x0000000001F10000-0x0000000001F46000-memory.dmp

memory/2996-61-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2964-69-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2340-59-0x0000000001F10000-0x0000000001F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\pSgcgYYI.bat

MD5 59a991fde1f13a51e6e446a11e1e653e
SHA1 cf769b36612a136048094248f33d28d3b8022a49
SHA256 a22ed0f46f21ab48af7d3aeb6f51140955c93bd9d7be15fb677237130623d1c9
SHA512 7d8a41631e1f5a0b0be224e8fb530782748ea40cd1cd2ed4a4bc91f958d110913998370a960c8ec4f63cae74ec8b0f3ca993d5472ad3e54ce6b209b810a8f768

memory/2996-90-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1612-91-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZussgoAY.bat

MD5 bc5ffc4737aa8f3782d46c4dc01a6357
SHA1 b513fff2fa463c342face82c8a7217232209577e
SHA256 d5a0c09959a5f7bd9da98a58cbf6e4c1440250db4f63e81291cc131a4a6ca4ff
SHA512 27089403e63b93a8855ff7aac8e6377f205e12213d355bc81f10c816deed4221adb5d280a5a930c6c9cace8730f4bd7c426128f8307a327a95d4493763ce6d83

memory/2336-104-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2336-105-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2072-107-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1612-116-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jcgkwkII.bat

MD5 2fc27a711428464760c1d423bf692245
SHA1 b77759590d3fdcd6fc1c926b8eaee3a54f80879a
SHA256 233e337973e89c63a00905d70347f7a4d14812536100d3b91c001fccb7fee486
SHA512 34e5d153516a2c255a6fb41b41125a236b6179f074ef326b21506d466cdf54b44b337b532a89c0295f5dba87161e3a137a2ff7f6588e24aca7ea532bb6913668

memory/2072-138-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1360-139-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/1360-140-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/1716-141-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vmMAYkEo.bat

MD5 febe1ee2fb7e1f266d3a916497c7759b
SHA1 ef8a2313847b7a5d88b68cd5b94835d0bd52c209
SHA256 1548019c4b5c9b42d82f2ef5f052a070189f5b32cc69f4347b1101a6c6c508d9
SHA512 6d4cfb79cc38f19c3c777905ba66c0fc67891c3d219f8ec871f835353ea1587ec89d738a39b4ddc50bf721d71fd367c0051d4dfcecfbcb64f2e83049a7e2b305

memory/1716-162-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2212-164-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2212-163-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1568-167-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYQAAoEQ.bat

MD5 3ad035521da58b05304cda4b0b384128
SHA1 074813aa355c1957f78695741c593402e0cf013e
SHA256 43d22e05baf86b808a1af3716c48f3e10c28ee02654265a85279f2a6e9754379
SHA512 57ee5a8bb1a2949e14ed5b007ffd64b3360c37e21c7108feb3bcb36c4bece8e9b7973dd533c8ff23f73b5bc578677b6f2a24e788fecf0164885a402c5ce7eb71

memory/2988-180-0x0000000000300000-0x0000000000336000-memory.dmp

memory/2660-188-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1568-190-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JioIEMUI.bat

MD5 cfee61008c93d00571d709f05aeeea65
SHA1 489502ea70c87783e9cb7e9a9822830662239f6b
SHA256 733624bb1b55b7b16a6feaa6623961ed3d6b33ae5a37c5592426bd492be8cd37
SHA512 a371b38abb850f010587758536565de51a1319b8ad09da25fe637d85f247cc723d9d882548fb33304e1ed1f8fc1e4f1317c6bd21dc0ba6e5cecdd8307aa8351c

memory/1924-203-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2876-205-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2660-213-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZCgwIIQM.bat

MD5 60bf700817607f1c8c06419b1fac1823
SHA1 8461afd39e2533c16b8d01fe166e8aef09cfa013
SHA256 b35d3ff73fe7cf7892e873731c4af4b1448b19588fca8a6972468f1c1860e939
SHA512 1ae30c939c2c82e3448876a174856d7ce251aa32c5f9d0a2b2d8717a9c4202c113025b98f76ded51ad3888bea32719413358af0a3cb0dc43ad6ffc2bd578fbeb

memory/2152-226-0x0000000000360000-0x0000000000396000-memory.dmp

memory/320-229-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2876-237-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2152-227-0x0000000000360000-0x0000000000396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eYUkwgAM.bat

MD5 cb7a4e78a8d37929388c318a54e4f4e0
SHA1 241245fd23fe468f5466833ee253a2678497cd09
SHA256 eca7efb437f1d4dd919bd5e1334bb438383d71e3b95cc11ec857bbf10523c73d
SHA512 523fcb22c6a6755ce539a86d7799a56cd076fc3690e309057201e76e4b69f099e25ee4611082ca32cb33cef6df8c5efccaf9ae86a80df8f3684b46ff74bcb0d4

memory/860-250-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1824-252-0x0000000000400000-0x0000000000436000-memory.dmp

memory/320-260-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bEMkQcQU.bat

MD5 249969e6997aa85f178dcaf9b63a3737
SHA1 106cced98025dac6009b705603bc0795ac58d1eb
SHA256 56c4e29a957246c7d23211404f66527c7707a10165f91660529ee69c53f3a109
SHA512 8b7d40b97b0eca1c74c3bc90c5573ed5832e480b34cecfe69e05c3ed7775b2928cad330465f2193223e0f4b7ebeecd823f18f683df8789e2e0fd82e6f8ebb486

memory/1824-283-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1956-284-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1956-285-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2292-287-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EkYAwYYI.bat

MD5 8370c0055619157ae71ad11a4e53028e
SHA1 1fd5add63133680dd641da7e6929dd34db64cee7
SHA256 fd49d1240fc9da80418bcdef0044349c8e3313f010c2761d5fa0761ab3f751ba
SHA512 fd5a4ab38d886a6e719803766734eefb594bb2c892781f4ff33fc8901fb852730be04f4120e4c5d3d151de4cfc17734a705b7e4076a76c5427f0352643f7b632

memory/1960-306-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1960-309-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2000-312-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2292-308-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2000-314-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

memory/2000-315-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

memory/2788-316-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2000-317-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

memory/2308-318-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2704-321-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/2052-323-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2000-329-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xKYkAgQs.bat

MD5 f02a95f49b90132183ee71af86ab7988
SHA1 bf5a890f7f392b083eb4a402c46939ddb6366922
SHA256 f82f2042711c67b823b65e9c71129d333a444a8dd36b928260a4fe3e18979879
SHA512 40bc404dd69939bd3f7382b2830c43466bd0213ac1ab4376e64c702e00f569bd0beabab6de4519b934dcc5a6176d0935c7fa38df2dc0c9677d57743b2711deec

memory/2860-350-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2664-341-0x0000000000300000-0x0000000000336000-memory.dmp

memory/2052-349-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NEoscoQQ.bat

MD5 879eed56adde8858a9b24680aaae093d
SHA1 c10009e219210017d606491c8fed6e7222ae0f67
SHA256 cbd074fbd8b2217ef944acb82592f7a031c9fde223da73eab49623e769707a06
SHA512 fce43ecdd51a5d813d3471a7f79a4d381a1aa219ad474a5dae5d8be2e2f11d3bc224ef545299674d60ff2a1923e563640dca88acd8a8ff83d7f87eb7ea140468

memory/1740-364-0x00000000001A0000-0x00000000001D6000-memory.dmp

memory/2860-373-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2968-365-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\paMAgwsE\ieYAAsMQ.inf

MD5 778fd9554be2084a91d39f6adda1cd10
SHA1 ad08b310afa93b855cd60c9449a6b74ca5ede7fa
SHA256 b44444059b40a7dcc10f758a56dae88cf98a82d2e7643f279c7a2ced872b46d1
SHA512 d219e20f7398bc03ad22723df809550968b41f2b211fc9947c6daec3ede31ca2f05c0c431d956bcd9501e2dd49e61799f598cdde8a16433a63695947d7c4a58d

C:\Users\Admin\AppData\Local\Temp\MkssYIkk.bat

MD5 e69d8a53b656c4c50e3b2a159efd1ea9
SHA1 f35b1a4878efebc79165e1037f281f753cfb2666
SHA256 72c4bdbdd6ad53f00a230fb983ec6075fafa4759e272410723d7938b02dc818f
SHA512 3604d71abfd2a211c7d2168bd2e8e60aef89e9e77bcac53ceb32484bceeccfea7e7627c2c42588b7bf9a1baf3e620baddd8c35c94118b83d57636c3896d3783c

C:\Users\Admin\jCUkkQAw\rUUIkMQA.inf

MD5 e9ddd264b41f3e5209d4743002c26547
SHA1 b630c7bb000646b1ee8ab225cf7503d105c4ba1a
SHA256 97ac7b33f41aae54f7f9c9313318f8caf0f7e1c3f72e93b22929c44a0a534fdc
SHA512 60592043800cf93d5ac78ea30372a483dfa691a25783451f97b95c9a3680ec80887504cc4917c3866ee1897e78042c3db348e1a970d455804b70dff5423cf21d

memory/984-390-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DIgEEkkw.bat

MD5 a6d8f0b8542cca532f602be7a5b65a78
SHA1 2e40e7b6959806ec8041abdd78333fa91839641d
SHA256 e38fa98776cd9cbf0c1e5893cd974d83cbd33d18cc53de13f44d2dd00a7f6b91
SHA512 a6b5d6e4e35567a6c1df33588a7b52a4d2d2c11d76fc53dd887c50972b278bd452c4659ab5ab909e23c2665a7e6ae9447def7454c90e6447cdfeffd4f9c916ce

C:\Users\Admin\AppData\Local\Temp\JucogQwg.bat

MD5 f853493937f2298326d29916345b45c1
SHA1 9576f14945e347e75115750e1ae634a8a9d9e25c
SHA256 1e178a8770f5d95c3bbc63a19c6e9840b81ea8ad6376bd2a6933fca1f33def13
SHA512 f90bc59348aaf18c3b36994fae6a8d95fe822d4df768fdb14d472df724187f532e34b93433d97e2a4f5fa8b62fee740a4c54c853c4e16862daff5532c832cb10

C:\Users\Admin\AppData\Local\Temp\quEwwMwI.bat

MD5 8439e09b3e0f142dd0da532dc90354d1
SHA1 4c453ebd711257ba94f2780bf58065c452d6bbb3
SHA256 1ebc1ebb08521a6aa345694d577fd901b9771d1b75419e39aa1f66fb7d8970f0
SHA512 8d3dc2ac1f248ad892cddaf310217fee916500fd4cf32b6d34758b056d19c3109e4cf4e168acb8b1dacc8122ebcc0e1abd8b0c247defb1ba54a4050176cb43b7

C:\Users\Admin\jCUkkQAw\rUUIkMQA.inf

MD5 77510a5d33886e705291ad6476b66777
SHA1 2bae7b4287066033bb949b402d72055b8971ceca
SHA256 b3ac516b34a9cb3e5159cba9b87e8d8d7495a9ec1ae41dc83eaf6963c6231930
SHA512 dd04f37d1fb96c75fc995f1956111e33d9434d576e2e383a02b16bc55f9084ea48b0f7d19b990c5d0ee64bcce7cab07e48b24a5f89c766a550e5b884ff550da8

C:\Users\Admin\AppData\Local\Temp\XKEAMAkQ.bat

MD5 f4c05e485a78e5634dae3a1732ccc3b4
SHA1 5f1740ae0012200cfc26e696d0cb9cb16b2fc863
SHA256 90e77e2469713f27c978d5d6134aaf6b45adb5d430105c4e0e7a8073e03ff4e2
SHA512 92fe3540992719c9d7274e4c3ea08cd83d6cce4cf839754c8789ae2d9c1820bdc94d8c80e921d1bb3248df380e634555da13e7a7fc582ed933fb2e4c3d822f31

C:\Users\Admin\AppData\Local\Temp\RgcAowQk.bat

MD5 cd5b0d8256e5129f5275bedcdd348189
SHA1 c533b5f8acf93e74ff35826d56efe13b13f58acb
SHA256 0ae082417a5c421610f1db9e2df4b7886793d8ec4dc226892d36ae1109dd253a
SHA512 ef655dc5d7399191a8cf5ee3e4d02992e2484a077c679a2554120874d16da23cb79f384bdd8f6f0a8ce54a94f0f686f9c916bda45344152841cd52e127646634

C:\Users\Admin\AppData\Local\Temp\uKUsYQkk.bat

MD5 e3e7693b19a7e3d891115bfe4401d8cb
SHA1 cb7b20a73def9e961f23cd96aca75def284f222c
SHA256 2859ce862520c0824b5ab7f802cab4edff22398b2095a74af13093fe4b8343fc
SHA512 e6c04ee4666b60faa8ec2c5efabcde14595f1c759534b02757f3f4bad28fd444013a7d370f820e66a00b9f802866569487ccc9a0462f3c34a55fff048d57d10a

C:\Users\Admin\AppData\Local\Temp\JeEsUEgc.bat

MD5 540057535c98e9465e0ea3e84ba94dbc
SHA1 07c4d0de8b2bda42684f058687b58dd3b9664d38
SHA256 18aa8a6ebf21d56656b98dd0a5666c549d4cd239e769de7680e0137180e3136f
SHA512 11193508bfcbd83cacd4bd82ee3873735872782d93202ea2180e2e16ac3c3a848d7847bca81cef0c3c10f646516c86382f23cc69faf937eb2d6f6140e32c1b06

C:\Users\Admin\AppData\Local\Temp\uuIcokgg.bat

MD5 5d54508407c8725fdbd29514c4614af2
SHA1 519c7c6435c017859a00880adc6d826a7964c6ea
SHA256 06418c5270369b78dad96a3c54d6d51b2b8c5f37f7f9e4998b536b6549059ed9
SHA512 acfcdb56785a5d41840709b0ee755ea8eb9fd995e65f36640e9e6e147e34aa8a831a51cf95faf7e4a43a5c333c518e5c479cf7d42ebe0e6784487da1d12047c2

C:\Users\Admin\AppData\Local\Temp\pEAg.exe

MD5 43927c9fdae07f13cde58f77654227f6
SHA1 d31b08be8dfa4a0ab54d7c969c2e5cee26604a0e
SHA256 d3a4a6e50c89b3fa4e8314edc96c94cf099e91e73f1ecd124eeacceb3bd3bd13
SHA512 8a9d838201985600d5d06be126aae6f0c4b7434ae5f8028ae8bcb3bff8034cf6cd1aa8a2b32b080d022950b54ddddfb53185bc13eb89bce4801d3af040ce55fe

C:\Users\Admin\AppData\Local\Temp\sgAc.exe

MD5 457483af72ef8324678c2b023c844744
SHA1 8f621a446bee58e0ff8614f5b08fc9c60ba5ed2c
SHA256 2e6b7a0c53b2f04a164908f64235730cf77d63e6a97267ae5368206c5ff9f8a2
SHA512 5a2d358c193cc1b4a09af024238db50ca636232dab691c5e79173cdb3e7a6877dbc437fb257d705121105a848224b4c4e659313485615b249072334637a50b91

C:\Users\Admin\AppData\Local\Temp\IIIG.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 bf1d8df12bd8ad9c788034f196d9719b
SHA1 d81ef7966c118a5bb848c5dfa9891c5acb31749d
SHA256 d8fc194bb8e4a4d61bf0571604205437f59d3e2af2ae9394baddd115ec2f6b5c
SHA512 80adab46aad4aa6a38c09bb40e0ba2cc43fd32e7a27576c6dba6e1bdbdd560f8b1d58a965b55dda9f625613934c3c38ec9e2d0a0df0ddea05cd55fae7e0d005b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 1ba63cb8533dc69683063f353c2db9bd
SHA1 e8fae6bd5ca5e1d3345f21f13f51ca86a3fe667e
SHA256 7fe39dee3b7f270afb39d316cdadf0a857ce62a15e4663330b1292f65d06d9b3
SHA512 80b2154ed268dde917f200dd1f56be6ce10deec1ee19923db693489a7d4522d0264ccebba9c68a56a358eb907670156f6e6b2b1b2123c695972568543cf81198

