Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wh1cbsxckr
Target 2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock
SHA256 2decc0f00c6c2cf12f558ac9d0d2282124e2c99e1ecc6cb67a2cb22dea5a02f9
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2decc0f00c6c2cf12f558ac9d0d2282124e2c99e1ecc6cb67a2cb22dea5a02f9

Threat Level: Known bad

The file 2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (87) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:56

Reported

2024-10-16 17:58

Platform

win7-20240708-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\ProgramData\guMoIwYM\yIAkEYMg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yIAkEYMg.exe = "C:\\ProgramData\\guMoIwYM\\yIAkEYMg.exe" C:\ProgramData\guMoIwYM\yIAkEYMg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MwIMccAE.exe = "C:\\Users\\Admin\\ZEAsUwUg\\MwIMccAE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yIAkEYMg.exe = "C:\\ProgramData\\guMoIwYM\\yIAkEYMg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MwIMccAE.exe = "C:\\Users\\Admin\\ZEAsUwUg\\MwIMccAE.exe" C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A
N/A N/A C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe
PID 2412 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe
PID 2412 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe
PID 2412 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe
PID 2412 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\guMoIwYM\yIAkEYMg.exe
PID 2412 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\guMoIwYM\yIAkEYMg.exe
PID 2412 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\guMoIwYM\yIAkEYMg.exe
PID 2412 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\guMoIwYM\yIAkEYMg.exe
PID 2412 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2480 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2480 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2480 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2412 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2884 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2560 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2560 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2560 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2640 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2640 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2272 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2272 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2272 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe

"C:\Users\Admin\ZEAsUwUg\MwIMccAE.exe"

C:\ProgramData\guMoIwYM\yIAkEYMg.exe

"C:\ProgramData\guMoIwYM\yIAkEYMg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\usUgoEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqIsscgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMMAIEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\veEkokUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIYMIgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGAAcUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUIQIEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OuUYEQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqYkIEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qygsEMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqYUIEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcEAUgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hiswAQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWUMEEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSoYoAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCIYsocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmcIQokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcMowUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkkwwkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQcoQgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\daEcggEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAcIYkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcoUcMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyEccIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQsUMgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoQsEggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWEcwwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYscQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIQIoQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGUAgAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSAQwUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWUIkEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIkAQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myEUQsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19826594101817433747176736976-1996868839557040237-2111516108-1819257483-397592045"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IosAUosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1390387873-9230220021910189429-1520912856-272110753-739077850-16264116431520703260"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lygsIkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSEEEgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYsIUwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsEswgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIsEcMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMQcIcwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIsYsgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsAEQgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEwoYwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEYUYgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAsoMQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jegIogIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyMokEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaIkIQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuMAQwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyowUQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGcAQUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIIMckYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYgwgwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwAMogkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoIkAwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiUMsYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiYoIswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAsUoIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyAgQsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\haEgUgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\doYoYwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMAoAAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAcIQUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOoEYMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCwAsQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaEsAQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaYIMEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiwwYQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEMsMkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2412-0-0x0000000000400000-0x0000000000421000-memory.dmp

\Users\Admin\ZEAsUwUg\MwIMccAE.exe

MD5 40fd68483c4fc3c9d3f32684da006229
SHA1 9e3efa80a52f35ae4868bb341e63f6aaac20d192
SHA256 0add44c10a4a380f5561c5943a98d176cea057e5bd5ea124de55133a589bb87f
SHA512 72316f6451695f0929f6a5bdeb767d77599eee34d9503f52161ffadec745415c2e59c97a7bfaa463041487a6f2174ed6b4d01ff4585aa9b2c29c1c986d40bc87

memory/2412-4-0x00000000003A0000-0x00000000003BD000-memory.dmp

\ProgramData\guMoIwYM\yIAkEYMg.exe

MD5 c89877c3ebe3a327f435f5c49bc8e5ac
SHA1 21e77364dcc15e877daf6da9399811a1f231cf40
SHA256 c7054a07571c63983566feaef7a6f6888bf341f3d875cb2e881f7c84f47ed1a9
SHA512 62fa1998d69c7f9d0c74c65d2f3cc4370def22eac16ab4587c1179b003852ef6126a601d30ff80366dfda82f99e84a8b103197e103e95ca6a9ff5224d1dffece

memory/2300-29-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2412-28-0x00000000003A0000-0x00000000003BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awkUAsMs.bat

MD5 27c66b4f617f751b2b28126607d896fe
SHA1 0e11140d25ab132fae54b10e036dfacfadcd8957
SHA256 3b4cb6d7e7cf0a61bfa7ef2bd32d453c5fd2ced72eea8f2f0772e851759b1449
SHA512 6aa195aa01808229da8c980ee35b1ee30e3d8d5cc1a3d2c82959ebb7fb7ccc94784670712e79ba1a513ea1c97d408be3cb79687aa454b0aed0c3034f12aa1e42

memory/2480-30-0x0000000000170000-0x0000000000191000-memory.dmp

memory/2640-31-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-40-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usUgoEIw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\LsksIIQY.bat

MD5 41436a6f58bf0f252912505a45893f96
SHA1 d97dec0ff5e33591e7a5862d7b603d910446b046
SHA256 6ac79d8e2c363d27c4d77bf2fe4e2f4622a93f502b2ee3ce207c77d193d4d912
SHA512 e36ce17bf98d6a1a798eaacecfdd2ad4eebaa8b758f69cf8b2b93c74c9748ef8ac5603f1ec0d14582600c4033d304f696eb1d75b34a873ab0cb5016d98290f2d

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

MD5 f598e9820ec2badd9796e258a2906231
SHA1 436252684b0b285ecc2747aaf1cdf1e4e67a6eb7
SHA256 49da8c24946900bd5af73c70099b775d1142033a25b347dd5a21ca68cedc7c0d
SHA512 e26c4b70ca14d0790d4495d56adf1ba87b0f4a5b86e87a9e4d3a9466443c6641e48f493fbbce29e9610e39ec0c150ed8bddda4e898760aa9f8b83bfb51df1f86

memory/2604-55-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2560-54-0x00000000001F0000-0x0000000000211000-memory.dmp

memory/2560-53-0x00000000001F0000-0x0000000000211000-memory.dmp

memory/2640-64-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zQoMEMcA.bat

MD5 0950bf686c62c1c344e7a29f566746ac
SHA1 dde130a3138701468fb26ce27e404490b8e86157
SHA256 99666ed4a5fe714e2b526d378c8838b2c27d7af980a9ffbda6fcb3c6543b9d16
SHA512 56ff45cf7ba3ae0b2420632176349966d69f0230f3e636c0e42ddc1aed3f0e93a44ec410de96ce022df781ee8983179a0d18323c583cdf6dd00dcc8347763fd4

memory/1956-77-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2604-86-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xiscEkEk.bat