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 83ca9f6f1eac8b4f8e4584977bce980a
SHA1 5a33d8c6d347c02cde88cfd5ded1d93a4b291582
SHA256 d1dd1aabe5071226116491dab13419706d1d4557d9c813ffec8b54c961eb5243
SHA512 95b638b3a689ff639f31c0d1510c0dbd35dd54a808cc13b353f6cad551006e077f7736548a06407fbd596ff959d003aec0807eac6aebed930b2d1e2b410d19e7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 114127bade5d1ebd2a9e4ddb25431a79
SHA1 de30fb0b347e5f8490791ba417a2e250d9fae1c0
SHA256 7344f436d0f2ae28f1eec0479123eb341d9eac21d1cc6fff84eacf4de032fcf3
SHA512 867009c14a5a13ca4223d55a6418dc14b0e084fe380bb18fe7264639193a9ea5dedb890e00b020ea36b2af262eb51eed093f81f78340258149efc83c4dab68c6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 a4cd59d4a66f54be604812e1a7a9491d
SHA1 7d09e6a6f67899f1d86f7a98b4d99eab0fb2308e
SHA256 b8dd22b42aebb439224608b698ccea129205225d6c7018b0b903d005daa774bb
SHA512 7e7b640e14a4a348adbc821c61e5a537f09d804d1a19035f741e056d0ee956af1b9d57276e263139fcb5d98178f26f02218dc07e186f1bd960ebb55defa223f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 a9660386f417b0773ab63a8ebecf6c02
SHA1 01fea8cee0f30e94b784c5a822953b3975f0a49d
SHA256 2a856e83c5f27ad7d8c0b0ab962f09ba3f6d37cbd383b835072e8fea18fd54d9
SHA512 6067b9625d3db8383c4077a3a5858d5d07d475793536e93306ad9c1291c5a42d697f7ce19b951bd3aea94ee2644556e25c7d485b407061d74beab27d72532de3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 ff61b178a174349215e575955134e853
SHA1 91c278ce2f24315b79337e3e10afbf0fae8492da
SHA256 886872b401bd2085d6d5db0f1d00a30647da073c511c6be1ba92a31515851f7a
SHA512 c331ed706cbd46aa4e4b03e4aa4fd0a7467b65f3e2870beda489ba7af9735657d5cbca7d8c2377f7a63de4e2d4eb2d1f3e1e11bcbc269228a8daafa50fb2899f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 4c4dc478665e44f86b5a8468d14d2cc2
SHA1 1fc0ef7e39d33aab2d171ddf6eabb156dd94ab7e
SHA256 10a023fe21fd2bd43fa855448c29f3b21d11137340170e6882ea9eb1e87d7b7e
SHA512 dfb2a1f20ecb255d8612753766e9edf6fc0592d6256059bf7ac46cae39c1eb5d35c668019caa26d38df1780c985bef431b8bca2ddb5fcb9b2bc9ec12300ecfb9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 b7ff30104e4dfa1578762c566a6d2fcf
SHA1 cdd3d88201b42d4ed51be7fff8b4d82252b6c95d
SHA256 a3fe40651eb65ac57b656888928bc499730111b1d26488215b67d513c49e6457
SHA512 244687053f410e3534ea0aa1473c128f7c0a3e8e7ffc92dc98cc815be7e93bc9d94132b0ef426d4fc16ed5ec0092096d5e7d7fea6114d25487faa29d6bc7f30a

C:\Users\Admin\AppData\Local\Temp\uIwe.exe

MD5 2c0f74c245eaa19a301bd33349ea01a9
SHA1 c377edea718ced7ef9fab112697bcfdce404d966
SHA256 c2a933fa3d031adb73fb38fc2d62acd5c5eefef40f06849942c119a3bff35fc3
SHA512 89a013e31cf2cf5b5002a2077f943eead2fb2f8fa8c6a5a9bf860614365cab8c37ea54bb7e44bbd21b7ecc7c3f732d921ce020e3a16a8315fd17364ca43dbb52

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 2503fe56200b4037be96b21166fa953b
SHA1 ea89363e629d5df7e9bcce960b079a20fa4011f4
SHA256 5992fb2c26848f3bf9afb1bc44f79e6091be59d8106e33e718269358173a939e
SHA512 519db177dceb421e89564947e88f70583931b3b2785497351de5b56a9db8b5f8fc3113fee38c9a90d75a5181d2b3db2c95a90b790a8929fbd471f29338ce2299

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 7901d5d7784eb607016bb6194c6b5e0c
SHA1 0379fc92d19e62d39dfc986855d7d5baab092635
SHA256 3933d8a9e00257801a1b06f289ada7fb64400967a6987183b6ebc1be3a17d9f1
SHA512 191525a0fe4a082e9b24c0059d2f85bccd5bd5af0927bd14c503913c7c49cffc1dbeeec7d4c0c25b89001a3ce6a7fa1eb61e5741ead7fd515296544dc2490de4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 477454a3e6cb0b8a356ff355bed972c4
SHA1 2538505eabf2680d0785a0d9096944deac6d92c8
SHA256 7640c01a6b69007ae2c3a006c3f1d9b9e66a5c5ccd113f680271907b7691849a
SHA512 17671630546848c10e817cbca736e6f9d06ba7b286395055abd7e16a6e7f5576e006d38100437a4055b892cc148b71c19790c716cb462da1eda631cd5d8e9cea

C:\Users\Admin\AppData\Local\Temp\sgsI.exe

MD5 bac02743b86f2ccbc970708f4abb900b
SHA1 b9604ef9c58605842d13b2c4d815eb3c6cdd3e78
SHA256 6736dc7b80fd568a481f448abda9c02306c32ed953b31168bed96c9db977d3f2
SHA512 b3f07856899cfbe92fdc462f2382df02c4a86ffd7116fcae683bf8839a14f194b6f0ef16d994a80e73f876e1080e05ce3928aeeacfea33fb69dab24f8da7dc7b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 0bc5708957d0cf103bc2bf0a26e10289
SHA1 7e6308bb923c8cb0c7dd2ff1b56cd52455cb606b
SHA256 a444baedd4e1ce69fed96fc43f0b4b9e5efe7245112f3ea8e6759d232804e89e
SHA512 0cade0e7a616953a0b5058d385e8e787e596e290554be7a2e15e7d4ac5bdef13cc431d445bf6972651d2856130bb81e3a43ec357a6fb33b00d5d3f38f821f8da

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 28ab671c0e7373e513c2aff90323441d
SHA1 fc9be65cf0e69859883e64e6eaaf4f691d801828
SHA256 f5656d41adb0284b98fd40572a08a189e1e5db8bcf4b81eafa22876b0e8f423f
SHA512 bed70ba41aa462839238db1d626064846f55a06765a868a9fc59b718785172ea039db8e57f4f022bf3055363d67ae15dc553e9b8bf2da31299d1590e074de833

C:\Users\Admin\AppData\Local\Temp\DIgO.exe

MD5 eaa9ac1ef34253bb54914ea1da75f331
SHA1 c3003b0966711697acf20740df61f4468b1080f4
SHA256 3c175990f0f001548ad61105cd9fa2f96d271b8c040d3c24db885d14378e16f5
SHA512 233c55e40b91fd36b47d222c698142ab45d3573e648472e3a51d5963463e9091344b2294afb244d27fd1b44650a5a28cca1722f58c0bb0b59addd2d85c00122e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 243905b5bcab41572df9f46990616f97
SHA1 97450f9b003f74d7e2ae6bf9988298a69fe92692
SHA256 4394462a1759d9a945d99717944e80dff9c6c4b4acac844005aba9172568c9f2
SHA512 316591491a206bc5a9891f663b874e0aba61fd81286fcd9340a109724c4f9d18a0326f548585512885fb9d4730b76206df200bada173b389531a051a103ec307

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 9c76ca8860b9ccd78091dc304b3c19ef
SHA1 2af26b242eb473c6ab8180a2363e53f389972b14
SHA256 6b557dcd51f75a43d1e9311211011750a731678b3fae668b0af8eedc941693a4
SHA512 5fc9ed2e181e6219e85726a76bba9a19ef19334ac86cd7e81c4a052097a21c8a3dc747ce042c54d2fe2c2028956c3ae957c7402f1103cadc05ebfca438932891

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 e7c29dfe14f7867990972c5c39a047dd
SHA1 20f3af81fbcab09be6949a348ec341eba4b53f29
SHA256 8b0ae87bffac13242e579c9690ae62e3907b46f508df393206e21a5156ab6838
SHA512 4e1cb2a22d758f17cc5ce82afcb28047d7e29983511fc39087e4c198f5cd8162c6346c54f95aa9900f6eab68cd97ca068defe51149c543f327fd743ba81c8f10

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 b779f369cd989da0391d48da00c40f29
SHA1 8e6ce392564391968d1cb886755f523403f6a0ae
SHA256 1370010696dc49ace6d97fa98261c17c9120b69c3971fb596182309ff1a051d1
SHA512 7ae070b7b48b08912200ba6dc6bf101a82bfc37352f6ace88faa09838ce4ec0c30c267ed10649d7987fc6acae03cec69aaab4bf11e7fc9d8928c7eff4023511c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 d14c1addcc8fda2b0228f6144b796151
SHA1 44d5b8188bb979f475d7b17f79c673239295da49
SHA256 2a018be4ffb034f5bf28ce3fd9a8d7da787f53ea941fba6aecc39e7b956cddb5
SHA512 66d49329550bec35c6a9f5f8d266410178c24edc29e2e8aa07f3dd4ed115d3879b22ee5701d3a8f299a72f9f311fe71b1b9b9d0c0787b023708a9a248c6dc5e2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 e60acff3ec82279a5a7d483dcef634fd
SHA1 8f19c57673a69a7070e542107ecb133690e7d87a
SHA256 a70c87c7dc63ba68b287154429c161655fe35e72cfd37028ed3341276031306c
SHA512 d33b7f4710fd36649c0a4472780526e8389b4313dbc0e71d23e5d13fd74aac60a43ac5041c92a558222069355375188b02a823c14b62aefec92517e77d205f7f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 315a8e77f9ebaed3c610e5ca950d1838
SHA1 421800d731cdb4e68eb8265b10f3b5134a22968d
SHA256 1a6d87942c4ffc019d6178ed234195c712fff9ff680b80574477ee6f5da7c72c
SHA512 34fe31fbd6184510cf7c60bf58b2c95d913d2fee0320bf660ede3058a3f2f142039dbe775ff4ae954c6cfcc413f4b67f78e95f7358d7dafcb2b51071b8cdb315

C:\Users\Admin\AppData\Local\Temp\IkEo.exe

MD5 21302ac463975c8fa5301e8708fc948e
SHA1 5bf856cd96da28c620e4c6143902274f2c273e97
SHA256 15d9b4762d55d7ed748dccd7ef309374e994be57964967364e3f10e2b714448f
SHA512 424d8500408c16b3272c0fb42331bfbd1707f7ab4781b19fbb21acbd1fd0d237d660c90d24dd2240838d924e74cada452fb7f90d7aec4e0a7c7d6db06f88fada

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 1d754363dcb3a4f68bcab2312fd4d6ea
SHA1 44a94a97367e85089a3f0bc3376cd648620ea263
SHA256 7b83f0600e0edc51447853f3fe1fec6093cf8ac383008acdf301a63f44b79897
SHA512 07fc5bcebe9d369543cddbf1b34a520f11a1a79830cdd845d776896dd22ae165483eda7f69c2653e7a85d308418a0aa3647ddf5a0a097426275656744845039e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 65fe1d97f250a2a754650fdb7acd7ffa
SHA1 28a951691a26c58999a566b7b82a990cdbe96a4f
SHA256 6f4eaebb945f33ed5dff0fd64e514d8f74126d4bf3df759e3c7919fe0888fff8
SHA512 1b6454893ecf2da501ed403db1d71da913009c6e5ee4dc46b1063c9271c2131edb60811d6c25626919d9953d8090562ccd3c31337b17f96822d177af9678541a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 abe2cb9f3d9b3b36dbc2f3c6900d5862
SHA1 259722957f04b9e34d411d74037e0508bc628fd5
SHA256 47d7246a8ebaedfbdf09f2d65e6238d458ad446b7327bd8ca5007d44c8ecdf3d
SHA512 69a241c02f45429a9aff22c193f1cfade85d54fafb8debbb59652a5adf085db7a8db46143e5c9f38e65471b1d65a2e49153afb67f61958f9f168134457953e78

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 c1337a0cf445750672caae81c4d4f8f7
SHA1 bad79fe9fa9c13004e989266100d51f5ec3dab4f
SHA256 a10dbb892160a988b4f14ada0c76be654701e81e7502555861978f7c16728ffc
SHA512 1daca64cee1767fa5823ad20207fcef1e4c4944b31b9045b990e57a6f5edb7c9f4c4553358979fc8bab5d627e26a93af3c5107a9d68d4e55058f37ae5a416c26

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 a635bfe3665d3f48e62876feff38b878
SHA1 6fe97837c676167e131641ed670e72071034a787
SHA256 0fb0d5bf9b23dd53eeae8bbae382967e219d7f808e117a9674676ac1e0367f6f
SHA512 fa750d71bbb9d8a003c46ced13ee7799e8422eecb1cd12cf57cc8f14b77aec4a5fbf6fb47d2cc22f7bd63ba6b1f98abb3b7cf87ca627dff6d5bfb6ba865d01b4

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 5ab914a50ac524625d902d2591933c77
SHA1 e6e8a35f27d06cc1a9e1f48c2b2e0d523819f86a
SHA256 5d68f7bc95cecef2c64be22dc003cbcae33d96ec6f3c0452ad4d3988698bcb2d
SHA512 ee7f24ec88369faa6ab97df2c6496cf312ec0ce9d6158c76aab9f66669ade06f291ccd1d86552b50e8f399b2a25639d8f1795c62ddef814943007bdfc1a4a854

C:\Users\Admin\AppData\Local\Temp\qwEw.exe

MD5 7008ae44d5a99b05d251c29aeb9aef16
SHA1 64af093ef4b84ee260923e9de8d946f963849348
SHA256 9546193bd58fccf87a75162097a83570b682e41ef01629fe9656ad21087234d7
SHA512 369661d57b594dea8d8c3f12137b9a84e5901ec5ab82a58dbf2b5c1fe79d5168b71c277d91f1fdbc47565ded400134686e11f37717f8261dc232e9276d2d9cc3

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 6e5488231bf78f918dc9635064ff1e5b
SHA1 5c590088797e1401cc29f91e5cf8daa158ba29b6
SHA256 bd0b12524c9c5ad003f2a32b6a6a4c487677eda6a0151519a73a7bef32632ac8
SHA512 28899ddb2a0e268b998f2b66c1dd2fb38df5b78cb3338ab96fffa5b9cfbd8b91ed553aa6e0d89a319181ec2eb36254a2555ee944a45fda1a22bc035efc068503

C:\Users\Admin\AppData\Local\Temp\AgUe.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 d07964ec343f203c288bbdc7cec9fd6a
SHA1 5d8392f72cc3a796d366f8d78d35bb06e91530d2
SHA256 47d0abba6534bd7a4f409b082d1429c0b67b57afcf951fe0eca06d239aeee697
SHA512 15a8ee0a30c346b5ff83bfe722c2cb85f07f01f50b477183c570dd7e1cd8724988a9ca60b61c6a17c9273e27582c18f9cedc3c3472ac565c96988d1aef815bdf

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 041e02dfdfd951e6c3a61416d38ae308
SHA1 5cbcfa46f6aef17795040b3056b416bf26291711
SHA256 0f3be1cfd8d1c9ac94a46b559ab3b912cecede96c753556b864ef0bd2d2de8eb
SHA512 7639269870e8c33f801f86e6846cf5e8f596ce36379203d0ea39842ad83e662a8fd0f976cf1c70434ee75c55c8a10b176fd920ef7bc0747794052b68dc90d6c2

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 a560181088b956d3fd66a17d6b273ff4
SHA1 f2d4a1d1c717d41150771ffe2346bd5aba2d659e
SHA256 ec43a72e2569e5a90a70d32f27ff33c809b3736b97c49600b7f363cf27788d00
SHA512 1ab60e9872ec622bdfafb534e324dab4011f7ec638f4e2c1db4cf03aecfe139dc25b100e86f78ec29d96b6df213fd97cf1cff1e3b431959178ef39ebaf83dcda

C:\Users\Admin\AppData\Local\Temp\CYAk.exe

MD5 a12a7069aa8f74699f64b64f77040481
SHA1 21bf199fa136653295fe3ca8b2d7a729ba88ef0f
SHA256 ccda46df2f46447fee2da3d632df7595a434ac2f230c15f1962801e71adad8a7
SHA512 f949e801058af8165459554b6f0c01423b0ab5161d538534bf3c9de372d8ddf07e2d77d19ccfdf8ec406faf767cafa3c4d44376c5d2565d45d1c14fadd1187c0

C:\Users\Admin\AppData\Local\Temp\YAkS.exe

MD5 49955739e35658fa68ef759e969bcbe5
SHA1 47c5a67b985e5008cd7970575943652437b85512
SHA256 30e6f571169e60dbe07b4e34acdbacf31219a747032a4ed29c7a0585802f8497
SHA512 bf900f84b4d525e180293d1ce7ffa7af0db1db1e46e9c5c05511081d56b116aa298167b8a156f76e389756b9415382353f54bc08fdca722b8b45ededc5f0bf81

C:\Users\Admin\AppData\Local\Temp\QEYk.exe

MD5 314405b34bfae53a922ce104daf512e0
SHA1 0bb7defdf1d5847bf307f0af9b87c4bdcc1058f6
SHA256 6085047dbe7db17c87be951cba9d51687bdb6e43e2066ebfaa2d7ab82c259873
SHA512 16b0fdf25274e19a9c779a2457e7f4e955a709ed53bdaa109c8fe36f2c0672210621fc5db861c589f023e7fffa16416da6920dc16f63dc496d112b2a3ab4e134

C:\Users\Admin\AppData\Local\Temp\nEwC.exe

MD5 ac7281a676f3681e760561cf38814e2b
SHA1 5d9ea40070676ccf062c37e3451f26cae6162ba1
SHA256 687a728710ab22dc4d7334c767490d6f470f9c6151708699c5c0385d97c4c210
SHA512 965d42915310b89eef026ce64ecf7bb54fafacacfade73ae57a62d89581613729d8479bfb7e6f1308fb5946faa6963aa96eef760c1eef7919601d42d6ca42710

C:\Users\Admin\AppData\Local\Temp\bIcM.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\Music\UnregisterJoin.zip.exe

MD5 6d1428067adb4c72151e9e792fe45967
SHA1 b49a6367b91e4328979078854be035fa7c6b7c6a
SHA256 08290d679b808e10da7e6fe9faa16e084586eeeab41c68997ce2c21816d895fb
SHA512 3a417ff81f27a7b296dbbd14262f2fb7af30d88788b6a15ecbc582ae5f7d12fc2184157ac318dfa6b39a50a251fbd436ca4779fc85eef973b90c0270e4e8383d

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 fb40b6b45cd47556cc54bb39c3dc9460
SHA1 3b9a05575e30a1a79f805f45b4d9840ed0b6147e
SHA256 07049d266a61229e8f9e3b080524cb700d1192ef3acbf852fe3d90330f156da2
SHA512 7b445fa6e8d384d3f349a341e7d7cf93a6bfbc302c0a3acdf61429199ae013fd8f6360dc81ab56807469b18960b89d417432f36a5b79b93cbe6b2c8a17003855

C:\Users\Admin\AppData\Local\Temp\wwIy.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\SendFind.jpg.exe

MD5 453f2cbcc99f4dbe555ff1fe6c649f18
SHA1 0df1f71360983219a2623ad6de3a2cb4c0bd7bc6
SHA256 9acc55a5005e1dd3d24117c498955d17242df1edf40a4f24bc30fd63f643bad2
SHA512 0f9f5fee090b1ec6ac0924aec1e282ce858442bf246754fdf8d674e7a477479a08e93b0fe70bb85d7706bac6e6667cd45bac7db24b93d545981a32b825f0c013

C:\Users\Admin\AppData\Local\Temp\GgoA.exe

MD5 0f603d0568d7827b83da3b2bde1ab661
SHA1 e2e736086147330bcfc2199cbea81416973ece68
SHA256 c335c45680e9fbfb0238d92811db128dd09ccdc5e1e4d5dce37795f2d80d7403
SHA512 1d7150888dfa752eb29f2dbd7bc4b07affeeec13551d82fc00b8f6ec971ac157db6f7550e2c68a62b57684aecd6c1084528b8eb9508428d9c18227df21032b76

C:\Users\Admin\AppData\Local\Temp\owEM.exe

MD5 0dd725927aa954d29f23a1cf7520e9c1
SHA1 24602b8125c901aa7f1fb6a6f9b873b85a7f7fe3
SHA256 8c5cac4a6c2a4cddd0738e1d7c8625a495b692c299c4a4c547a34ada94801682
SHA512 e1dde2197f8dcfe0c008699c189d2417aa778b627705e3ebe039bfb76f942ebe99ec01c04ffdc57cb2021a18229adc662fe39ac1b3e6801e0294ff4f702574fa

C:\Users\Admin\AppData\Local\Temp\pgAU.exe

MD5 fc3b4393c0a41587a4c470d491e5094a
SHA1 2ed8c1324825ea675fbc3ccc073392a6efdd02b6
SHA256 56aefc4d8dc1d149b6ca4403dce3194cb78609a90d182440132ba853b11fcb5d
SHA512 ee5640e0a44bb07449a62e54862b29ae4dad0c5e9f2332d25d99492be75fe6f8ec7fbcd40a373c1df9c3ad10d538f99120d130c63f4f74d5ef3692f46cfeeb31

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 53f8fd117007a69880279ff21df847a3
SHA1 86ce45128719ac492fc2d246daa7260e83100bc6
SHA256 227190a465efb065c970e2d5d22c5989589800c46ef9b1bc514e6f3040c4ccc5
SHA512 bcad4b0d25f377ba6c7f019473066a91cf13180d31e8552f41dc1ec500435591433a172c9ba96760ca5c00c3aba534e6523961a7dd912c28ab730dcc8426c686

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 39de43372785ba103f6386ff450b59d1
SHA1 ea7c71bb43148be846eb3de2ac2615234bbf515c
SHA256 f4a0c304493581dac5b7447e400228827378b9c44842a186dfe0ccb0720786b5
SHA512 8952c3d7372f35dc719bf1f552e1da38873e641af62da8af8a04dedc0ab3bfc28bafbd53737fd1d9c43f6ad27c2d4b3506198405e2ee4ab4672557156c6099ca

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 5993fbd01a8bed31abec5b6807264c03
SHA1 0759b32e6047330fcde62aa897f63ee87b189c48
SHA256 64614adf62b03fbc8273343b96b7686e52f3506bb948513dd9863d0465fe2735
SHA512 d75a3690d7aced3f6b2d2e1ca295ea77bee45ed968f3556443a013de4be3d3148223e863ee1ddba098f65c3eff326ab46545e50cbe0b0eb28b6016686dba99a0

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 eb96c7b834ce864ada38768588eb9665
SHA1 bed5e9dd3c7ca3aedfb0a6ff17b0f41ba1328270
SHA256 49f396fd6da3a7edb20e435345fdcdcb958d0144e3b92d1f08e9ae3c1d82a96f
SHA512 82d25a5476ac1474a3efa3975d882a7541491be7d19cb5da944fbdf42aabcfd2915ee8f55f319f6ae78824f81581189c2ce1dc0b95c151c97a79c921b6f10ec7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 ed17b232c472f4c69290b0a013309a97
SHA1 e0ab217eb22e9e14bf0bfe79ee8a1949d4806ede
SHA256 5ec3db62e057cf2c8cbe67874bc7f7a7f895e2fa1b48e0a89172e1106d68c339
SHA512 b547d5ab39fc6f3fd0cdd831418cfe147839d1acceffe25003875f4edd58156a3c85fa33bb46882849434763959967c516788a4d665f99fb7d92fd0fa4d53215

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 f14ecd1dd708b3ea26918cf1c9b17de6
SHA1 b1915c5af4c400dbdfde828f15d65208f2e78533
SHA256 0f86cf0131302d9ec96a0c6d169f82b5b49087e44aa3aaf89b128feb2f0120a3
SHA512 63230755e89f39369ed13295753d0adec50c17539cf719b484cf36b3aac9df377015d55eabc043d3d36d253c0f0c100a9ac098f87cc73d6b65291fc27b86c906

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 7f1f447dda90b676dbd868f9d1627217
SHA1 0a0283dfcd53e67dfadb69ca1b44995c76dd1b31
SHA256 380ffec5e9982a86c916375fc79caf0f375099290c340ea2de8addc83d9c714e
SHA512 02f38628fbf11a808a0d507cc84d32097cbde0a9dbafe2b3c38589001479330e0d087da82760cf80b61b7f92bbbed37e7d2945ff8e659b839b181987d4e64bff

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 1b34cd3e614e25f522c270f82289deff
SHA1 4e585daefa14dceab4ee456d94aea5400d01a3ad
SHA256 6efb4f7b916ed66cbedb5d9b9dd93d01d0a032fc2f84514542de9195e5c388c9
SHA512 c535deaaaf51de0e88f518f95b39a633751ad930b5ffd321fe04cbdd28a5b4454e6d415118c1c1d539ac014b5d5a37ceab5839ccd0b8fc517f79daf0b85fde43

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 9280bb0f434c1b5dcdfd99a21ff6363c
SHA1 13b901a8187953c9d3f9b2ab8ddbbfba977f5c43
SHA256 acabb546682f21b3d9f3d338b8bdc5cc072ed7e9f9fcb65cc9bcac442d1b996f
SHA512 94bc2b249255f1668bcfe264b016797c10b546561ce884b57fc26c5a74bdeb60780ed68848c15d23aa005fc18e2f3f65b637c8b35e2d99da1648f8b90c291a17

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 5b8ef12550b0968f966c83bc78c03254
SHA1 98c44535792d2145a21310b31225129b5133d578
SHA256 f72000bce2ab55399bd26a1602b59291429346d301953e75e7dc4b5fb581a7ee
SHA512 3d0324035a6d0a1c0564b75553188712af8199cee8b682cadbb08efec053faedb3e0d062d845b17919e3fb1f8283172f3d8b3bb7bbdad16ede9128fb44f795df

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 be069debbab25b2eb5f8fa21f15fce6f
SHA1 fb43da26dce58e9781cc825080ddaf6e72e437dc
SHA256 692c14e3d100e74c938ae0af48692c1ac9e5783bbe518530638b10709eea3ac7
SHA512 5517d7403b61403925cc37d11789a34ec4ff24c15847c9a1d482fdfbba0e4d3446dd5e603e4b61fb7f495651a7877c382c893a7779fde7836ce6d0afe35c2fc2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 e1b86eb4ae29874a312444d884ce3448
SHA1 5dbb03fe39c0af6477ecd7b5354dfcc4cc81387f
SHA256 d85681de24e289cc5d838399c3f879c1d1a62e9c20ffcff6d0ff57ac5c731c99
SHA512 9f9bc6d83914b97b19ad8000d9a549e0ab1dd16062494a0ef91fb5c0dfb1680c960e7f365fdf602da710cdb0804e28e01a3c60f9787559a22dd2cc535539db47

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 bbe29d467f992a48d1563a0d0f735e4d
SHA1 77a493b65f17f435020c968af20e68f3864cf315
SHA256 8a42832786d2cb3acd52b393f9f32d50f6e678d2690aea3c05d3edc91fbaaf6f
SHA512 7846be01d457c10225a660871ab6006880fe862d1f4af12bfbb849a3c00b7212daf5a802ad438116d96f36c0bac013fee63fb2e0999c8f10350695769c1b2934

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 e220c0f030a88a44d5077e7f8da2acae
SHA1 77a8888fca9cbcb5aae8b9f4a3d04b96c12687f8
SHA256 f369a08cfdd384ed07fff15579db8c4334ea094a04667f7f90064e20bf3699f5
SHA512 35d90d3cde675ce26c67750a068ac5877db90add09a7df8a9b3e660e335df68c1e23ff00156c5ac09bb7a3d13eefee9d7cbfbd5965a84119302993b0ec647cd3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 8f6cb406072e08cfb59214919261b9fa
SHA1 1d84b714ae0e7f22d2582926bc10e42435c8dc35
SHA256 9b8be63a95d1960df7174b61c3557c1eed6ca10942c7df5614ea2db431e2e68d
SHA512 5616ff7bd9e6ad3d15240978cd7a1a59d1207a03f00dd8927856afab3ad29ac7f8fefb21552448b29d4f25ecc16f883a1bd04e514715dd5ec0b067bec0d65961

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 c99085e8de1e3af1511ed8120c9b6ad7
SHA1 4681490ac59b44e92d8648541a07bcc9368b2f2f
SHA256 ca1e0ef547a7c2da3a10122a5b92e186f40f65ddbb28e2bd164f39ab362f66d8
SHA512 0c13810012a44e9226464e6755e290a51decfb650111edea3d21aa2ef5b9b1f681403f28531356d8bf2df3b969126067b1e24ff0bab970fbdb303bf566089462

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 d3e501d6aeacb8cdbe211229c5da6730
SHA1 c6c981eb36dedd02811b9d7004596d99e11311d8
SHA256 d0ab9c082fc100c818f6bc3e2765b7ce6f0eccf2d9c7e37b1f40476030bf107c
SHA512 c17fdfd70780ffc97a2617804498bfd37c8456b8f490b3c66407a2ab8e120240199f725b23616df878f5d874bf5e4598be40f7750cf63c5e7e6822d26be906e8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 e8333eab03c08f756466049a08fe0344
SHA1 fab851fda0742fa9389a631ae9d38be439ed5649
SHA256 ad359727671acb9d9007accef53dfe468e4d2c40904c5fff4e4fdf7f7be6da68
SHA512 425a2fe2e3d554d0f9820078fa90d4e9b17a83cc98dbac944c7fcfbb787cce0e829c356851b4a1308d8c9f1fcc1fb29095ce1331938ff7a6bfc284bcc634c546

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 12e9eb50f4ffc4ee0f9312f9e8f9254f
SHA1 90e85ca32194627c4ea1e6d9478ca1d5f8952d67
SHA256 ef9831ea9d9345f159893a781d4ff1509645c13932312f65b2570c55ba369048
SHA512 9109a85309856f9fcf3eaf79d944cba00d7e9cb387c8d1c12811919e6f1ccc29ff8f0aaed1c60ebf68c8698c8eecdf49c1c207f840c9337322476e468b887d29

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 6fde4b6d55849bd30f9a888033700eae
SHA1 d4f520c2baded8978473dee46b0a5ac9df19458f
SHA256 cc43b916311a9e60c3ab901370247c76c850e21330a3cde1356cd66a85c376c6
SHA512 0f37bf4e43f714f651469542efdcbc643b056f48468b7b3d680d60b29df48df2f49d5db9e084f805628f95f987c696df5497886f1110749daaf7419a8f7ca120