MD5 b0e95e482f0ffb9058bdc1675f0ba8b5
SHA1 1cfac075fcf12ea623208844a329b3b7ad8217ce
SHA256 e83ab55c90a23d863d187a33ffb92572dd0926b7ed4e69deefae7a9d0b798162
SHA512 f2dd205f4a0158d76e1ddd0f9c571c4c251fa01df42a98ff976716b300b01e38097d507bac9dc6acd051057f032712606f7d2bc3977805f5096cbc3b9c3422a8

memory/380-99-0x00000000000F0000-0x0000000000111000-memory.dmp

memory/2744-108-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\piIsckcI.bat

MD5 b5029211db01ad323424ef72c4a4816d
SHA1 875e9bb945046aa8f5c52dcd3d3d9a049018a38e
SHA256 f26ebbc13b93550660115e331cafb91776e6181b9a1cda0bb5c6277e56ee82aa
SHA512 72d7bbe2e580ba28a710d9bbf2c0ae37777ecd36b203bed3cb4a4fdc45e7eee06773d187d1bae164fae3f935ae19d767a4618c4829b6b0ab5ba10b9c897b20d6

memory/2252-123-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2056-122-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2056-121-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2160-132-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LAUsQUcc.bat

MD5 7ca1151ca7ac738f520c2df5f22b76ca
SHA1 46497f7ae54a63bb81edd3644c94102e861a3459
SHA256 d7e4ec82a93d7ce3c8afbbc69a0e561337e089842a97ee15ea7cdca8b2f9f65a
SHA512 4bafcc1571a1dd91403bbd5c9061409a4278ee6daf68d6b57d72836f77539922103fd0b95bc64a16ab8e1c9fbcd82ad55cd5c280e7348366ebed6325c2011fba

memory/1700-145-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2252-154-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OMEgcQAI.bat

MD5 2478c5e91188f0c4c9318aa7f61539f1
SHA1 ba2b523de86a7abb70f3e4b56c331d1f681d74fd
SHA256 50599278e73df75afb4bb42069266d28647d9a70d7d0721e34121eb94cc58466
SHA512 e82d0fe36eaaf48d94c2bcc5c8d0daf8d6c496e3d1b260fe7ba0bd609a81227c7e36d87bd27a7d3ab46f439f9a07f20442c06b2aae8e241b7aef6b290b23857d

memory/2656-169-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2656-170-0x0000000000160000-0x0000000000181000-memory.dmp

memory/1700-179-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iQEIUwEM.bat

MD5 4986c1f1a8cdf7f3530c4d0a42451c6a
SHA1 e9d61eaacf1e72e145c4f01cb4dcb49fc4c9bb9d
SHA256 684dc27d226ad0b89f0759fc5ec48f7a1207e9fa3fcc5c8efed77e0ea16ed2d2
SHA512 6819fe768869a7409e48626cc863a9e786ff14723c3ae4cc8b190b56020eed6f7cf3994885261817295d5cbee19c0ab647db1d0a92ec7a79b36a3da418f2c6bb

memory/1596-193-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1596-192-0x0000000000120000-0x0000000000141000-memory.dmp

memory/832-194-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2808-203-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GwIoMMcU.bat

MD5 1b70ba81a02023c20dd374c87a5274c6
SHA1 71862735f2145d672b45e0cb592fd03c5cd8036e
SHA256 b1469e66490b54869e4d73f5042b409e4369ea1335f2f1f163aac2a166d138d8
SHA512 abb183c0a93dbd603cca3ce44e93ceac74bd394db7ef35cd7c468b98aac7bb3dd5d7d13ee2b01412a0a844542606f91feb1a26608ec3f6a754e2a3304afa7632

memory/2872-217-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2900-216-0x0000000000580000-0x00000000005A1000-memory.dmp

memory/832-226-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WiMkMooU.bat

MD5 96f77904703b3f07510865e63bf5e52e
SHA1 f7b9edc2914f22beb400548e6082e3b1b5b7a19f
SHA256 6bac5a6c1016b762fff21283cf8c9a4c612da66cb2e514d0da0ae595517612ab
SHA512 072ea8e53b2ce7b2c1640a03268d66e7d6ac05b3b095088a808d14617cb28ad3e7f7db66229e65778bb29070c01c6f9c66a3b18cde686b564359d2fcc45346c6

memory/2952-240-0x0000000000400000-0x0000000000421000-memory.dmp

memory/736-239-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2872-249-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luoAAQkU.bat

MD5 b9bc8444f2e13385e2cd8786bb6b0a14
SHA1 bac78a4bf20e2e4cf7361c5f512361e0075ffd45
SHA256 0e4c0d73a6c4f31bac9e78650123b384a6f406601d0f46085501005a7270f11a
SHA512 f8e1e223069ffcc7afccc2ad60640c4edffdd61df28b747af47f22fd3e67b21ea0a381864e938c4ed013aad1e61914abd6b93ae36881b2a3b9874ce7abaa1ac7

memory/1748-263-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/1748-262-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/2952-272-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nggkUoww.bat

MD5 333b0bce0d9d7c3965bf9a8c992dc55f
SHA1 3b0a5d92d54dc42dad3d7c296faaf7537893eda2
SHA256 cccd68fb6ac509be090bfab3a64a2c96a28a95580b5783d1830fce6ee4d366bb
SHA512 e655fb5fd2451aec5abdfeb7e38fa664b705701376cda5e0bf8131594f14811108d60f9d1e037a5ea98c0578f8a9f69144e8bca7ae6106a30248e0f491b75d4a

memory/1780-285-0x0000000000260000-0x0000000000281000-memory.dmp

memory/1780-286-0x0000000000260000-0x0000000000281000-memory.dmp

memory/1600-287-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-296-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hEgowEAI.bat

MD5 d9ac5c7bea97f59675ecdda802a6496a
SHA1 424e4ee8e5f714391651cb1af2fab51ba0664aeb
SHA256 999901e8b210bfb68148c24836b512f3e0242cd6804ac1914b23295f9f2df4bf
SHA512 5cacaf58d553497cd09128e1139e6f66224ee6c1be905437b66debe03cd38c640e888a8b5f302bbdbf0abe9a761cf30d533ba18dc05cb7f8d4e7dab24b332734

memory/2988-309-0x0000000000170000-0x0000000000191000-memory.dmp

memory/1600-318-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VOQIkMgw.bat

MD5 3070cc4e3aafb7a238c7d1ea94d70c1f
SHA1 775f6aba80e2298a8b853c2cbf003ac16a958edb
SHA256 42a22ec0dd42d4baae95dce5fc9ca42f5627eb8671e5ca0f2bb8979e1f4567e0
SHA512 92f1003d20aa81690fffd87873a91877016ce8fe36ef4c2731dbbcf2897c0899cdfd5f8026bb271848729ff2dffbe7fa9d67866e13cc1ef62a3ca6e29985539d

memory/1340-331-0x0000000000360000-0x0000000000381000-memory.dmp

memory/2596-340-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BcgsMAAk.bat

MD5 0e721d6214de7fc9254eb7901b931b30
SHA1 3697a2360d7dc6e013a801e2ecfc10b28df36bd9
SHA256 12aba1991789a7a32ac224b40bce798b685bbc54ff0a3b567dff58cf898e2d8a
SHA512 5a5c70e61a8e2c168ddff92e801cd4eed8daabc686f1fbfbeaa61e6eabcb8f3a44b125742d027d49a436850f4939211428e9fe496257ee5051fec9bd2e5442b9

memory/2776-355-0x0000000000400000-0x0000000000421000-memory.dmp

memory/832-354-0x00000000001E0000-0x0000000000201000-memory.dmp

memory/832-353-0x00000000001E0000-0x0000000000201000-memory.dmp

memory/2600-364-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QAMsoMwk.bat

MD5 c1f13410e6171587e713ad0ba050dda4
SHA1 edc503191446a0598ac43ec5fb35b741116a1a98
SHA256 04383ce9a905c910ed6e221f2fc56176194c67bfcbbcf0cc2fb229208387231a
SHA512 444cae9e6f116c3ec68e737166c43b34e6f1a85cb9ec2e5247430f8538477b010d732d7f75ec1f635bd1e8a3b13597a3581e1b627a4912c8264a059b2110c41f

memory/684-377-0x0000000000380000-0x00000000003A1000-memory.dmp

memory/680-378-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2776-387-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qqkIAcgg.bat

MD5 b3ef00291e4abe5342859c524a2bc528
SHA1 4f472d4dc752ef13f5d016c8d47859b91b0469bf
SHA256 5a17280af4795c611465bb2f414222daf3eb152f7f362611e2ed16c77bb393b1
SHA512 4df13db6d0a600e758c3a3ea64a5809cb816e269149f7de08707660b85a60c135872688e2fa7d0604bb5bdc198df8bef2deec2bceb0bfe650158774ca2cc1649

memory/3004-400-0x0000000000310000-0x0000000000331000-memory.dmp

memory/680-409-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IAMsMooI.bat

MD5 78fb82099fca5286ce89dd6f8096ab21
SHA1 48308f4f31e587c7d817949eacb3db3f2ee21f91
SHA256 9df7211437a02edf6f10b9967bf0278a1e78057b8cafdaafdbcb72c7032b3225
SHA512 a3b30bd57d3929053321d3fbb45d9a3abd075e68f4025afb848e2619878930db0de66881c6939ed2de84ba228daed8faec9836b75ad3ff7c21ee5a2aecd62390

memory/2688-424-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2664-423-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2664-422-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-433-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcYcEMEU.bat

MD5 ba7c7e8da674ca135890e5a6e5a427da
SHA1 5f23d27b37f5b54d9e68b3c33497e5adea6cbb81
SHA256 250bdb99dc4caffa7d122d671868a26a2c5ddd5104c7ad069bba159c6aeb8c11
SHA512 99584e585dfd082ca3ba43867d697526b20eb2d0b3f5587c9b5500f702c5cc589f1a20a5ccebc4ed73cd43cb269199233fcb71c650f8f8cfb5fad0ea09312a26

memory/2880-446-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2688-455-0x0000000000400000-0x0000000000421000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\OoQC.exe

MD5 cf351460977e2917068b5b56f076412f
SHA1 1ddd5d70f02671d8475742e0895fe1988f79d93a
SHA256 56338ccde50f8cfd7482270b94ccbbebf23a1cf08e442403a1da14aeb03e6afd
SHA512 1d818d693d14f56616915401aec40ba97b62092467fda91db3cc5951a74bd9e077bc5d6602a28dfa3ba134f1385f5855cc603e76840bafe29f2c7871153301ac

C:\Users\Admin\AppData\Local\Temp\ZqYwUccw.bat

MD5 e14ec36f4857603053773162fe360f66
SHA1 fccabe8ad33c7db62647a92603726dfba0a4c206
SHA256 b40ea4da264837e3abffe33b67454edb206e09711bc8be55aaa11a85650aeb6c
SHA512 574d843c5f17f6738ded39169cd5133f708510b2589b5486dfd3b7d5b37a3c67bbfb236a3bb958cb48d445da6369bb974e3824325700461ef2d582ce9ba6d6f1

memory/1620-482-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1620-483-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1052-484-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-493-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQEO.exe

MD5 649c5ea0d61e8a7c2d664634f0a66a62
SHA1 78bb5af3c44e75017bd917bebeb5b8c2f42d6543
SHA256 7770afa5a5aa20f7b02bacd90e92091e212222999de0e05b0c7a5a80305c1f27
SHA512 5d0cf702190f9932dc183a6d06eacafc28dbe471921c9a49a31fa8f807c5eca95683500fa2c6f5a7548dca3d1fe049bca3bb3c970af6bfe48dd0add7d0afdb6f

C:\Users\Admin\AppData\Local\Temp\EQsG.exe

MD5 b2b383c6bcac130079db5b5c6f04d5dc
SHA1 afdbde335862fe93c6776eacb39b379e567a2fcf
SHA256 4d8e861330af975725eb65c8519f00ed11366d7d3dad270003629c85eced27be
SHA512 4be853f0311df5cbed407612f46cf81a23c08a0e2dd6e654e76c60656e9c3bf62f05d1df3d3c5058b7b405e83bae4147c45adedfcda6b133b2722b51dba5a825

C:\Users\Admin\AppData\Local\Temp\oQkO.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\ukcO.exe

MD5 8bdcbd07beb6ab1c467ded9c2a308e17
SHA1 e73b43f19c71781ffcfde00cdc563c1ec55b8aa5
SHA256 dbcc7d6c7a3f535b06df53097d767fab0ff8fdcc6a394ff5c63875e23be8f07d
SHA512 53af2c6902b86c04201ae4266b17d1e0d3f23402d8ca27752f79aeb89a69652b01a21ad73f53d150647aed555684563d949b4c0415289c35c8ac7d7ea39ba6b6

C:\Users\Admin\AppData\Local\Temp\ZisoggQE.bat

MD5 897b08e3b5257e0764b595ae9662ec97
SHA1 40eb62b35ad731db6d2dbfb3b1512ccecee892fe
SHA256 a0b2511a2ee7b059a593f149947fdb3a4f8fbf8868d9986ff54bbfde786da2b6
SHA512 86b7e7ee6e79e43faffb874baae19fc85600443e42203da69df0ec66dbfded5f6092990228bc22ff9980eb2c11f929f3345268994c6ab8a8a5952fe21772afb0

memory/2248-543-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2248-542-0x0000000000260000-0x0000000000281000-memory.dmp

memory/3052-544-0x0000000000400000-0x0000000000421000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 d653581b7f49a67011cc2ca12456b7a1
SHA1 824a4b08077613281a7f755c4392eb06a0162aae
SHA256 57d088661f6679f970f8cf4eb0de7ca5d0501bcb481fc6f04754859b26f8d617
SHA512 70ae47f230ac45c24a8877f8a4bd7e2017fb479a098ab1ec4bf5b31f08793215d50e827e747e2adc81bac0f72f8801d616ffefed3abda1293df747a8bd411c2f

memory/1052-566-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agcU.exe

MD5 ba4b6171c807b32c025c17a4ebd0bcf7
SHA1 ee15d9c7e09580f7cd6e33c7634532621e2f7ee3
SHA256 17dcbee2113ec1e79ae65f863b10b8fe797ad425eec89c72f6c95757a6e9c853
SHA512 b521f028f9b1d74daec5d296cc9be82ddfbd82877e572877d0b0a43d6001909573224bddceaa341d7255e088a8aacdde5bc3e6ff30f95cb2cc42ddd6ac7a6c4a