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 763de7b55e2bf5f9fa3471892baee341
SHA1 2a2293175c46864da8c96b88a60b1ea1b1a4c542
SHA256 8d62143faf6c9ade1dd3abd97dc9932a4a9da01fd1193a127b61cbb93f7aeb63
SHA512 790624677785ab7a1e8c524cd637e42c0c4334b719f09abc5e7f5c01757e392277505760fabf7c5498fe325e86bd773b508fb671af6be69003fd6a081f7e52e8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 ebb100019f8bbf58293d48d915c77836
SHA1 ee1435ffbc7b502a091c9ab60a1c49da255c9ec9
SHA256 4ea25205cfbe120c6776d78323e36aa52291c4dc035ebe52da310c81d6ea46fd
SHA512 b3bfc8a9ef8bb283222ebd30b811334e298da6fabac5decac8d1619754a71fed3494e53b09014f7bd535636fe27ec9f3865491838c83927746a39c55f42a8b27

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 bc83941bd52febcfd6166e0dc48be554
SHA1 9ab51b9a40e8b701d3b146046389abba84c5577a
SHA256 3f35a716a5b8ec3ac61c41064cffa57cd96935266d89429a7fe3c813c3c1090c
SHA512 0614de9e7ac42d93d6b91eb09a56f78c7a0741c0f41d7a384b6fca531488ca1073c257e1bfeb976445dd6d7246f871af57c61e370e6b736e9e9a23eb230674ab

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 65ba36eb60d6dc6e7683e2ccc5ebae90
SHA1 edc1ec4ae0d6c102335ff465cfca57b7560010aa
SHA256 54dd7805f61b367cd68f1cb4d637464cc3b4a71601cd323956518b1c8e541e4a
SHA512 4270c573922b9259b40e89a7de7808e5364b86923abae130f166e3fcc1d72dd02047920af3d53620b1d23b0b31f46156b6f0a051a55d44f516d09e6ff84cf1b3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 fae35e719b73df4b8ebef22cb7174da0
SHA1 f2f78001e150c20123ce6e656b148b2c380a223a
SHA256 ecce60cbb0a042f7967cff518cbc8cc0752ef3c2649a37189c430dc37d0a01bb
SHA512 b78d1c56920835360ecb3dac8c70d05d027400f7c83071537f6fd13defeb551f63dac1ea1d885fba4aa9b32386a32fc387aaa0aa09abc39133c9ff98c1fccfe0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 48d228fe1df207cbfbbc864508e60fcb
SHA1 b9f05e2ab7adae5b9dd58204c64568d9e3bc92f0
SHA256 541468adb060260e9878052c4fc636d8061eb9b2e46224d83219b8c4469073f1
SHA512 3fe2c00708792f3e01cddbe75acdaf8506d5cfece549372ae4d04240fb4de178e8d6832724d5335f15670c9a1614438ff9d529af300273aa571b04250bf4f798

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 883e05ecfc5ae6a4b050d203cda2aa01
SHA1 58b731aea4a188d6b7ff7e7382588d08d4647788
SHA256 0dbce49f8ee15865fbf50b75a50302ef65748614a46012a0a9851585ec7737d0
SHA512 7894f3ca5111b57c3cfd04c5275bedb6562f3a965d2657a21c5277b75097bd900e8504a32a6884b9bc36c4f0f8353c5234e7e1e1c8ac2836e837eb0a9cdd0f57

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 cab4e61a339b703ef92e6f4e84b5ff82
SHA1 b6de9da5380898b981252bcd7b16cffa76fb420b
SHA256 61e486081de112c2218e99250fa72b5279c9224251826c03e01666470d077257
SHA512 75c73d4c7b55131e7c1feccf6d0d8b56b18cb24822b8bb4d20778d330197d655d0bec00db08e41fc8e12f5b727f5315c8e1a153759e27fd9e1784d9b05b65b6b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 8b780786e14a913612e393e0ffad5a7e
SHA1 135185e66b64079df12e64c0d3210d33fe12329a
SHA256 7d3e09f70faa7f2e426d6a801d62cb241ff74c1e3a535241975e09a360406952
SHA512 91a24df22a145722b94877976b89ed718bdb98d8b0811b0d15058b8e3a199809e17a4413ab1400e8497865f3f0965d19270920eff987b27bc36ce9107ab73142

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 2a86fb17dea1c71d65bf1d04e48e954f
SHA1 8d5495a69b2d3099791e5c93af8e9d5d0b4868e0
SHA256 3d8fcd57d46824f47c99707499c6eaeeb78b0a1734c4763eeb395043c3984370
SHA512 571d0eff2d07d17b23d19ac03583e5137bcfcb6c4081a17a008e438e5e4c0c2e019c4b1f8685bf32744fe6e8b2973aa95bd9b8bfbdd2027644510cdeef5e0769

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 b78c2561fa07e39cc8a3bcb6bc4719a8
SHA1 fa5476921bfa0a475b6bbb005d4641cfadf3bf1d
SHA256 141c947e32cedba94e55ef14114e38b18659a17f781a9494633ffb0e586947c4
SHA512 cbc1ccd773f431f054568e953ea5eb05f5438267dc9e5e734678494769f9bb9729913add51066b40623c48375a4b3c5087cdb44817702bedd8b87206e387314f

C:\Users\Admin\AppData\Local\Temp\HcEs.exe

MD5 37ed0dbe241cc7ab8a36030fb844dcf0
SHA1 fa119f5292ad37f1f90683663d0a8eceb97f3b65
SHA256 4bf7b98ab4fa16497f19a7589a89a061f740b183cd04b827bc61d5f87e9781f9
SHA512 652457cd69fad46a827d1c8d3b1854030687c885bbf73d0b73dd24d4a1293787add461a9ec4ea7b5c85e5d4d468b9aefe751678c052e6e2427015e6eb7055e1b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 f1cd5115d6f2aa2fc1ea29951cf0bbdc
SHA1 b8fbfe7a407ac3c2c1c18413ffb3e714da0fd71c
SHA256 ba0e002232406d524c6dc26aef6d0edfcf97d2fc8f5f8603af1f1fab46cdf11d
SHA512 f2659a92521fa9e4a054fd8c595e26d8abb1b5595f4b5d5ac2419534cf6018a07c7aab00ab0cd689c794c40080cce0964aded6977b8195f8b1ef4b3da735742f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 142057e4af9dfb9f463929753ada3a73
SHA1 52a01ef5efaa424643e28af4d7b0e09f356e6cae
SHA256 e428db952b8816e0e90939767660ffe769b55acff77d4fd8bd78c0a764e5b51f
SHA512 ebf543a3033763f75d8966e8933597235b6f9fc2bfc26fcdec2fd1495c9873c9d01176b9da508a703ed971ea1d706a253db1c90153b1253889dc0e44fae5fef7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 89be6e41d02b15764c4e56e0e4ea4e1a
SHA1 93d993928c37b9739df778ec21b4e054d9d420fa
SHA256 c8c58a50a548f2fa0fec098f4f6a89b2ac676b73caa8e86e0777254f60f09f62
SHA512 d766b73de5631bbc0a07d8b9c38c113a64e5c3431380abf4502d9becd78eaf0ca64a621a2fb113735f1af6ac19e0e0e7c42695080c2fec1e2cb02c0aeac2dfa7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 4072b99e46fd2045c74c713d9c5bb5cd
SHA1 bd76693a098d7f6714c613e2d886e4795ca49625
SHA256 3b5ab3a9192c3314775bbfd5acfa64153e72590c1d5eb1bd62bb9bee622aad9d
SHA512 4474ea8b53dbd35fbb3dfd8d6e12f4c6f2325a5df48f847fa0115c82c6ded6fdecfe9655625a4d9d0df754895723e224f1c29696afca7fecbd1e63af71a0215e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 e414cff76ad8c59caa3b6db6e4f773a9
SHA1 b8c5377cbd6201d79d75f7ec0a1d1be6c07998c0
SHA256 3b3e0cb84dd70490d2d8a1a865d108cee4638d79aa8ae1d46b8ffc2b02d6016b
SHA512 04a8ef2521d591a3d436b27818922323511f63408d015c34d8678ed8407f13544d42001d74d6fb2f0b685dfe5db11fe2bf8b6e4f614011f61a0af597c8a70232

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 d800dafdea27a6ceede4b499c02df68d
SHA1 9abdd14c2db8bb2b2a077b1c9d10b6500f089248
SHA256 56740b108a1bc30405c0c7c2602d8d680a9511ac1ff0c239a8b6e17156bd3d59
SHA512 561bfe8a1f548a37658d60f248be4953f16b539f2497cc5fe8c025197ecd8769d459cc15cebea925ca76a262f0f84a224941b5c4ae2728aad4a2a33e8f09e11c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 d9cc66014fa6f73542909dfddc08a923
SHA1 314c535471f36db54d158bd67c2fa5256ca1b32c
SHA256 eade36ec183826af1f42b2345221bea0ffd5946dbbfafce2c82f7075f757efa0
SHA512 bc7d5c0326c833958d89d53a0fd5359b46f84396df3d2c56c11cacfbf176d984ced081cb3bf863199d9a7013698278243a6b8237fb80269be6ac5fa0832a0804

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 a78843025ce016104bb2101da1f69ef2
SHA1 3e641b21a1b5033c1641f658d0eeb81878510736
SHA256 236b2988432b9a6fdad5db3402e08e7964040f225019f58cadc446fe69728e1a
SHA512 eec8ee23f40d5f3819b82c2daa62774485db5b2d1c5c8c3df81384706d63c6b7c26a45c0a9b11cd42435a7536e813cfb1ef2a49c71bec96fa9ba8918f1a5bd74

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 6b134748eefd2485fec36a11ddd8bee2
SHA1 6c83d0df91d61ac405217230cae9fe69814c46e6
SHA256 41c3939da200948dca5288568930977640278f41eef75617138093fcb4dad7c5
SHA512 ad83e6b1f157e48be6266e95cbd2b036c87b4cdde699c708dfc8c42a5e95898d9f83eb26b3f9276bf513868c78cc2b07dad3b1b99f8c867f31e46db877fc1932

C:\Users\Admin\AppData\Local\Temp\bQMe.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 d7dcd5c2b7c31a6325ead1c786e0f5ec
SHA1 4a81e3ffb1a97612555b092deb9fd9f459ceec2e
SHA256 70cc3abd79bb89de85fb677e58b41b5522ac0362b4b789998432731381437915
SHA512 3bc7c4805f6d7cf7c047572cdac9c4a36e2c0954194b6786cf0f7232c2f1a50b84670c22860b0dad62020a4f6803c8c840ddfdb5d8b77f2118cd77d1bd46e5de

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 39dff88c79f6d9d437525ee3cfe7154b
SHA1 52fe2a0e065bbb1ed5fb8d4ff710cddefc794419
SHA256 56dc2fb880ae7bb839d701e59d80c048238f3b1bec7f6c51d031fca5dd1bbd33
SHA512 a94abfe5f54d9883fe3630c16635dce24ad3dfa82f2152c1f0b96e051ded15018a51da01237d92d1cae7b1cb6cbc22b956daea878ad289e86e0c1fd353a1cfbf

C:\Users\Admin\AppData\Local\Temp\hwsY.exe

MD5 97116aa2f1263766bde85587821ec06b
SHA1 7d15e1452af04ccbf334d61874734b7b3fb69224
SHA256 f88c123b8b7ea3ac9f19a28602a4b0d7b039963e0df2f0bfd3b4db2a892a8ae2
SHA512 3d3d3fd0423138c52426d356154df7b66273f316c1e678e06c051627d7d781a41b87fdcc5fb05125de263a3e3f4177914e10d09fa5ea8fe34b154515cb790e69

C:\Users\Admin\AppData\Local\Temp\TYQm.exe

MD5 31f24169e49fd7539ec2c28d81535376
SHA1 5cfac7fee7ec6948a2ade63423f451e20365376c
SHA256 fbaba727c0a97fcf633b65e19d2e3a574ced547fa82478a38a23b47a6a6545d6
SHA512 058770d169f802706f53317efdd9c7be8aee31b82f2cd2e53fb9e88adab0d8e15db1c9ec2f21be335d8f6f71e2eece8211d9ed6cb8b3b18733c4bc3c5761648e

C:\Users\Admin\AppData\Local\Temp\WsMs.exe

MD5 dacd49afb4a371ceee19563c59db9378
SHA1 112f2e24c3963eff8e48f7388754bb7e85dc76a6
SHA256 de977fe159794e528b69d605a5f19a6bc63b7f3db69044d21a87f60b639fc64f
SHA512 dd93a4925ff1bc6868328a4ec1090b1473281c05d934801f754bdbb8a5933e6c90d6af3ca2b9fea39be128783a9890bcafddaf1f21c5c1ff7cf8af57cf0b899c

C:\Users\Admin\AppData\Local\Temp\wUIe.exe

MD5 489dd7d0b99c9a52c99f501546481412
SHA1 db8f97e63f40b591e43a619fd086e5dbea327a6c
SHA256 3ef50249ad40b85de51234fd324009d28b4f234ab86c01eeda72484b64f3a2cb
SHA512 2f96c6f853ee76c5fe73a1e75041fb86890bf3d254834460b5a166beedf152a73cb45e93101d952bca3cfab986f0f2526a8b50ca06492f2656ac235f2164a747

C:\Users\Admin\AppData\Local\Temp\QYIy.exe

MD5 9d25c4771eab6fba5766992372bcfded
SHA1 bdf99ba5fc4a4a608d20da6598e504ef8d23b1dd
SHA256 701b0abc4d525e981176d3c185bdcd18054ea6aa9fce8cf36320c9d2d7436f13
SHA512 b1a77cab6e73ba05e20326727abbd5f1d51cf4fdbff3aee2af4e678033f5f28adf1e6695b043a789a7268cc024e485ca8ef244e9604dd323d1be79a9d6df891c

C:\Users\Admin\AppData\Local\Temp\YMsM.exe

MD5 2a5b368ea66d5e65bab149f6ecf9d8c9
SHA1 f67d95b425b243fce75942f299cc711a7ce7c484
SHA256 2df099660d06e521c9c8fd98cfed83ddf72e3047671a1c4a0527f4b637cb1c02
SHA512 7fe04bc40d6f66d1212df61ae9848fa5e2d805ffb81afd0038e4363d90c7681c2438a1483c21747531063cc20f86eb5c7f85d3a1a19e35f2379b0452b173472e

C:\Users\Admin\AppData\Local\Temp\CIIS.exe

MD5 ee92741f527a8cb772862aa1625d99df
SHA1 4e8ccb5be34846632383c10bfda611a3fea2f6bf
SHA256 6690d75e1e76e6fcfbe945da4ce38864989b974da506fc2e82666048207bd676
SHA512 d9962bffc8bb6f206bc2462d8e4c2335a0a6012b895ed598c85f00c7f1f33eeb12f9488016bce294e86d1d11533e7ad0840bbb51ee5f480ad758532eb7c6b199

C:\Users\Admin\AppData\Local\Temp\EIwm.exe

MD5 ee4449ea1d4b206335aed3d8336ea973
SHA1 be882ca897c5cb070e6a2175c7d830df4a827e52
SHA256 4ae6a01c02cf0b3240dc3c29b8fcd4b2384fdae2957f235e5d488b20180f2c7f
SHA512 8578a958de0aa2254fa2917ee5fe48a935fec56274a926a129e7ff0224b5baf23bb40d244579521de77188c0a3e298c2f0367a9745ba3ce126ef5769a36167b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:36

Reported

2024-01-25 17:38

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe"

Signatures

Kinsing

loader kinsing

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mWoEcEAo.exe = "C:\\ProgramData\\ZGIkUAUA\\mWoEcEAo.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KkoMAAgM.exe = "C:\\Users\\Admin\\tksYgMUw\\KkoMAAgM.exe" C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mWoEcEAo.exe = "C:\\ProgramData\\ZGIkUAUA\\mWoEcEAo.exe" C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KkoMAAgM.exe = "C:\\Users\\Admin\\tksYgMUw\\KkoMAAgM.exe" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A
N/A N/A C:\Users\Admin\tksYgMUw\KkoMAAgM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\tksYgMUw\KkoMAAgM.exe
PID 2888 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\tksYgMUw\KkoMAAgM.exe
PID 2888 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Users\Admin\tksYgMUw\KkoMAAgM.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe
PID 2888 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1820 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 1820 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 1820 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 2888 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5044 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5044 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 348 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 4368 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 4368 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 348 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2824 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2824 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4652 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4652 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 4816 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 4816 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe
PID 4652 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4652 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe"