C:\Users\Admin\AppData\Local\Temp\UgQQ.exe

MD5 f8bc5f39eae6e24223e852ad9b84f057
SHA1 ee3d1b81ab92d0774effd0cc89d49390ffb89ec7
SHA256 c2ab7ae693da382d0b68121a0a64f18265b9152e1a7f5e3c6eccbcf01d08c07c
SHA512 fa350a8ed7a186405886256842767c9a09128152e9fa099afb86bbc09805f1262cc00aa86b26bcb573af7585025e4f0a4ba5ad9e4400fe73136eb4e05eecb7f8

C:\Users\Admin\AppData\Local\Temp\wkMW.exe

MD5 33fb77679f68d5d8e6bbd9acbcedca74
SHA1 195c1abcb4bdc646706428a5522a061b172469fa
SHA256 d1944e55b1754848e61b5c5b462b224601bfd7c781d1dd78c00790ba241f1abf
SHA512 269a084e042b38c21108a2c6284754165143e77cd6a9cd8fdd3602105018e54b0c09410cc45f706f25e699ff0fcd4e7ef7fa3712e83e0bd809b4f4c0d0d8c186

C:\Users\Admin\AppData\Local\Temp\baMogoQk.bat

MD5 ba27245067325d683009f9ff81840e4e
SHA1 8653091626c63448344508473ab2d307fe7d42eb
SHA256 0b6776240780d122fd54653288e887122d6328c09de00cc9c894186f667918d4
SHA512 08258fc01eb1129fee4a66f15012d6965a7ba2598da4164ae90b00e19dd66dd53470cb15bc74717e9d6a1c91f2a55ebafbab30410bc98c185ae590f7db18ec11

C:\Users\Admin\AppData\Local\Temp\IkEq.exe

MD5 cd2d6b8343ebeb6a970446bfa76c5ec0
SHA1 1966fd28742cb9f8ddde2e9cbd82c19d0423366b
SHA256 eb641ced44c999f08d24350387ee1d8126fccae83210eaa45f8e4bcbce2287ad
SHA512 3bb26fe8de8ee8261158013090946890ead804e0d03f658ae24ab36160d61426826ab4387dd5ef59b9da39a9ced5fbbfddab4f0e5890c270d07f15406c4c9e4f

memory/1976-629-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1976-630-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2216-643-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awEI.exe

MD5 1ef2938b799e2feda552b25b4c39b06d
SHA1 68d8334e71c4190f06b399ac2155281a3fd2cc7b
SHA256 9aff0c56c51d7e099aa3b16febb00db01e15ab08b676aec730163b59f0e21d0f
SHA512 71e5b92209742a0f6f9dea227397184e7a023cd6cd811a652813fea576f38fe90d2fda20d0c7ac48cbaadf4a9d4151dab815542e2f1fa952ead5da3968a2c159

C:\Users\Admin\AppData\Local\Temp\eUEc.exe

MD5 63e30852f4bc988206a82fd7e1826256
SHA1 f61d50804a703e64ec0afb8509316c0f44f2a9b6
SHA256 bcf178102791f5406fa5aefaa65d8c2e28145c56ef4999efa1cafce8e86a5d14
SHA512 124ff7a01ba7e27cc24c1eb308990f37be9c13da37f32ea4520dcdac6a6b1739c1b36ea051ae8edaa3f01948fb5887d5d455332c669b8c442cfe91e462d04297

memory/3052-665-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coAk.exe

MD5 abf18e6d583a20e0040351986ddbc6df
SHA1 14d20db7cc19704263411d672a108c6b2262fbd4
SHA256 3b19465ca75f472d40d53cea182be7366143c6d510521e0e70d5f498c3f85bd7
SHA512 b1fbc2387709fdfc21273d4a7649868fedd86df4f8c986c9baf3fa7e871b35849c737e3f0f1743cc735c0738e5878ab05db9bad53520fb2b6474443749b35e71

C:\Users\Admin\AppData\Local\Temp\KgQo.exe

MD5 1676e98927832fea66b9750b9aef7eb3
SHA1 78cdce54292ab1c59b44a6a11dd1d41be498d3a5
SHA256 773da295ba2f6f11f72485a6f4354bcbb13997a5807dbf13f43cca0d5ca71d09
SHA512 3ee982dae9605ed194472000ac78712d853355e0865342b0aeecf80fa5433d5c2bea9a0d74d93b563db0b054b93995400c8a6e6c09e33c22291ee6ec59a3feed

C:\Users\Admin\AppData\Local\Temp\fIAYgAMs.bat

MD5 196005021861844c19df1ba163f9daff
SHA1 5b1fd2d0cd2e5a6f590465dcbf537b4c0aa5d120
SHA256 ed4e92ce2fdd7f805d62b7262f11f755ea81a7eb658fe5c9cb210b5820ef81c1
SHA512 15407dcf55920a0c7eb51b3639e7056878078d2004398967bfdeaa2e4e7517ad8bf77c1fe578ffcb9955b1ab63b922fd4e57e6ec0d144cdb2d07d5522305f298

C:\Users\Admin\AppData\Local\Temp\AIww.exe

MD5 fd1189abd999c44ee59515225d89bee5
SHA1 e21601a3a3dc8535b140fd6abd1d6249bdaa76b6
SHA256 fa085fa33e4475c19c48a63d96b4e098fbc067977eb94546617b1894ca8506a3
SHA512 99c325f0baea65bdc403651a7b3c59d625def1b3f1d95d64bbf87cf27b7656c902399987b5470ba25998cdb2a1690b2b706059312c1b33c73341f7176dc48945

memory/1820-726-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1712-728-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1820-727-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2216-750-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UQUq.exe

MD5 8c69b57d32075e0c875f164ae2c91d48
SHA1 3619eac5ad2a19f5f8d946db647d807a82d9d33e
SHA256 00c3e8b44f2b0158ca236d692bb2f2a294c93abe056e8573eea6df0f50a057a7
SHA512 4fca9ece84a862c97b91995a89353a7d9f299fc35c739ed7eae9dd243bbfa9ea2d0b190405f18dbd6d78ce3d2e3e10ed7eb69c0f4948fdfa37908fd3c68ceb18

C:\Users\Admin\AppData\Local\Temp\mYce.exe

MD5 e249ff4138dd937cace0b11a8eed8b6f
SHA1 cf2c31ae088e1feefae4107b3b2caf16ff37ccaf
SHA256 7b7b83127d9d0b7167ea87c43169dafb8ff7bddc7d3d41f191aff896fac3e606
SHA512 3b25371acb4684993860708162048776c19daefe1cdb5a55a472b46146bc154f94509261f77e186e2a14b8677eb3476f717ad6e90f9abf7918217bfae067a803