C:\Users\Admin\tksYgMUw\KkoMAAgM.exe

"C:\Users\Admin\tksYgMUw\KkoMAAgM.exe"

C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe

"C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwMwoUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgwskcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issUoIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zicMUksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakYIAMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUIwoMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWMUUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAIAQgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcYsIgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqcsgMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqQMogAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEYYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEcMMocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYgUUAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUQoUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKEggkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWMYkQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSIgYwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYkEswMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWcogoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWscUMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEoQUMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSAssYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KocgMUsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkoYYsws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMUEYYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWkQcMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwwsUcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PokUsEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqQcskwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgcMEEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmkYEQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWAsEUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEQkoUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMogUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmgksYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAogUgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYQwcAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYAYAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dioIwMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViUUIYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyMwskkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoEEYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umQMIEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyQYEgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMUcMMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuMIAUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIscMUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcMUwogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkYIUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAEYYAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOYEMwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWcEoUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neQMQUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAUEcocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYEAMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsQQcUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYYEMcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coMAckUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEwEUYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcAoAwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byIoYMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSYIcgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIYYEsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emIUAock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EswgIwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWgoQAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiwcgQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hegEAgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQwMQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWEIAIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMoIkUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKYUEUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWMgwMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyIIMEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYUEQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAAQgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIgsMIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwwQsoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYkUkkYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyAsIAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqsUMsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqkkYIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMwUkcgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgAsYIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcUoAocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqIUMQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwAIggwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWUcEUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoAEIskE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vakQQogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwEkwUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIkEIscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMoEkAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmEcMEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsUUEEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seUYwcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEgEcII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyIQAkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuAUQMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaccEQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIoQsEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmUoowks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cokYQIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcAMcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUMsYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liwoMYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DscMUkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCQQEkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McIQIUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcYEAQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgIEpEkp.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOgEwEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgQwAYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nygsQMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUkEwocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSMYgMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSUggkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYwQoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DocMocwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuAEUQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmgsIoAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayoQcYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PugkUgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GucUgQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKQQwIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuAkYIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUIYEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VicAAIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSEIcAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiMIAwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIAgAAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIEUoccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSYoQogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUAcEoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMwAIEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCsgUMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMYwsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIkIgwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.180.14:80 google.com tcp
GB 142.250.180.14:80 google.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2888-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\tksYgMUw\KkoMAAgM.exe

MD5 4b19f64b179a827c700ff6159a87c626
SHA1 b18e3237ad77576e0282bfa2751164cb5f6cb5d4
SHA256 16bb577c55a8f3f9c847c3821785b63acb562ae279eeb5ea18c2da992705f7eb
SHA512 0a0e74b2f94db7c6e35fe62c4e590d1351edf5581af5ab39bb5d812d0c2e9e53891339ca71d69b9ffe255952f77f1dd124ac38bcc15d96b021113b0fa603ba27

memory/3896-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\ZGIkUAUA\mWoEcEAo.exe

MD5 6d5e244b7df065e55995b36c6d6fa878
SHA1 a9a9cd45a41c9d0d4118838083313ec1f546acae
SHA256 68a7ad71b87ba4be0d28687ce4b7c017eb1b30b3494721b73cbcfa17ad6ccf0e
SHA512 6cfb51267108f4483396bd3d32fea94e7bff27945ef43fe68680e2f518bf57d904b3994cb57ca23117145000c62dfe25eb8f832862083ea8441ca06119f3097f

memory/2028-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2888-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/348-20-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwMwoUIU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b7ebc7978b4245497b486e41bfa94b85_virlock

MD5 2cfa6796fc3ef55c4c52c89ffee69a01
SHA1 27f7ec659a880adc68377806cfed8a19a83d7a19
SHA256 01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd
SHA512 68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

memory/4652-30-0x0000000000400000-0x0000000000436000-memory.dmp

memory/348-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4652-46-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4760-43-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1304-55-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4760-58-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1304-70-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3224-80-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3436-83-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5032-91-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3224-95-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3972-103-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5032-107-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1924-117-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3972-121-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4284-130-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1924-133-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4548-141-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4284-145-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4548-156-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1548-157-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4168-170-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1548-171-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2720-179-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4168-183-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5112-191-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2720-195-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4800-203-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5112-207-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1968-216-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4800-221-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1300-229-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1968-233-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3604-244-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1300-245-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3604-256-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4556-257-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\ZGIkUAUA\mWoEcEAo.inf

MD5 1f0f8d8f66f7eb102f11d442aa8854c9
SHA1 ac58f3c0aeb3338c9ebb1cbeee6e8fd3b4287a3e
SHA256 3a2a08d12d20b1d1eafa5afe2a2d82d2ccb1d05090d08ec4fab57068134bd1f6
SHA512 0f05b9d5d8177fc2c8ac64ad8e493867b6428d89baa4a5adb48a1631888fedbae0630fcccb3a0f1360a8012d5de90e090b0b9a24634e2a8b698d09665bb27f82

C:\Users\Admin\tksYgMUw\KkoMAAgM.inf

MD5 768540a9bf356d6881a6c509e0cfcb13
SHA1 e03b4a30083ddb615e0183bcf1abb63510306f23
SHA256 9abbbcfb7c6a571386d634f69454f7317fa213b4cde164863e7670dc1e9e80d4
SHA512 307905e18c973cba7278a693b4256a65213f9630e4f79abe329c541bb55695bf4e72d626d3bfc57a0e4185aa288d11fdb4cd5bea73b0a8424dbd1a14cf3a7192

memory/3588-267-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4556-271-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1348-279-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3588-280-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4408-289-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1348-288-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4408-297-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4144-304-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2748-308-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4144-316-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2164-317-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2164-325-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1928-327-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1928-336-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4940-338-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4940-345-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4744-346-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4744-354-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3436-356-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3436-365-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5044-366-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5044-374-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WcAK.exe

MD5 aa493d581579d56a5f9c52f22a9b4d73
SHA1 bcb93f82aef04920e6eb707b7b83039b85a5405f
SHA256 2b8cfe68a89e65f7e5e72acaf2da7e46811a2167dc6874b1c4ee521881bf79f9
SHA512 5738af1d66e23b99b5e238d608e7a7b8568b297a23abf8618612d8f3603daca6c3080fa72022bfc76bd8c6fa9a887d9e54d53fdafcc3b3b8bbde645451c7cf6d

C:\Users\Admin\AppData\Local\Temp\EYYW.exe

MD5 82a0e5e6ed59db8390abb926b169b56a
SHA1 5a8158b28335849d18e53eef00b08d0dafff61a8
SHA256 93eb03c360e0b5eb018808c12759ef2ae70f07fe99372ee23dc9265bd04254b6
SHA512 c41eb406221b8fe1b171f75ccaafac20d3d4a93d2b5fdb0292e9b698f6ac75273a18179ccf6ab7ec00e81aaa511ba9cdd4af138d6aa45cb38fcb978b1cc09f78

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 e25114446240065d50bde0245cc3898b
SHA1 34c43eb4869d7d83ef51104ae9f68f82ea9e7a3a
SHA256 5e0f50876dcde7978f5a6f2fcbc5bb115d467fba86a69df7c82300e8f431761e
SHA512 b7a7aeabafd478d0dc398e9cf4862c06f4cc2b333480a49cd5d801234975e15bbf485c6edd24e45533c2c8907369a3f8aaebad8fc2a8f78f0b891bc4f284f4f9

C:\Users\Admin\AppData\Local\Temp\kYgw.exe

MD5 d995b9602736ea136cde1787c354f2c7
SHA1 7ed6de032ddb4ef2f160e9e1f7cca54f2cb8a08f
SHA256 8ca0c6d5ebf29436aee94d6b3773f92239bfeb3937b8ffdc1b0cf0edc81cdfe9
SHA512 fb3e742bca134c10fba605b38dcc41777ab8ef3f9d25b8450c518dadef5e799e0f0e962b9f16606b9b358e730aedaf49a1689658dc096d8cab48f5397de40c6c

C:\Users\Admin\AppData\Local\Temp\AAUO.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\eUQW.exe

MD5 7f8ac8ccbc710c4f538ffeffed678ec7
SHA1 94a87cecdb3ac543eb034d98282bfdf782a8f55c
SHA256 23c8e31378db4b7c0bad40c75a6f90c7ad97e9b94a7874d0ca69d62463f15e58
SHA512 137cfb9715f9235924a388c7f7e0392319fd06f41f3c5a9a6b0baa80455255cf77ba0c149f0b152077f71e557a7ab531dd0a555b7d767d1d0a4f0d1f552c830f

C:\Users\Admin\AppData\Local\Temp\AQIg.exe

MD5 7b29f81758795b1e17d97f430b40c12c
SHA1 987bce12d0aa0297ad72373fae6788aa3a602c4a
SHA256 d6b37456dc89724c588eba517ce92b62fd412a90b7a8d2f8b084cdf4d783e864
SHA512 d5e1cafc9b9679786a2b4d714e803261ffed6ca392c77507de1a675257ec1f221ec1379c46634daa1ffed47f85f8b5587922a0e73598634a5b01e0b28453de6a

C:\Users\Admin\AppData\Local\Temp\ywQm.exe

MD5 55e0083229a9beebdbe8809f1f914ba5
SHA1 1f59c606fa8efb861b8d748f702086fa7212c9a5
SHA256 4575d1a1781c241ee32854197e74cc6ba577a7c1b85530a44e9944ac6c6ec0ae
SHA512 c814b200958857e23b4b9771d4f98a48940930a104951a5d32c35c59f34809e483b4a215d8639f41000779fa9cce27c48d6f85a8b337e163c1a8970d7fea8b29

C:\Users\Admin\AppData\Local\Temp\cQsG.exe

MD5 5dad204af4412ec1ef0d85c51c3180a5
SHA1 57d4437c960999a79e239ebfbdb6ea078794310a
SHA256 6d9f44a30a81c0511ab19001333c9c7846c180a988a37c8b606f79e25c05a6bf
SHA512 e25abe4f9aefa166a3115f70fde0688f3299582cc362e7ca66a9230e1c19e7899d2796c56307671253b863277c8549fc81d4a2ebd8a6f3d2881b42848f4327ea

C:\Users\Admin\AppData\Local\Temp\ikgA.exe

MD5 67febb52a1716cb065d3a7d29ed2cec0
SHA1 3469a89faf2110013817535bf1d7e62dc02c6842
SHA256 a81b5300c2ebf54b5893187d432ec5735f5edcada8656c07be0b6d20f5f36403
SHA512 ead66788bd5204174a51cc893cf26a3ec4b5df99597b502be3c77174a8bce3ba6d698b3110ae92d5e075049de1f2399813c812fd171a63cc5b62fa9b766095cb

C:\Users\Admin\AppData\Local\Temp\YgES.exe

MD5 30c5a2fbaed315dbd51db075013f31a4
SHA1 1f285d0a2eb6142134ded7b45bc19e234245d523
SHA256 642897425a97ff3cd57b6ab01270885b387e88288c2f8e37adf5573def30a645
SHA512 8c1a4bcf8e0578577d7ec4893e2e1d9aef3016ff14c36d6a33078b59279a0750d8ee58d13f68c84a6c2706aae8ce557eb1dd35f6e1f272a5e5b89ff0d69a105d

C:\Users\Admin\AppData\Local\Temp\MIIS.exe

MD5 479337aa0b8c2cdb1e8a08df3fd1ff04
SHA1 447fe9cc7f4f6b51d1df1cd713664f8583af766a
SHA256 3b6f6ac23776ed11680eb7d95e77a401ad0b43c9c45c497c1807d99f91e56704
SHA512 e6d95cadbcc5271a1b0378da506efe4be3ba7573940535adf49d90c151647f6b430c3e277945040f4ffb6b252be415da6634cebed9a6a2f4d32bdd6f82c952c5

C:\Users\Admin\AppData\Local\Temp\ywwY.exe

MD5 2026fabd541e0c75c46d0fa2e05303fb
SHA1 681907b65f439d7c5e7e7d68c179a3386fa4113e
SHA256 12623101bb7b30c22186f8f4c9bd2a1b2eb876ac486ad1b2f9354c3ccd0744d3
SHA512 031f353d51cb1467cedeab8d43d027e6712730ac59073f8d780d7a12a01c46c07238c4b13f3bd86ee1984828e9872f7b954810eca833f8dbf86ce3358d813b60

C:\Users\Admin\AppData\Local\Temp\Oksg.exe

MD5 c1b63bb59a4c203234f11b74825b03eb
SHA1 f6357ca3f9d7b69ce6610f825696eaa9b1d560e0
SHA256 2df6baf2b031cc445e643ac44bb607db5e2df63fba1ed927bc1ebea27b4052fd
SHA512 9232144e690e0197615fdd51cbc5fa266d689c6eeb3c31655263dc6f87079d392ad50f400e27551c1ebedc410df15835a65dc59ba9251c36a1e4e4fe74df1991

C:\Users\Admin\AppData\Local\Temp\MYsK.exe

MD5 2b58e51e6b2126328b471f2eb0508ca7
SHA1 c861ea9326fe3598b9225b6c912c2dee519b4397
SHA256 caabeda4bd7d65e9d8d5da8c8d3a757a44eb5960d3646ba4ede167e4da660b50
SHA512 a1a7d7bcad185bc487a55ec3110a14808533a887f8fa14b3ea69c4cfbae803949a02fc852192a9c6b436672712b3d4e3f3194f470512580a62949f8b550ccb81

C:\Users\Admin\AppData\Local\Temp\EQQY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\sUIe.exe

MD5 a94cbcc237ed3652fe6116c7b076898a
SHA1 a01c41d188a4fd73037792ead0595549174c2292
SHA256 2661910dcc18bb8c91135af9855172603d1bb3403fa31a95e2e55cb06867f151
SHA512 575ed9de2f5b066407dc812f55bca21cbccbadbd096eb2c484ecb27131178627cc68a6ac815cec7db206f252bdd4a78c73debc406fc89c100c9bf0a4797742c8

C:\Users\Admin\AppData\Local\Temp\IwUO.exe

MD5 56c33af05bb6d6da07f9e656eee2a7ba
SHA1 957e4744950f7516bac48ab22d40c74a20002a65
SHA256 0978bf55755a136171ff5b27175e77a698ca28e706f1b20415b8764fd4b32ebb
SHA512 f0fef850ab8ca09831245884875a89bf54b8b1bc0e7aae2a921db337fc92c3162df55dec55a96e0a96af32b85dbea3407a115de12564a9472f0c4b975455890b

C:\Users\Admin\AppData\Local\Temp\IQAg.exe

MD5 88923fbd8368b61e5fea098165aaba63
SHA1 b225cc016dc6434209e69776b397710bfdf4399e
SHA256 90c1fe17b05bfb4043276ca352e6f7625385c61823012f089dad5816a6d40679
SHA512 0aa58ceec856cdece7cf0a79286202d08e0186d64aca8dfc7c2247a31c336fff1ce0ed0048b2139960ba304aef8f1cbf07bfb2752d9c1084e1abcab718820045

C:\Users\Admin\AppData\Local\Temp\Wwkm.exe

MD5 398c280120ad79b50c1ff7d390a2d862
SHA1 6529104de7514e107987cebfadb0fdeb548e2700
SHA256 fae15f19509e7a54f4a700d9f6ba9b7f287fb2204860b821132c463baaf00176
SHA512 6c4d309e397b046975fbab7e1e88445719520190f6700256b2682def64a79bd464e70af5cd1e1d85ea26691ae54ee2870e5ed70337bd9d6624f921dcee087714

C:\Users\Admin\AppData\Local\Temp\ecsU.exe

MD5 154c5e8d155d57ee42503b4f96cd4c6c
SHA1 3586e1efdf23ce8fcce62e02926cbe5989180972
SHA256 7bcc9c47a1f1e6627d34b223c8fe960bc1c59e65afb70d4557a4dc91f8573da1
SHA512 dcc8568bfca18b9e75581aa56e505d63cd43d0ebbfad3b59f16a3c33be64d2fca44256b7d222b8b8eeacf036afc7fc79815c18ff029c65307cc0740f8a59ef68

C:\Users\Admin\AppData\Local\Temp\Ekwy.exe

MD5 0d17fba14442c0354f181399e9973771
SHA1 2d8ab77d8ce2a1ddd891598689a378088b09f732
SHA256 35ee74aaaad1e2c85619d44a797969099bb3d5c537397b7f99ac79296f4b9134
SHA512 d5b11be92d362160b2ccdb4c495f0e115ea1760157a2bf1960af4b1100d63257ca2fdd147d958c6b3e5d2de41ac43ceccd298ac405a159aa324641f9d97d9ea7

C:\Users\Admin\AppData\Local\Temp\MoMc.exe

MD5 9a136e7f475e78132dba638febe412fb
SHA1 006030ba047bbc22ce3edbfd3e1755ec7e7f87e0
SHA256 3c0720d8988d3ba01e10888390a3bb152de854b3e216416fa1999283e57d62f7
SHA512 4d019093d5b7799001bea1fe0f644096434cf633bf4244400d570ff041fd87404924159daa44af7731931250e491a5fe2d6561d8edf7b978603371f16a2a32e5

C:\Users\Admin\AppData\Local\Temp\IEAw.exe

MD5 373a46655dd62cc4d599a70aae8a8b3a
SHA1 b23b7a87805d44dc7d8bd1b2c76d1f8434660cbf
SHA256 a55bd15cbe5fef73261b078fae6247055c6d58059add52365aa296c656e22936
SHA512 2cdf5fb0973687c2b654d43c78fa127ce94257a4002a0428f9f9c694301c9b08efbf5ab6d680134aa7309fd09a10b7f1615a95a9b7038bd80270ef1a7a915def

C:\Users\Admin\AppData\Local\Temp\SswW.exe

MD5 39e5600db3ed39b7467a7c61e788d3ed
SHA1 016f6b35ed2fd4d7e2520952e8f121bec0a5d8ca
SHA256 1cfd5afc5a914423e1e8e41113038f284b062f13847c99087aac5ebb83314f59
SHA512 fd3bb8dd5263babf3eea78594750a76175d320540ea759a5fa188ded5877b92568447c05f5954ad9c00c7cad4e6e184283af1dc97d0f3566051eb90b8fdc102f

C:\Users\Admin\AppData\Local\Temp\OIoo.exe

MD5 a1d6225ac3bf3b9f60a4dc2a975efc0c
SHA1 354ef6acfbfd77cdf49e309402324933101de5b4
SHA256 88d18049db3d917c9db82efcb0b2aafb3ec516c2a1df0086b975b63e34ec6842
SHA512 fd698860716fbc04a30c08013ab5304c757dcb17f5db4341bb73bc6ad19d968f75b2bb113cadbf196dda919a3c6999fcad244c07d45b81ca712591882ece27c7

C:\Users\Admin\AppData\Local\Temp\CYIc.exe

MD5 c1605cea24b6c189a2d4aed135df1284
SHA1 d3b835b6155fbc85bd939dadae5e7a2c364d9dcb
SHA256 15a1ecdd899f6c87bafe768e71118afb1747155e970c4b6b0a97917c495380b7
SHA512 0d4a43c7c54e164721ba371a9d72b045ce08224f4c96e4ad5da0f1b961937c052fbec312ad6edde0130baf8d86cc02a74c220674eae998dd7be0ccf89f0ab2c2

C:\Users\Admin\AppData\Local\Temp\csAe.exe

MD5 8de6fda890c312d6cdb4bda3dd765027
SHA1 b09a801efd9237994f6576589fe07624337f90a2
SHA256 b9c98375f120c12102eb5cc683763a60b60f1902bc9bf5c82cecff3788cd5a44
SHA512 0d66273ae1a2e48bfa16e19039ce26950824d008d5486f6d2052ff3d7f1060f55ffefe527674a9b381f840cf9cd8eddc98cef8310c2460dc2bd11dc8cd5c5a2c

C:\Users\Admin\AppData\Local\Temp\uIwM.exe

MD5 a02c52c511b3ea781e272594a5097a18
SHA1 373b4d81ebd6b3b398f7e30f7827557b845f99d2
SHA256 d710ce4cd9620264a24e74284092dc38796f8682f083d7e6020cad44c4764869
SHA512 9a7a7893290f6980974d633f19aef13838c205237ca3fb26843653de04e392f5cc3370d1d75e408c90e41cea9336bbc2b380ba9c0330833f989fd5f5580de93e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 0022dcb7a2738fe3d73d0de30f2322a5
SHA1 448b5cebb7c001c1560fbce92ae64bf0f6e97b35
SHA256 845821d029bbdcf2a9008c3c1f9ce6ecf0ff0df088a296e9ebe5a77ca5178fd2
SHA512 67254527eae725673d724e5f38c96875dea6772efe0207c03eb3a49c7155d21dbe9cb60cfae54d206efd044dd2cf1a467a01ed40116e66307b32efab71c1f292

C:\Users\Admin\AppData\Local\Temp\iIAs.exe

MD5 d1d571baf75bb0a09b89984ac480eab3
SHA1 50fcb7c3321d8cd92805b4412323445f2967cbe6
SHA256 0598490a00aebb9ccfad2eb634991be2b55561455a72faeb785c52752d4df964
SHA512 873148b9216fb0d9d616b7f3d6861059dcc6e898f3eb0898fa99bc3ed4304b8fc1e7ed53710290516b7189a68fd47ac5ffaf68630b25901c1834eab612d7593e

C:\Users\Admin\AppData\Local\Temp\MAUu.exe

MD5 4ca064da83df954ef546b1278ea50574
SHA1 64e8e695e0b052143740658a18ea1cb99518736c
SHA256 95c4f4d44553c668e41d46e6189590bbe1624819e984a318bfe6806c316b620b
SHA512 3d1c60ce716f001729328ec381989d15dbdb2de4da44083beb3b044c27bfcfff863c384e60390168c116095297deb4fb3aef73a16b170beb9c03902f5aebf626

C:\Users\Admin\AppData\Local\Temp\CcoE.exe

MD5 7e966e27c4270ece982a1e6bfb5128a1
SHA1 add6fa68dc2516cb14ac3edc6001808351b4930b
SHA256 6c1470c301e03d679db479bc4632b8c8d8c1215a4580e2fc4a97f68f997a8d59
SHA512 6d85386bd0bb361ea616755b95ceedf94276f31aab781ae77399ed00ba7edf093fe6008c9efce4c2eb259a08b81fc41abe8ae6f01bf5a67cf3a40c9b3315f564

C:\Users\Admin\AppData\Local\Temp\GQIK.exe

MD5 914619b1a5545651d5fd8f7bdfbef71f
SHA1 9af0d1e0a8013d8cca03c19db4e84f3e898e5eaf
SHA256 f1da4842b58f94919f31d3dc0424ee344602a9f5c13feff55127be86e3f81ebb
SHA512 6501841a27d4ad5005e522754d314779e8b4dc2de8f975cc071451d0ec334fcc86c82c4108e81bf799e65b6eb8794dd291d3b56c2aad0a9c0dd7aa11f406e7b4

C:\Users\Admin\AppData\Local\Temp\sQAE.exe

MD5 cb4968ba8dcdb742c98fa6ac67595452
SHA1 c51f408ae1f0876c82619cfe051b158a7794b8c2
SHA256 67c15bbe24772c34aa96aa7cf9198a0f1e087e553b2d36582d95dc6c40a849c1
SHA512 42337a8b213f43d7a73c4cdf4012a7ab1eccd7eeb3760e090a818ab2f819f13bce09e8819db0dd6a5bbd0c35f5b6ed22b35bdea13279f733e4d0448fe8740952

C:\Users\Admin\AppData\Local\Temp\OgYg.exe

MD5 6d0b58bcf2849354064ba7c369c4f651
SHA1 afc9beee454c31458f92c56620910b056dd5c52c
SHA256 ad520aa6353b87f0f21eb2690af21d176d6a042d0044bccf9336d208db0d8712
SHA512 71a48cb41e93435f2f43ec05dd6bede7f33107c3cd3ee5328f8504c28dfb158021c03192b7df0984572a3ede1cf2d3500cfe91805b1c0bc5c5121dac83151b60

C:\Users\Admin\AppData\Local\Temp\CcUY.exe

MD5 6d4f0418395f930d9e58376946a1cdcb
SHA1 6c8d195e7007fcd26dd4b8a9d412b99d94b9e72f
SHA256 2050203ddafb4a5ea578db88da6b34011ac256c686be516cf31b38c93fd8ae95
SHA512 f9f5c22a060069345650bed3f861130eacdea3e033c0b2f5f3f6d2893d9bc3884255e950ead8198f4cd7e2435b8d02d2b2930536970092d0eb52f517aaccd202

C:\Users\Admin\AppData\Local\Temp\uMwU.exe

MD5 471dae549aefc455af65ced8857585a0
SHA1 0ab1d032f4f0adf1fc0b7bc5673e71454b0c8014
SHA256 7768b0af5bdebbe6730a6a3ad60bef2fa97d8f57b8d04bcf914daefab4ae9739
SHA512 f12421cb2d97a43a1ddfb81b52b89b6a23c0df8fc5150af60c335ac47ec4c6eacce92d8fb179955d645fed552f561908b9ed3e087aa740a422cc29b76b0cc99e

C:\Users\Admin\AppData\Local\Temp\IMso.exe

MD5 9cfcef38d1a226eae9eb3c9c0ee685df
SHA1 c77816e8d9dcb75e5c0d0f172af47facb5e7a815
SHA256 1a76ee4a336e15478704af6bbef3c4dd0cb85c193b842e35ae6fec0f5605580b
SHA512 7894dec2d3c32a9a54368e84a0417eecef134fd142ede8220a9cd1a27cb5adbbc9e2bef85b8ab4eafd4e5dd68679e1217ccb838afd3068a4c6d1a2f0d9dd4ef6

C:\Users\Admin\AppData\Local\Temp\Wcck.exe

MD5 aff10f01a11c5a4c11a64f87d36b588b
SHA1 658526ed1f138d1d1174c613dc5d898e4cd16022
SHA256 7aaac9e424a3d166841aae3e2a9eb8dfc090945b8e4d3f3f0ab5cbdc2519ae61
SHA512 16195c8e36c9969573fc63215b25c257e0fa38be0fed9c325e07e0d8b287e825ebeb64ddb5173ab3631614b72b7ad2253763439240618b3f3ed89e1c6c4876ff

C:\Users\Admin\AppData\Local\Temp\wEkm.exe

MD5 121ca65387b93d245fb58205d715ea40
SHA1 2a70a84f021d2ab362c439a07bada32a954ffee9
SHA256 5c8b785cca8ed51cdefb42794c58f90e4469e1101edb969a28ece5f4ac2b94e0
SHA512 970b1311665106e89e8953e47eaa4e315bca2f53881e61eb1f1ab9a946ffa530441a3b9717e83ecb0a481144a4662fbf77a2afc2e7e80329343833b52834189a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 9453bff786adc6a99662dea4b08b0979
SHA1 33899447f12edf700f8b2126b7703fa584849128
SHA256 b6c1286750a9749af69747b012dbba74ac71b1127390d63dd3bb4c40482feafe
SHA512 cfd36111a7a94cc08af28df89b59753b3b00a4631d8c73c9830ec2880f4b48e232dd6fdf2f0c7d4f7474de062c5bd69895bb08cd8cdf8f856dbe383faa9d933d

C:\Users\Admin\AppData\Local\Temp\QcgU.exe

MD5 3a919a70bed7b72cde68ac101f2d6475
SHA1 66cfb50b34ebc4e5c4ec0bdb7b4597ccc82c6ae4
SHA256 ebc880792480452128178c9b782366efcd03cb3740b5b79353aa94fc53cd0069
SHA512 efba99bddde510aa440415f42fe34459b5d2ad2489e2db1359359cfccdd923f144b677e0aec63b23cf62b1dc31e734906037182677981c9b8360a435ecabf15f

C:\Users\Admin\AppData\Local\Temp\SUAe.exe

MD5 271c2f40fd9ade1ea2598d274b56aca3
SHA1 bffb458f77c8d77112537e8db161acea886f622e
SHA256 ea7124274aa26f94b83d661febef4baf04a86411d7de72ececa3f1f411d48bb7
SHA512 d65b9bcb7d07d7a6e120f53e27ef71fbf897e3175d6fccdbae24bc17dc97c33d2acc3030ff98b10caaed40ea1421e59dcc0d32aff10bb9af4046ec10103ae8ae

C:\Users\Admin\AppData\Local\Temp\UEkq.exe

MD5 ba8f8ec298b622e1f4dea7f67b2bb4ca
SHA1 dcd6b1e451696ed711233ab7734801c4dd8e48e1
SHA256 2eb84689d092a43af81acd08ffa21d11aae7ec7754e905409f5a47669b7ee772
SHA512 f013c823306f6968a62768dac972e7a03bbb5225f7e17690ca42a0b7cdc1a117d8c6148c94a431ba57c0e217099fb9825db10826f9aaa9270b20634eaaf97162

C:\Users\Admin\AppData\Local\Temp\qsUs.exe

MD5 bb4fa60262967902817c7922061f1998
SHA1 41e9704502c8be3d10cc13e72da1a70bb3a8137e
SHA256 f4483e3738cafe7e7da01e65cedc0810ea4f1048716f18bc26a117758757167e
SHA512 1605489c74b913adb2a07ef674e458ca6e6a8e0e0a2d9c451310f14657d151893a98cee5f0160ca3436d23470cebc1f75065f2a5c6fa6a2d9eda02def62c135b

C:\Users\Admin\AppData\Local\Temp\IcMo.exe

MD5 67c9db284076f21fc06353d5d5f96b8a
SHA1 3cdeb45333b3570bf55167aeb0eaeba5fb352be1
SHA256 9b4f9371011a2c9d9d492486014637a786235af8d6d2e7771b5c9cdfe23164a3
SHA512 76df597e0cb0290e8747d75581dc9ecf97af3b1b56398b8d8884987cbac3b72395fac761e8ff6e5ec830d56105987a2852627fac233bae5552090dfc40b54440

C:\Users\Admin\AppData\Local\Temp\uMEO.exe

MD5 5b8245488f33480e73aa7bd121b188a9
SHA1 1f01eef077106cc9279b54d50116f2273589946e
SHA256 59b2c50579a60fe5082d7bad977a98063239a153ea79a1d79d00418826ef624d
SHA512 2d24cd8cdafcb42ca25854911fdfd224dbfd615fabb85b18e1a25cda76cbb52909a6025bd6513e5c2375facb2efcee30b07d387b96008fffe20d5cb1d28787a5

C:\Users\Admin\AppData\Local\Temp\WMkY.exe

MD5 b884b0a9a88ef4f2d02766113d6134b9
SHA1 301c1bb43df87bac3c4c775b00b51145f4ea997c
SHA256 d6aa7dbb15567ed2b14f388e67bc5c34a0216ffaf68a43194a73e23c0a402a30
SHA512 418f7c28c8b0662bb53da97571bb15ca576f27fd9dd36f45174a99ff61cba05572fea6f57068b4cf1b887709caa863929651baad81eb6da18c83d4948153b618