C:\Users\Admin\AppData\Local\Temp\WYccoMAw.bat

MD5 9e29d2964196cb15be8cecfdb6a8bcf0
SHA1 5d2eca3571fef2f5a5dede7d2f79e4a9c05cb4c7
SHA256 d74476bad6112af85f1e739811de3eea002e4007f763afb29bf3989fab8027c0
SHA512 03a6a8a5a91927aa837a425b233a489e818e81bba52bb28018807b434613e25d8fa16af6a00b334263fd68cf85f976a3717e1b35c63daa7b8314f71a5c745920

C:\Users\Admin\AppData\Local\Temp\UQIE.exe

MD5 39549bce74be21e28ea7533d2df19d56
SHA1 48a70de3aadcff6f750a5d9010e362617b424192
SHA256 6ac07981836642b7f23ca60f68c74e2bc0f0121e0ecb41bd9f75721eeeb0605e
SHA512 6d5a891ac1ec290eff31dc627c6943ac83364e4fdd1f648e7e73c5095a1bdb52e7931d7077aac564f183679d0780f5f6403924f043362f21cf204c51be7afc18

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 9fe5f9a467cf5dc99439862ae7a07a17
SHA1 ce46b2b98b6e5fc916a857eb942908e4437f261f
SHA256 ab70d81089b040b70a978db91733d835cb15f13597a2a6864e155fc2fee4a55d
SHA512 af7fa53616f33be194a75c67c444ca3854c0aec33393f18fec404f72837bf4534ffd50a71ab814448c8ba8862f928cf9c1e47c441b2f07339b85ffd82b59647d

memory/1052-787-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2748-786-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1712-809-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ksoq.exe

MD5 9230dd6b5e8104e99cb5877a66ce227b
SHA1 91b343238d815c8e8204af67716e9fadd497e6d8
SHA256 fd6a88b585d2ac7d9ed2cf1911be9838f8504cb0d178ecb6cc4db2d5e731ae09
SHA512 115931d5e9153933331362f73743a532d9141179e872e29a2f21dfffb63a9f9843a97c83aa06ae1f9b075337ee055449bcdc1974c115fa9048094744edb98b05

C:\Users\Admin\AppData\Local\Temp\WIwg.exe

MD5 a5a1c5b9e4bf6c0d7a5ddfbf8a90c634
SHA1 7826ddc48d432fe902811e64be332ef7159cc950
SHA256 bb9c77c48cfd4eb26c4f650de7be671dd00f759537c5ccfca18f17c8ec9fc043
SHA512 96deb0ffb04cb239367bb1cf01fd6649f6ae68e2f588c75f344a4d8e3a0c17f57ca07e6490bb1bd414280d5a83a3f61eb8b3e682b9116fa185a72c2dd630cf2c

C:\Users\Admin\AppData\Local\Temp\KMgM.exe

MD5 4ef53cebe3d99ed68c72d70ad9c387ee
SHA1 0b686e0dfb5acc3189aa87856bdcfbc8cff3394d
SHA256 8c285a590f7c77589a7b59ffaf0964c6316a4aafa9aaf900ebff128320a24776
SHA512 e39bcc874a95f74c81a7c8f0a7d0525c5afeac30e388d4e74e5bf41903ee34dc59098621e5ff1092e400aa0c5eb8ca4ee4ee7fd48b529e88b63723a1910b2f98

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 ee4602fda7e813ee92e650594fbe7834
SHA1 9f10b6880299aca49b0e17596da1b229d82aeab3
SHA256 1cc0ddaf944e27efc2e6a6f7f497f3c49cf54223f1ba80c19fec966153ff8984
SHA512 5eb9bc72f9e725646ecb2421bf85f294b6dadaf989a44acf15680b876a1548cb09bf3208dbc9550d5dd64a3769216c261b542d63eb477945b2280b8fd83b7709

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 80f1e82830bb830408d6d78201e9adc2
SHA1 ba5287c5a98ce481d656c480c6d6f5c4acd9636a
SHA256 c2119b1d247f853b722ba19f6d1565e056cbf6255639ef1207ac497f9eb46605
SHA512 97c99c5cc1c0c27bcb0e1f9c7d1088f171af7f22af1b37669159559bf26c90a64db06575453be6948e2eafd24fb239694d4a4186eb1555707bdbfb605bb5cd5f

C:\Users\Admin\AppData\Local\Temp\eGoMkMgo.bat

MD5 30beaf96e24c4a75ad4425d54f145cb6
SHA1 5e054c64ac0848b640b647a556f58fe7b84ebdcd
SHA256 de27385101572a7fd2dd57dabb0dc455fee2a1344b3c66a37e3f2f329c57e9b5
SHA512 e23974367e5da05a37d234b4f9af6a5d8d3b2917dbf241a09851f5e6d88bde1fbe7cc8ecbbbd2ca15c813a2d082f9e7d9615ea485816fa4aa2900e99d7164fad

C:\Users\Admin\AppData\Local\Temp\Csgc.exe

MD5 53e55b15346dc559d43c7887411c846c
SHA1 3b651a1b20c08472194f9ef021e4c7331774d23f
SHA256 41a421feeb397b00c232b279d53420ac082e67e481423884bb7f8fd3e201f543
SHA512 893234558055cf9d4030ba4c37ecc0ef5f131e1abcca744b392b13142207e5b1230f89047ff7df64049a88e51391e13b993f764ea6c739a4e076e6c756784312

memory/1864-897-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2232-899-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1864-898-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1052-921-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aIwU.exe

MD5 3c8126d0b878f86d0fa4cc1392eb7811
SHA1 c3cc37d057d8594bcf629034e120fce8a8f176a1
SHA256 307ee90a20d9ae58e3f350f38d95ce81d2031eb45f011a9a06310ca3a872b593
SHA512 e3f1367380193709908772a12d810f3540308009cf54831167bb8dc526a1c71d5977e5d20828d0d6f49054c614501ee6404e81e03d21293680680a31209ff488

C:\Users\Admin\AppData\Local\Temp\SwcI.exe

MD5 13939e125b32ba303002463995f1104f
SHA1 08785fa0ee22bdf5d45c436883f2edce8570ac7a
SHA256 3ceee6e8eceae358e6372dfcc7f977b5e91f27479cb484676e112e5f204f8bb2
SHA512 3f4b3a2bf1dbb973e68a1643d0d34d337d565c4f976d98798185a15795477cb932af221fd9f6e92d8264f4612b7051f6e831846ae1f602b3a4417073c5b157e0

C:\Users\Admin\AppData\Local\Temp\UYgo.exe

MD5 b89bd757efd352a353feb29cbdbf5701
SHA1 e73fbdee768e9b9ec5c438f645eac8f73d424948
SHA256 e677eeb75bea9d02488d3e96be07915e1fa7ac6f2bd96cdb03a733041fa70c2c
SHA512 056e3f967615edc95b3d98ea6bc37f68e80e9805fedcb172fdc41fadad267cf39c48a729ace23541a0bafd8b0f6471d0ba6f114d4fed1553bb609e803ab77668

C:\Users\Admin\AppData\Local\Temp\CIYw.exe

MD5 e2027f207245e236f1747b50e0d12dac
SHA1 56f275db0b9f8ed4b736ad67715cd76099443e45
SHA256 762588556e00c170839934e44c2636537a0a36cb45c816dcc8e152b8a7c67543
SHA512 c2913c5080e20ff1ee14bc4f60b7a1a6ebe3d3878e98db28579574e1a67639c9023cbf838bbf3b4baa4970aeccdda18fafdc03cd6c5f2d80cdcc55410c783021

C:\Users\Admin\AppData\Local\Temp\KMEW.exe

MD5 7173c23c413a762bf336ccaa72f4f87b
SHA1 480fed6865e8f92d516e7ec145baad47240c4ef1
SHA256 6881c96e0152316ea45afe13c15199f0f08037233b3ea81dfebe6354af792200
SHA512 0bdf042d1712a97d8270443e857f62b3b7806b0b5371d4e6b97ca68590c501e29a163744497411cd0948bc96bf81042799e7cae71ef9eeddcd4c965ba721e3f7

C:\Users\Admin\AppData\Local\Temp\UYso.exe

MD5 1c35e160bb03d389451550481371f880
SHA1 0be8aae2bea39dce127398dd2f0b269737b63c77
SHA256 876b55a86e58e8cf55842752d7b9888c29d4291c1fad94f8283dd2a6ef59834a
SHA512 2cd3c30e44c33f9445d345e0636db7783b9ffb49375c59fb5c2be971dc1d521d1fdf0f1ddd0f91abacd9de58ee0700fe7116a7cf9b8d5cdbda162a4fcf9f2661

C:\Users\Admin\AppData\Local\Temp\UyQQAoUE.bat

MD5 e22b5ee106c20d28e4032191d1ad6123
SHA1 132f6a6ddb826de9af255559b3155ab9f807c509
SHA256 191162cffc199674b5eab11900e398713b2bbfd3622a580392deb05aab7391e9
SHA512 d4802fd83dfd2d722bf8008872dcafdef323e07c949dc5a030fdff7bd4cf5e2fccd73772cecc4adb02d314a94f8fd979462d44ebb45b1dd0fdc0c839d092129a

C:\Users\Admin\AppData\Local\Temp\ykUC.exe

MD5 999026b31f0ab0d6228940c52d472b75
SHA1 aa78d17700c7c00112a97d4f7a38f5fe97b1f159
SHA256 67c3560f3755bced4758600ce6e0d08e29999f6d2e77e58a1e71661a8b7f29a8
SHA512 97913c7c9c3f54690cb6d37e5fc95bdb6f56036cf27a69ee3aba07955f3c361d9f6aeee83e0208f278b4c29a936ef034f95fe43250867a9b7676ec8f1a92593b

memory/2920-1009-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\goos.exe

MD5 db32eaebf8230cb8569052e379fe30ef
SHA1 ae7e373b0706f99d6b278ba04478ccbcfaf08114
SHA256 46a30862e3f61ed6c116b6beecceddb7ee09d79bbb9c60ce9a62b8cfee23d889
SHA512 e2834ec130158aa57c672557af0d2eb05eb67b05b16fc4776d91b024df6b9cff2378f5c6b6f22673ecb5d8991bce4a573abacf22c973f657a0480e6ade95aa97

memory/2232-1031-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQQM.exe

MD5 a2f176b0cfd9116d04c426e1f0b6171a
SHA1 1af13b6f9b2b85d34812a059827b09f19eaf84f4
SHA256 023c1fd4aaf7906c214d38027d1e1e4baae43c528d43478f92295f25b33e2b3e
SHA512 90af5385d8f2ed2746d3d45630e162fa812f5847c62a37982a87058cb8da4d8eb60c41f9f153e9fc3231f990787c147f7fa2046e722d7513db0d993912b29742

C:\Users\Admin\AppData\Local\Temp\YsEq.exe

MD5 5137ea1d172b1d37b50ea565a5af4a49
SHA1 f0f554c9c0bebbfa835f8249c202875de10d3764
SHA256 d3872bb215ba937e8e7bbe0052e427e443a1be23731f572c995d77092a085fbc
SHA512 e99744f68b669e5d6806dc18e181174cd678bdc7dad21c0fa68f61615a7bf104741cb085a5ff84d159a1511794e1a28a222873a0b772a641b18c3b917d71c240

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 9f35527bebfb3e4a3e3035f32c9942a3
SHA1 950fcbace8972d19389c94d1c2d4244ef69ec2bb
SHA256 999609ec164643fbbe67ad6c9291927d42d5ff383d196a4cf2c7dd54ad865203
SHA512 2e2b52811039b3115c3bab62e23744f1fb0e64ea3e9c344585698de55d4770338c3dd9a17a181abac08d5148f46a5b84adbd6dc4dbc2dfdac99fffade3137fdc

C:\Users\Admin\AppData\Local\Temp\Igoc.exe

MD5 688ce9164453bd73a79c7b3ad1c3f282
SHA1 d8088e30f4038ed33867622dd75913a163c8878f
SHA256 b99a5f2ca797bd2fa9697cf10989cdef503e6aa8e0588d275142256e3fcff38b
SHA512 3eb3e4dc0c04657b1b1357a2a2663a6b105dfe08c243a0b9f87b1bcef8a0d58dee6121df1790c3190da391f1869c881f27586ac3716d581aa3e15e6fb43f62f3

C:\Users\Admin\AppData\Local\Temp\QwIW.exe

MD5 d4d8c06cbfce3598008313d4ce0ef1f0
SHA1 a4a84429b675a52d967606c446b34733fa4256e0
SHA256 239d686a208d96a7839c6b3f1185e86fc9529354a20a813c27999128f68e2c51
SHA512 c111d6543ddde686b2d2232a1c598a4371bcf9e86373bd004233a2001d8b2c063f5bc66192f0a1b7252953e7ece1e42c163463cc0ed2c5f3ef9be353d69d1a90

C:\Users\Admin\AppData\Local\Temp\mWwAMMcg.bat

MD5 16c9ad2c260506c915d146e9d5c21c7c
SHA1 23bd145cbaf2f3cc5df4ace2ac5239ec10bca62e
SHA256 cb959234d0a670ac89e95858abb28e63cd363983e38fc9d35bb550886431d309
SHA512 2620f2e57aff5677c11f56ced6e783a2def3d7ba620053d292cf23494fc329965024cfc42102f0c8b2fe454d0bca3ab310b8957376e98076db01ab2431750920