C:\Users\Admin\AppData\Local\Temp\Gwoa.exe

MD5 d09f01d44cd0f7f4773fa14d4854e8e3
SHA1 ccb381123d3bebb82daba44601163d84b0bb613a
SHA256 0763af7321d07e081cf31e89f5e9771cb1886999a8d144811a9fcd12fd267ee8
SHA512 b174d012010dd43242b543222a60b0105d0e0ea669a2c826ea8d7df9d59f79e3232ff50859210035128e30a81d5e323c5cd78b7b764e4159d947189c55d8e0f0

C:\Users\Admin\AppData\Local\Temp\EAgu.exe

MD5 5ec6146c2eb15d7fadb2e991e062f794
SHA1 b311dfef9ccd649861ff46f1e3c41b96eb7c01e1
SHA256 ff0e2f388a8b49b88deb503be4d5eb88b06746b8d2b5fa7e0b279404e5c808ae
SHA512 2b5e4809b82c1a6fd88ee8b555fc888108ba1a3ed191b676fa567ae3d7b6e4313ddc81b444e99a56f2134ac0d49ea746e7e89f9f28aa4a24f8d3f7fc68e0d9f8

C:\Users\Admin\AppData\Local\Temp\sQUE.exe

MD5 ff8fa7f79665f72e309b0a468bbffb4c
SHA1 e408d8b588528a9ce0e3a7824fa6645692214445
SHA256 689c00338dfc4b39b7962270fee2c2292f8b2bd96a63d0760668e0a9a18e9c5d
SHA512 c68f600f9673921a3e90765436db49cb8a328b8e6073889c0137372827e2c2d4492748e0b14f8a9efc188296ea36d20ff51b68043294e5ceae94841d16fe1909

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 7214c51909f34505b6c0942bd20e6716
SHA1 5b0493f7b22e53fdaa0a2af520606aaf7a899fe4
SHA256 5595e74716470b571401688d95636c5d210e385c83e9304240b0da3fdf556530
SHA512 c0ee48de8c2c412fa7eed5e39ff6b6f34cd31fee393f2a44ebb23920e7c4450b777bb051972c06d76a6d3987aa6fb23337c2460b009cf64558ef46c002b2922c

C:\Users\Admin\AppData\Local\Temp\uEoM.exe

MD5 0ae8b484713f3c26b48d26a09ff3c01c
SHA1 ef43ff58fbfa6a1fc78efdf68b43c7490ed1e2e0
SHA256 3df105f8e270ca0de9267303b4d4158d81aec67741305e24f7e4529116716ae7
SHA512 9bb36cb81ba55cac4e8ecd211201eb65825fe39a6f757b57e30893a38f45c4c0f1fa86a48b2042d73d28b35263d2111d593130e09dea85a904618662a6654975

C:\Users\Admin\AppData\Local\Temp\Iwsq.exe

MD5 4488784a11cb88568f017b5e40c5ae6d
SHA1 17fa6d5dd14b8109682e1fb1a6c79d8a8251ff63
SHA256 8a34b21973ec23433661af2c63151e7fb102370fc594d06a133590b4c7759b5d
SHA512 d69499fd301ae20c03f24965ca6c3efaa698c0adb5a6fe483ce20261c874be824794f250d3c0057285e29be75902505e4706cff46ccbe9ecd91fa3e0a414a178

C:\Users\Admin\AppData\Local\Temp\uUgC.exe

MD5 21752f13c06561864a899cc1a37caac4
SHA1 9014363591810c42807e2bae57d6ec4590ea6f40
SHA256 5fe73cc75dd88304c3367c92b6a9683c86f119c5a7bea1412c21d107e351f611
SHA512 45c983e9a4b9aff22a419ea88fd449120d90f9073de9e963b1568be311c7ce7c6764b69fd12c43a34ad9e5e7906380a40657ba2bd5e5a7a09c843435dc2199e8

C:\Users\Admin\AppData\Local\Temp\cMYO.exe

MD5 5b59f1e8e7c084f8aefd33c5740530ed
SHA1 94b8785c3886d0f537ba0e43b88f908b16f18007
SHA256 0ab924640b3dd8b892f5f340e780b23952704ff27f8a7f40bfb1d16cdef7fa83
SHA512 9ee21f155b4050821a651c1dd05840b8d8bec95e012f24ebdf025e863e91d0d88f7cfa79e3556c7b952ace91a3093e547af8f18202c99da7bc14f1f59b087951

C:\Users\Admin\AppData\Local\Temp\aYAC.exe

MD5 8783af936af2af971b8f220a5fd6e966
SHA1 470c048acf5dff21f9cf016368cb7b4a5885b1b6
SHA256 5e7a5ec4f17ab642cdb3d6e147b81132974231485c70a8564d181c9dcb749512
SHA512 e920d1d32596e25a953e67206ab0cfcf24dd8d49c59bdb69ce848fa461f3666a904cc3b29028c0658d53502677eac34f8b9cb5d33527807a7577a7da4df3a7e7

C:\Users\Admin\AppData\Local\Temp\EoAc.exe

MD5 8e4e564fa4e5738bdb685c7aa4d211f5
SHA1 d3c688d2feb888fd94ef40f6a624a61ae5d0eed1
SHA256 319496d5c5964220cca7903423fcf7dab2e7e6b77d4fb7320656e226db04f4e0
SHA512 fa60742c99a5bebdac78f1751e1dbfd90d77ed44e869f57b468652a7a6becd583b6d38b405bb8a3eac78c6884cfae4fea2a02f34acc9dc37b4e3ae9df7cc9004

C:\Users\Admin\AppData\Local\Temp\mYYM.exe

MD5 0a8d83736149b4b85a883d8134cc1a1a
SHA1 810e02e954b4f84bb8f6ac21fd55d68592a5c910
SHA256 a2a306d24375bc9d627acd13f753e4bc68334b6eb12d51c70fc00b7aaf29672b
SHA512 b302708ac303e02df2dd4a916fdf1073a79c20a07e1af26ee9a3a6e7e84d6774b6fca5cb46a29a2909a6acd927e4d4e10fc035746e5d961b9639d881042d4233

C:\Users\Admin\AppData\Local\Temp\icAy.exe

MD5 557888d5f75f01d5470e40d814894073
SHA1 ee77b0d718e252d1b680905665862999f3f41680
SHA256 e2c6013c51028a90540149925c7f98eb0c1c13e96fa1162fe132fd31d795a761
SHA512 8b9e9f6617d28b596d5cac538a6a375fa48af7284cd3de05aacbddf94401b727aab6dbfca9576bb70dd6ae6aba59df5d410c5ab9e5e06d0b1818b12fffa9e5ab

C:\Users\Admin\AppData\Local\Temp\uIge.exe

MD5 7b00a7bc66f7d4e7a55c7608a94f8795
SHA1 6fa7b7a8ee46edc5393af61e008ab9dda2d9fff7
SHA256 de71d6ad118008908d5021dc1b3c7ef05455c7315c84456c74a81cefab3bffd9
SHA512 14857739ec659b1bfd14ad57c6f777f38c638e596aee01e76ca422d7ff6e0e2f06d837c0830909c42dd2ae31482beaa53899d8d04760ea603f1848194697e21d

C:\Users\Admin\AppData\Local\Temp\AgMA.exe

MD5 78d5d0686be62518f25748c9522f11d6
SHA1 8b26a7a11bf41458a2851e18e2ede8a332b3c429
SHA256 36b5411de8c43a6b4a9b9054f373a5a6033df2d537784992679bed7bc8fd67ac
SHA512 66da2e606be652df802e431930af932952623313fced92266c9c39cd4cd419ebf58b83806172938f86bbdf245f2f4eef5040d004b6155ef20589579bc6bb73c8

C:\Users\Admin\AppData\Local\Temp\QsEM.exe

MD5 be231bb6fe6ec834eb02d92b274589f7
SHA1 49980ee245ddfe061eb50fa0a6bef0e859e07356
SHA256 8b313011b4891fc78450e91d247e92408556922d5fbda7f16a29289e6448be92
SHA512 a986b1aaf2595c5e043af0a1652399a5b00c13f0ab6a52cd642841770d308987c0e355bbbe1f95590e8fdc353c5466531e370ae011a277b7224bef9e420b2970

C:\Users\Admin\AppData\Local\Temp\yEMW.exe

MD5 44818c701ec0654e2a9e7ad77ea550a2
SHA1 985b2ed553629be90602c27fafd41ca9859c1831
SHA256 1039af094ee3b4c26cc72845f2f260ff2ccd0f916bf9636d45549a6e1ba89915
SHA512 55d5083d4bfbd34de525b53d3ce0759f24907e84aa221b319ffca9cedccf7616c5d25a3c5b8edad191fc2db1ffea63cb9a98c87bfa45a752d14613aff367657a

C:\Users\Admin\AppData\Local\Temp\GcAG.exe

MD5 db88c9b98e41770a61e3b65453fa3f85
SHA1 39025e6c315c51bb01a1082290143a4cfc1ac2b1
SHA256 f2289db230fb0ad55c66c645b1aab3fbfbef7b6cc4d6b8387f93c5076b7bbccd
SHA512 4a64317a46d9f9655843bef87b03ade686ab063e0415971cbaf4b9404ca957f7247dfda6c32f1c5f37ab6f9d5881a74a4af79a4d90da6637a2b8f027629cd35e

C:\Users\Admin\AppData\Local\Temp\AoMC.exe

MD5 86abab8d2a0c6fca7520d9092714e5c1
SHA1 2b98384acb5b4dcbe6174b148747dd40d7502ce2
SHA256 adbe923792619b4e8a48fd1692c25ad193c4d4f2c64ee3a7a7b54d9c21828a11
SHA512 0c5668a8796dc8d6f54538e17fa64d650799bbdf34d3dc824888f17e7a8152c4d11c25c166584b6813dca7f5a0b93410ad46a7ae639b29bbacf0cb91be7f78eb

C:\Users\Admin\AppData\Local\Temp\QsYI.exe

MD5 69b845472c751aefd43c613ab3c196a7
SHA1 5bf3cf8d01006bb1cb3c869f61a7698629616472
SHA256 88d8ed6338a227f1e32001e933784eb9148ff075a28c74fde8c773a32aaed313
SHA512 9daff4f1f9f7759d7fce66e73e0e37d66c28f2abca2eea5dec790875dbe7890811e24195608780a7353340ea19836e8fec63bf714d1dafcfec3262d3971cd400

C:\Users\Admin\AppData\Local\Temp\AMoC.exe

MD5 07dd67d9668d90db516fac6d5df83798
SHA1 b4bfdc0a020eeafe584764f0936b72942a4090c4
SHA256 11a3059c3bbcb2e3908dbe7e467c5b118420423c6b811b7c351ac44f5ac421aa
SHA512 9d19f063035e1101429407cf3bf1be3936a8c64135e60272df0f38333740ee86d2f278e0d2d2db15d46c65bd312e11d7172a32c6617ac1ec3b053cde6bb2dd7e

C:\Users\Admin\AppData\Local\Temp\uYYQ.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\SMoY.exe

MD5 b04dc062bb872abec6e1aca8a0e2860c
SHA1 cfacfa3be959c0fb5f9b220a6d8a0c18871799a7
SHA256 f38261a8b90d261fb9ab010da7af55bb274bc740a6eae3fa2afde00e581bbc28
SHA512 2cecded18b6f0292502f1d3e2bf3a1df14edfdafe8421fe65f3b12c0c9d1e1c2e2e0a62db316ba8091b8663b4f0eff3bcd7d3bf6d385572eb33abfffbc8d8aed

C:\Users\Admin\AppData\Local\Temp\MMoC.exe

MD5 3de218d53b1cede741871510928cba33
SHA1 07db132c3a90f3414f5afc17863619890142cae8
SHA256 d0da5579eaf99b26b96c1f5478cc5557fc01fce5536a725cf3de59ac1dad6b87
SHA512 a8842be3453e8364e013f708e3c28ab496ec4185c976c05e1083bab24073d2f88ac28b422a40af3f12794a88a0e628cd0bf854f9daa73bd7cea56903dbc10ec4

C:\Users\Admin\AppData\Local\Temp\oEUy.exe

MD5 07fcc586f4db3c70cd2b6c1ef4751541
SHA1 f2836e4b8cd69cd1bfd3ac9be0b0aa62082ade55
SHA256 7ea57d7b3ad1efce8a7b454775453ec94d7bde55cb7a266c0eb6413fd64d554a
SHA512 668998089fe57b379a11e1c0120cc25233c0fb824026516dd7bddbe43f0977153d2220090d7a88cc4da1f20c92164f79e19f599d039c4c9f53ac30995f2f2fe0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 d6a9d34ac5926992d0835828d0c9552f
SHA1 3538e09f7d5102bed9b0138a003fdd257e115e89
SHA256 9ebce4c774302b7467d42bd3f43b3c766b796474fa6e176b631457604120fe44
SHA512 577851cedee9564b22ea23b15be053eb27abacaa84fbe5479064c0a206a2f7de12432ba4ae0cf778f8e2167c7889ccee2f9669895024e106104a99f86d9e24b6

C:\Users\Admin\AppData\Local\Temp\KkMs.exe

MD5 c24f1512b09783c8347fc06c3cda78d4
SHA1 3ea8823248a8d2a43af9acc3ecea6c5357af93f1
SHA256 f58de92816b5fee954355d23b6ec471f1ed6a6eaa79eb7c7fee9d72a6197f821
SHA512 d685220c034edb9f440105bb2feba9696fdd65100859db482e2ef5794f48f557b71266626bb9db85735f751e65a9597ac5c6fca16ec98d13471308ac5b9cd414

C:\Users\Admin\AppData\Local\Temp\ScUs.exe

MD5 57253f52c258148fdb8e6e878f91f53d
SHA1 30fde2e46dfc8b4536d37ba6a8230a9d2177bd3b
SHA256 3673eb51d881138ab37a8bee85ee2d3cfe1caa9cfff97832d842fda558a2f4c3
SHA512 1ec7ac37f12d8655204005d224d4a90b0fedf684886ec67608c730275f60a2646b043a42f86412e949613ed9de5fa9df54f49397bd90b95920ef4823e124ebc2

C:\Users\Admin\AppData\Local\Temp\egsM.exe

MD5 2f2eee8fa1efbc6518d18470927cba25
SHA1 674294c9fd09f880fdcddab3df78e1d73b021c4e
SHA256 756be0cd30d1055e84a5fc2c5cf63098ed4a11b9622f26f0c91c891abf8751d3
SHA512 6850d753639bd21421baea58efb1dee4da55ca88adb50f7e224b77a0dce004727616c0df70a4241294564587366a389c3bd8e51630ed3b1e3512fd5eaf70b8f2

C:\Users\Admin\AppData\Local\Temp\IgAQ.exe

MD5 8a6f48dd973cad8a9c6874e94b071cc2
SHA1 9c62888c03fc083905d3b4438bb49fe3d4c62bf8
SHA256 fb189bece1d7badfce49f71e7fbeebae5da7fe1fbb463d33a5d804a77c23fa9a
SHA512 f5cc1bfeb631ff9b8edd841aeedeaedc69e8482fa6d47ce5b5fa82cfd5b315816804454f86ab5889ecb9b38c3c5a65732e8267bf422fc1d99b60637ecc37dab3

C:\Users\Admin\AppData\Local\Temp\wwgU.exe

MD5 7a6edef5b451f4f6a81a01565dc73c9e
SHA1 15da73dc6e0b7cda7fe8d9efc7be22d5f0af7f96
SHA256 e9735ace5b542b0aacbb9b781fb76204f45ce6e4309a7f65c0e6be856507f41c
SHA512 53c967c93d59642bb5d72f7f3563d0726e8a3c477e8a006cd221a7ec8b01c3277d8c495a0eda9250249a0e0f87b8d585115b4cfdc394bc0b36401c3036b21e6a

C:\Users\Admin\AppData\Local\Temp\QQcM.exe

MD5 9e08a0d9531c5e056228b7128d8eb5ce
SHA1 8d35de0893a9dccb3b0e574b25539496445dc7c5
SHA256 ec06f8a2104c652ff4a6422ec48f60151c5f6a858bc94bd06f4ebd72740f3866
SHA512 bb74b12959fa0ce4a162d077e51f28c3a8eda8ebf9092852b485ea1272f77ded865cfb50b82398f6aed29e41b94e7bba7b8ce549d69fc1029aa42b5faa6963e3

C:\Users\Admin\AppData\Local\Temp\Ygkk.exe

MD5 a90584179dd1bce0139253d8a0ae93a4
SHA1 b899ac14b562a0263eea0ebcff82d4df2b5f4838
SHA256 524fad70dfa154baa493f4e1345edaeb15d4971ac4dbcfe33027a2290159a5b5
SHA512 950174df4dde5833644c3876172d16d4cc089847def6ec65342f0cc0c8a85f218f31bd4985e46cd50aa8181608c494a49de04431043c6b81be392167554d9c39

C:\Users\Admin\AppData\Local\Temp\UEYU.exe

MD5 66a54cfeab28115c1fd349ebfa7980e4
SHA1 df53c10a0e863f8eeac64be60f1ac560f537a8d9
SHA256 205a6a2414307e7c356beb797828d7c0f913a23291ac9e06e8473b1bacf58ec4
SHA512 2747ce9eec39ab9cb9aa14464111f32b0d881741d33ee4a57e6d1ec6ba235dac5c792ba86f515826d6a1bfd3fbd6c32184b50fd39872cda535e9ac265d86afea

C:\Users\Admin\AppData\Local\Temp\kUQs.exe

MD5 9221981ed4a67ec38d004a21c97a6cfa
SHA1 64274f7bc3f6108f973e48d5e6e4f9123697b626
SHA256 2a4501d39dd3c80ab94e0e9dd7d262388da0998197633b03ceb5409491079f09
SHA512 68129483f7aba7fb9cdf72663ea258a3fdcc3e1650f9a1f9f7db84fac25970a2111b1ac1d62376734cd6fb8f10da0d41159f1412c04b8a6e1f747c75e5b01a2e

C:\Users\Admin\AppData\Local\Temp\Iksq.exe

MD5 337d823d70d59c57ca37233e621e4dbd
SHA1 6c8849d95535dd935c434fe28d7d7380402ef850
SHA256 222055a0a48a1bc98f5fb4452b97a9af64cab26a297b5948a656736b0f1cdfe9
SHA512 a57e798b92bb3f7f9a418d86f2e0450ab49ea3a49c4e84dae47b4cacd1b8fe704045e954f706602d8c3ed576243e7ebe58f2f3ef07dea705b5fa904bad974744

C:\Users\Admin\AppData\Local\Temp\mEkm.exe

MD5 ca017fb2bf144d1ce4ee4d0c5634d062
SHA1 35578aeb54e700fba822822e22b291a41ceff03a
SHA256 0f4c1fddfcb512ca5217e100a56e1278173b2d20ce00ea7d7ae589ffad741746
SHA512 20c895b6c39e52e395f21b450e7bf36e679c22b9a7f7c480c6eddb6030e84f5f35f6f0c705c7f802b01c317bf7d0783a204c48d56275ecd99361ee566a3b6fae

C:\Users\Admin\AppData\Local\Temp\kooA.exe

MD5 a9afaeeba47a964662127549c9f5caa5
SHA1 1d18446ce4ad2d33727e487f7ee9d5bc1888f019
SHA256 233a98ce278f947f5a058052a32d8e579d84073d91671296eb3d5d6887aecbca
SHA512 9f21dd0a41b9e5e117ee1dcee7efcc6d753a4733d0ce6d4dce5f86fe4835343b4a43c1e4ec657ba7b82de59d4cd9e7c5ad82be991dfb387f6782e680fda751eb

C:\Users\Admin\AppData\Local\Temp\iAkq.exe

MD5 809d6811f94e3414511c2f61deb729db
SHA1 83171dcb6051befea73df6e08e199e7b5798db0e
SHA256 514b2f791922d15c56cd7b1de806204dd0856081bffe776b1a1a778e4122c6f2
SHA512 f4e849ee4665ce747c8f7d457a5a7fe765c5b6e26ca9844dd82daecc543cc707a227e6b6581c0660a16f5cf5bc4ea2ac1361cb2eb0738ab0a4d07b482ae4ca04

C:\Users\Admin\AppData\Local\Temp\UssM.exe

MD5 fd4cafc49539e4f77f930d53ab61b40e
SHA1 7d096a09afc77ea227df8f99d62bfbdbdf814ac6
SHA256 96ba3f3b5404f7540048c77ed68e4e81abcb719f149443f7e93944f75eb589f8
SHA512 f91118294ac9118a29370ecbc7945984e5b1bfe86f87e8ed141135d5328ccac8443286d1a35fb161296062bef6f4861a4818c1959bb795a7bbcca37859139e15

C:\Users\Admin\AppData\Local\Temp\yocG.exe

MD5 332e93088f8f1c885ba94815ac7bab6e
SHA1 e4ac393b3f0e2c74980f2747bbe85430bdd9c9c6
SHA256 f893cdb81560e0f4d740f172d6ed4c24aca2d13aa7d9e11ac7ce59f39bb98452
SHA512 b054c48cd66576798826624b3dccbe5d9b3debc2413e6288de93bcd85e326622068aee1ed8f56bfd78fa93fc0abfb77e70c49c723fdf0e21da60abb0d98e3e9d

C:\Users\Admin\AppData\Local\Temp\wcgI.exe

MD5 817ce4741ef1eb7ab02ea64546fa36a3
SHA1 1f2c84d3e039f5d5d1984bd54e28ca25498d655d
SHA256 505d5ee993628b18dfb33423d86f0791781ee507f67cd919e44f00e7c4ba873a
SHA512 d42cdc2aec76825bed32f31bdd51d310e8e992892b5262458e23ff14f01f3c35841fa483ad54770d3c589e4d6745738279059d6d8d07e10f6a5b197b7439e1f6

C:\Users\Admin\AppData\Local\Temp\IQMk.ico

MD5 c7fffc3e71c7197b5f9daaea510aac10
SHA1 23262fb8038c093ac32d6a34effbede5de5e880d
SHA256 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865
SHA512 c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

C:\Users\Admin\AppData\Local\Temp\qIIA.exe

MD5 5e201bcce7112afd4154f5ac6ba6ef7e
SHA1 d11a481bb52f42c00067c224f62228c7b5bf41b9
SHA256 eab12050371e9526cfa0ffb965a4118a76926c442899eca1320c6fc07bc032c5
SHA512 780b678fe4808a2503ce387f342ba19543d905c4ac274d83d7810990cfd6d52616d2d1badfe7791314e717bb3b070b3e530c83bbb16b335cec80488c8abddb0d

C:\Users\Admin\AppData\Local\Temp\mMEg.exe

MD5 08a40691683b4075bc532de0591cf3fc
SHA1 82340ded8d7f7ca1aac763201812c4352043d52c
SHA256 7e126c493efc1ddd702087169d654403ac3a072e73c89acf26b2c62db6f1c5c5
SHA512 cd9a0c0fd26001e63be618b6d04163b5012bf74490572a5741b05e07745d8812ee3b0707f71443fdacf620cf858584d187975c1eae8edd5e41f366fcb0d2f3f2

C:\Users\Admin\AppData\Local\Temp\kQcI.exe

MD5 0cfa5cfee5c5a3ef3022d7b26fba3642
SHA1 a8c841ed3c27aff81f1bf43e7c6dd1a9bc9c57f2
SHA256 1f9918b5008102e75bf1662536436c10b8804803183660b0c3889a12cdc69892
SHA512 0fc6b9691941874e6b50f797906fe34cfc9abc75d32c25a41d4e672e0589cfb1f8af768e66422705cdf21023a26b25685bf801582c6db754bc518d3288a8db90

C:\Users\Admin\AppData\Local\Temp\yUwi.exe

MD5 431c73b3167fa5f68113c7d493417f3e
SHA1 ffe194cb4e44b119f75fa36329ec916785925947
SHA256 576880ef458b72ead9d4cd9bd95c04afed12e748656b25d9f34f4a722085e577
SHA512 e19ea0aa388d87cf6cba482ccba2ca787089febee3ecc16e14103265004bb3f04d9aac9cc35b56fe4be0094b11014d27b0eb43d70c7cb853dcc384ba9adb4e86

C:\Users\Admin\AppData\Local\Temp\eUgO.exe

MD5 03ecde6687470b9332a33fc7a2f27c21
SHA1 7b8b4427337260741188cbc920ab0c61db15d441
SHA256 7ff1003c581ef6b0315664a7944a774b602d7f99a91f512da185bad9ad289259
SHA512 627c74dfd6daefdf8db23af4e926ec374e1c760cba56f71e09e8d3a7fc4df31b665195e8c7ab70f70aa18a91b8824cddd80c9055f78294159194f12ab622de97

C:\Users\Admin\AppData\Local\Temp\YcYs.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\aQMa.exe

MD5 65037b26239b394648fe8c219e037066
SHA1 30cf8cb7075f0e6fc8bee053760978c87f3fc1ab
SHA256 662ed067b8d9c1a3395ff6eb7e4dab1d55dba4c49190d3145b5bb8798728de3c
SHA512 1a39ea05aac510c8343693c7640dd3d3a597721bbdae2c6f2678a2ba3b6375d575aeff68bde1cbfcd9a6475147b848091e0d1906230f025e84a0f8b5fa3e364e

C:\Users\Admin\AppData\Local\Temp\yIwu.exe

MD5 e1b2cb10c3c8b1fd34dbd79eca71cb74
SHA1 c86b43128b436b30e19c0842c89b2ceec46adc5a
SHA256 f04c6c653b3ad278cd2e93e52774121df6a1a8ceb1f973d16e1d75695fb40960
SHA512 64109d51542cfe6c6c71b67acf85aad0324f4dbed15b942fee1863f515bc615f5913816401796a505c406d6837009237b64f97572dc792d83993d78ad225be32

C:\Users\Admin\AppData\Local\Temp\iAcY.exe

MD5 bdac4cf7ed5a6fe183bec5d36f86305a
SHA1 12fd24ea7fcb1bb25690132ddebbad945e4fd180
SHA256 f891c15ba3f2faeca50023269204c00c91ac12f96dd446c1c91ab3215cad80ae
SHA512 569e1fe170b4431dcffba9da770870f445ba2aee8d18c0eae7a235a6028174a61103a515afabc4aacb34ff63730b62ba992aa09bf579993abf46310d513711a1

C:\Users\Admin\AppData\Local\Temp\sAMq.exe

MD5 ca7bcfb4dd619e4aee3a4262f4b0c121
SHA1 25e616c9a3c065bf96131c9c2cd4ce67065a0c0e
SHA256 6ae3ce31542e555d097a81569ebc1f9cb3c5f1317ef211ae41ff13cb51dcee1e
SHA512 c426e757e8ed5711296b0d1e55ee53536131387dfa37853c6e26df0deb93e7783ca07990df6af7d3f3ee423089d8634ca6509ba3a8ba820fd523245d6b3f3278

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 2eedd865a1fcc05d749a3c54964c409e
SHA1 acb8019af96885c202c5e0b4d8de531d0b68109a
SHA256 28f8fc08941c4ebb7286175c02929d9347baac884e3d91a312f49d228ea49536
SHA512 c7ba318fa279cf8b5cbb33af4a6c0f7ed8ec736f23cc791b2c092c9802204852d5f136c872de0d2e6baa0460db2f316673a012d16074c9489d58995d06f0c832

C:\Users\Admin\AppData\Local\Temp\mYUA.exe

MD5 74e730e100cc7cf2ba72a93af7332d70
SHA1 32b48cc13cc9ccf8dc78bab3f9b898500cc10aa7
SHA256 1e402c52db699fae47c7cbe472b5d02a6eb23ecc27d0c0091a65ebcbb5e44b05
SHA512 39728c8c4e4c3ac445d0968edae7f843f9d262f0033b7b5fea5c4fc243c9be32b0e284b977eb666d6aeb5f5d902abdac24708f4a49abd6e0fd73366081c9181b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 ab7d6111b5e0f10fa9cefcd47d6b429d
SHA1 1c3c9e8d814c5df96ebe960e6c7b8e36b6da9e80
SHA256 914a4925f3b792c7f6147bdefa87175b4fa6f782431a5f4fdc061af935ff1863
SHA512 a1b62a9542762c37e89b0aaf6f9642dd1050c171188e5f02467e116b10cde1aba2dcc7901cfecb7d2265442165150a1aa64784b69e7a701a6ebbe64e153c1d99

C:\Users\Admin\AppData\Local\Temp\Mcku.exe

MD5 41586d12b5def4c74bb318cabc5bbafa
SHA1 8233ad39100e40f5d3f63c1e168d68a7047ac6ac
SHA256 78530cf26234be3b66d9eec39e9941d11fb78a0c1365edf7979934b82aed5eec
SHA512 3ac1fe15f80b7e0d3f2a2bfd54963e20c502a7ea5463b70ffc53a1fded43b9ab3bc8f153cdcbfdfa7051f9a677b8d067f104b99b1dc036b8c90851d8a1773cdc

C:\Users\Admin\Pictures\OpenWatch.jpg.exe

MD5 9e79ed1b76eb2fb6e80d6f9269c5a65c
SHA1 66d141d88ffcd6af822d17613a09829d3daa7c2f
SHA256 19c5d47a63e8f405aee86e640aa118a51b15c0523b0e0420c950976cecdb1964
SHA512 6898738ab32e3d33d74b2a1bd089a28a338c6870405a842adb2e4624fa3345043c43ea743a9521e025852c0417becc373f75cf7c4565b733f0c79d1b5e617bcb

C:\Users\Admin\AppData\Local\Temp\KIQQ.exe

MD5 752ed4204ca02158dda2751b87bfe451
SHA1 a250da1b120378abc4646547a0412dd37cff2333
SHA256 bd999ef0677bf4815fdc5b94e83fa848e1121b7029df3dc12502606acefa41d9
SHA512 09f58bc88a808f7a56cc82644277aaebad80d56a3f3f581db21be21f8fcded1e34e29658cee3b7b1ec44149123876d4b0625c45d48b677c954e40c4e9139c55b

C:\Users\Admin\AppData\Local\Temp\KQEe.exe

MD5 12a0c33bf96506852067dab9074cdcd2
SHA1 5f6d62d1309134f9834fc9769ba5754d408579a8
SHA256 2a3ec0595605eb7307ec9feb0d34e9e80139920be334cdda7e16b00ece04cc45
SHA512 14db864058d8ebecf98d4769ab2032f7b6d95cd7b1eec58d04cad7f565addd7d3a4e30659007bc6335b386a94ac03a93149bef3c425b01a605c79dd8958dd7c2

C:\Users\Admin\AppData\Local\Temp\gUQg.exe

MD5 8cf28023b7c4f2e0298dcd5bceb6c3f3
SHA1 c8e06cff4b7f00e54ba004518bbdbb06807a8efb
SHA256 49dbfd75b07d057800b5085445a6ac4be4c436a88a46eec58b421b7ca4814139
SHA512 9451c7b533fa05eb58873ec9306623c74ff19ca99f099cbc9f70aaa3e77715c4ad248888fbe43dd9dc37c9ce4de338b4e1968288929b99d59c194df012423c02

C:\Users\Admin\AppData\Local\Temp\MwAm.exe

MD5 f4b7e2b046da0b45b19ab5994c0b25b2
SHA1 d568ceb007b30ceecb7faa4bf3aefaaee43c4334
SHA256 1f540a873e91f6c166a5e00f4bd4c4fa7ea69df20d700c78e27358aaa01ef582
SHA512 35d943b14c5088f0e38e7943f5361410ea2e075f3248b1ba43988e593469c7e6a031b8b38f872b372d8cb2a202cce1a174f8316a26df32c5ce033e51f1959629