C:\Users\Admin\AppData\Local\Temp\SUMC.exe

MD5 79e26e9fa915fa9a9764430e41e20944
SHA1 016581eb0326af9a313e7aec6f83a5d31296d875
SHA256 bd0548b223a95e66a7f2e62602a2b71a2d4012cfa19b30d89bfb6c9e08654b4b
SHA512 07b9cf0063e51709be3000821d58c111c6848852c5b128ca26477faf602f21a8212ccaffa9a09967315d218a654866145e875aad068ad484277b8f0626b4e89e

memory/2684-1119-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2424-1141-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwEw.exe

MD5 a1daebde35ba633a1bff3246d3352e62
SHA1 82d055463ea2fabec1f675176bc1984ffe12966b
SHA256 6e711308ef1d10378398d03ecf88443b524aa0f91a9d6b100a9ee81896bc30cf
SHA512 90ffd50f287e994185daa2943532a752c5e3e6a5d2de98edccd92d9cec2252b53f76c15a6fe0b8a44ea845097cf9ce12134708f34c27517a0500bdcbc6c0f011

C:\Users\Admin\AppData\Local\Temp\moYE.exe

MD5 f82c19e6c4c937a68e3d51171580c401
SHA1 f88387ee71329f48b1c3fed0922d3849a2f673b9
SHA256 0f5cd8866953fc10331d94a2380e0385269bf1b8a3e36632f5e9cb915016af9d
SHA512 40fc61b3e3c22315a96fe17b2bdcb769b9630006ba977713fa84473bda8a0dcfec38c03cf74578ea2784b469a587800de242b8474a6a2ae3c73a77a114b49aaa

C:\Users\Admin\AppData\Local\Temp\Ewos.exe

MD5 56a43ffbddfee8da6720dda9d39ef1ff
SHA1 86069361c1459384cd65556d62eedd446e74668e
SHA256 01bba6eb36272879c90b0734296de74ab0515fc22352f45c5ba50f708b5ca9ca
SHA512 74de632ea666968fdb30142b0e6def53264de30dc96cb649b51cc154536d822b6643f4bf3b8c12861b62c50ea9241b1f04fbac2af08af79b919fed2ed0dc6942

C:\Users\Admin\AppData\Local\Temp\sYMA.exe

MD5 6a7631f6fbe57188ce5ce2fcd0cf5aa6
SHA1 8346a6764924d839e6543ffe117ede43453d23fb
SHA256 7401ec79ac6ab4df2201343adc40d7fcb0d1064cdc13c5fd21c268245c7eb16f
SHA512 2da734386a1d6f21f5e9ac4b0570ae2024fce3ffd0acb857cd1d97b13d8b6b4b606125823bcbbca7b0cafd90f50993bc29c844eac9110f421abe7cd8cf68606d

C:\Users\Admin\AppData\Local\Temp\ZGAgsgsU.bat

MD5 802058c66fd88cf6f96eb2742fad212d
SHA1 ad2a778a981087d2acdd55ceb8613dfd7168b7f3
SHA256 731de0f05e2d89f539fbb07ba5f13674b94a3895ef2a2330352ef12006d24067
SHA512 15c3017081a3274ef678c71497cc305508aa3b6ecfe78afa20ca9c626f8532c3a31fb0e1c88daa99d503638854ccf1315b74ede8a4e3ca75100520ffad876d76

C:\Users\Admin\AppData\Local\Temp\CQsE.exe

MD5 3f189b6870f7c9c9692d500fd1d5159e
SHA1 bffd5dff3e653193058513f1eee9472f8e4fbbcf
SHA256 dac90aa1cad00203ec11cd713723256aba3bf139dbed5aa0b6b18cde1e5a7d7a
SHA512 e2fc56b6404cbe4467c352493cb33256c07d7b7c10209cc2f31deed7d306e78106a756a9b42ca7c586e15330159658b0b28ab1ca3f5cc74d9cae92769489894e

memory/2976-1215-0x0000000000280000-0x00000000002A1000-memory.dmp

memory/2976-1216-0x0000000000280000-0x00000000002A1000-memory.dmp

memory/1992-1237-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cUcC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\agYS.exe

MD5 d8b08c880aae110b47e2a28bca2ce7ac
SHA1 a57e2467ed12c1ebd3af548da7dd3cc4ddddd15a
SHA256 a5db1087bce3d2e1d106f760936855d55947d1ee729f87e300e0defef4ef9a80
SHA512 c1fb042d23925a99d2806ef5f5ec2d7a53aa34f84d624ef0b69d9c85bd6aa1ee07986b8bad87c3a9cd3231f025ddaf3231ff270bbe1cfb60bca2305140161b15

C:\Users\Admin\AppData\Local\Temp\sQce.exe

MD5 c5773ffcaf7c6bc87a3b30908c53b32d
SHA1 7b7a026636b6b6932612678fdcc0e786e3c70fa0
SHA256 112c0bdf9f3195d8a694b9f8f303e5355ce2462cc3f20853c752b46ed598af4f
SHA512 a24da431aab94c5d8ef12bc995196343ac89da97230c4cfe1f25be0a074a2c00089424b76ba9a8d7dfa2599c42bd769cfccfe05e8c6f22849a9556585a1dd7bb

C:\Users\Admin\AppData\Local\Temp\aAse.exe

MD5 b93981b178bab76abdf308bcb5d657d3
SHA1 d5bc0f9fec82e7f6434b12e3876f302cc5c7e79b
SHA256 ccbd59dc1432379b45fd288efbbc5f611ec391f3755456c27d2a82ed686d88cb
SHA512 9ae17999b03fb13dc0371761d30a63d9309423c032cfa73ce4f4be3e2c23e0b1023abf043c850930d964e121b36b2587dd4641dd9c1fb1bfbab0ad31209b7053

C:\Users\Admin\AppData\Local\Temp\YMEi.exe

MD5 c2ce75a42675e9002fa605aae61ea938
SHA1 80621ae3814f1c465b3ff72b8169b3cfaeb6f8d8
SHA256 1b8081c726b07d2fd77b6413678a4e0ea140429b032530962cd53e9138558421
SHA512 dc7c8a9d51a9a562caac338dcb890203e4fcbb5fb0fe12ff1ec9bc87f7406f5d813a65bd1abc6e9c358656dcfe60edce3b265d142e7cae17398518ab4c6638b8

C:\Users\Admin\AppData\Local\Temp\xQcwsYUI.bat

MD5 72ae1628e60f30b2725d8dc72f144d26
SHA1 46b299a20923c4326199792d375a646c9972c9b8
SHA256 339eaeb7e20a769e27add4aa0083bfc9363b0e660b2b978264970cac44864a56
SHA512 31cbf6b8919e5a625b89bdd091e6dfcd98157817687be7cd5aa810ce64065e58042b1b35f67f31c027c586c3042b83a3110d4621d3c81784c54338ef543acd66

memory/1540-1301-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2352-1300-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2420-1299-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EsIC.exe

MD5 00dc9ca1970203073b80306e5d63ff7a
SHA1 094163536ade8e5d483146bca85bbcb355482c53
SHA256 b8e289139251592a664e65b230b4a463eaf7999f7ec27116de64aab51fd7f569
SHA512 2b5b87a8fbfc58defac1e63d9a80bfb77dd7db2028b3bb2505b471455925615171211a4c2ef1b9e041816852b67c266ea64121451ab5cf8596d3846e91c71203

memory/1596-1323-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQwq.exe

MD5 0c75f55bdaf9c0c3fbc65eaa525a60d1
SHA1 3430391e037e602e1d296a1921b49b1b18018479
SHA256 3c62294d93d03ed5dadd4192b1e58f264eebaab16bd607ec9de3189bd8d89b07
SHA512 ca825aefee7d1a9645c16a6c7808d04dea9be656f487f78446fa38a40a1f5fb9ab8e5914b619da6f4f5f333189eab9e886302a7c84fed38e1d4a26161c0c252b

C:\Users\Admin\AppData\Local\Temp\uIAQ.exe

MD5 eaa1edcea679a82a53fa82dc2e6924bd
SHA1 7c8e76da14eed13c9457a1aa72a7c2b46e4e25a3
SHA256 8d0faf63f14d8d8a3edce891322b3d1abb304f00f25ce5613bdf1cf5fc18ea04
SHA512 2c72fc4b6e399ffd1cced57cfeca7e6e54e3aee50c812df82e247f003643552f7a96d75e4f42d0a8d9d2a476523ec4b72227044241dc971e8dcd77cea0162a37

C:\Users\Admin\AppData\Local\Temp\xGYkkwwM.bat

MD5 618e03dc13b73397408e7aa51f45102f
SHA1 61dfd96bb2a2b364b489162e5e51402032d67988
SHA256 a949db0f31fc04aa0f95a07cad2ec52c5a611dc93732ac5f8e5af2913b2bb144
SHA512 1061ea8f45a694cce2a69429a723f747f1c5f10ee8511aa0fbd9270a7c96ac29becf16bea36b63b1de31a19a07290dd124d1de09e8bc217fbe26734468e9fec0

C:\Users\Admin\AppData\Local\Temp\oIIa.exe

MD5 64bd8446ba50a1c9099fa997c19b48ef
SHA1 ac800246f2b83870c77fbecdbb0aa8b744f9d958
SHA256 1f7d7ae769992d274d4c53aeef96aca04084dcd2d87e0300bb57e3b1921c0f92
SHA512 3ea9e00dcd7ddaf44af77f03b47c0c8d5b798aa58f414286a9e362d894560799d4d4e13ccede9f9a47c94c0b186f50ffcbe7cb23c2e40bea433e960f7c47aaeb

memory/2912-1373-0x0000000000170000-0x0000000000191000-memory.dmp

memory/2300-1372-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MoQE.exe

MD5 402742d178c5e474ef0fbde7912080d3
SHA1 9c8e5112c0965855d31ca999f0235bedcedb0921
SHA256 8a07432d5b0fd6335992b79b010bf5d5453ff67795fe103b2f170122b6ad39d0
SHA512 7a03985de994fc62492ea133b134b37323124b35127ac76ddb5975267a56b335697911a39a3c66df2304157d3cf7fba324598c60261047820aa93897488756ad

C:\Users\Admin\AppData\Local\Temp\kkUw.exe

MD5 d030ae4a1abd1b04662c3a88e1524553
SHA1 2487ef616051026062ec0bf7706b4e7282437bf1
SHA256 99fe9b489923df21c231fc4c7f93e4d23964f3e8f776bc2631154167d75dd60d
SHA512 8a083664f3f58eb6c0732fdab71cf4676abf35d34da6f28093307f067b2a45890a8797cdb4a507395447d9b1627424c65dd0ec77266c53a355605d5ae98fcf63

C:\Users\Admin\AppData\Local\Temp\AIwU.exe

MD5 d2f6b55300ddfdc9b31f133b0a96c58a
SHA1 9e7b565190de7f36ff5941846a44286b8c9d63d9
SHA256 626aaf5e00f43101694da8f6816e0b120fd8c9a646044881b17162e33e25fd18
SHA512 38bf7632bc615f938b16a24d9e9b437aed13a3a4166f684e7f66092ca6fd99ca1f359bea7dc0204891673da29d2dc53912e4c302973cbd3bcd43e141025b0934

C:\Users\Admin\AppData\Local\Temp\sUYq.exe

MD5 71bc2b9f4880c706f4607e32810ea3bb
SHA1 111cd91036a96f77e77e6d884b4dd8879215e692
SHA256 95e098123a969d6a2bea3f5bafaf7bb96f5f0f451aeac1b2ad84b27b5058b82d
SHA512 e298c11009bf857b87f88ca050d267984ba43f3b6fe6304a73bb46426190ac340eac064936895fdda85d9659ff0a8bf7c744bf3f6abc2a149896d77f63841a25

C:\Users\Admin\AppData\Local\Temp\gYgQ.exe

MD5 3b32b4a25f905680cafbd16886f08b42
SHA1 cda5d2ef241f83443dea33796c76bfecc85d66c8
SHA256 b96ce59d5e3830d92a04bec9a033caf5df2e77b830598a7700677e71ffbd3867
SHA512 547755531eb465e2c1a3ea82940806ce4c7c2e65c75b05327e9594e6f5ba51a6c25c4f44bf0f72838713ccd47dca4e4ab35ba242bad84f843998b487f339ecba

C:\Users\Admin\AppData\Local\Temp\zKcUUIsE.bat

MD5 837246033b3bc4ba04f8190a29739283
SHA1 3a52eab825eea5b37f208a93a2d06e8af04903ba
SHA256 64c40436b50478272acb46dd408544c5bcff7a2f1e6f6a08736cf7017233e5ec
SHA512 2b6119520ef221754a98ae1e5af6a91e1955f8f04d8a931647f2744f06ff11a3131fe5d2ec5a2c6fe826f615ab8db7d8155a9fdb7d77ca2787825b36dc32cf56

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 ffac0b23defa477351610ada7fb903b6
SHA1 9c93eaa31c72ccedecf3f9ed6d2d00fa30966e16
SHA256 8b5dfaa1b1848821b9829178de21241ebf0ed76e8d55bb79e01c0133744bdd77
SHA512 0a9ff700f024e86a2a9402faa07dfd35b037106e4be4a8124001629c721c8f9397d85282f79daa9eb198ab3f56fa9cd854cf3dd971fc10a0644f39bd0ec07b9c

C:\Users\Admin\AppData\Local\Temp\aQIy.exe

MD5 14d9779677840d3caa65223662f662fa
SHA1 e3a6485482bf4d6342b06cd8e73c51772c327567
SHA256 3175ca9626afb8d9ec637d30b6eeed7092e3a63bb31330c117449e598fffdcc2
SHA512 0a8a575915659bb7e8889a038d3481a85e52ee6799c74af8bea787a2c240731fc0612167421b3a6ac6a230439057562a43b8066c3dfd0d6a7389cbc7a29110ab

C:\Users\Admin\AppData\Local\Temp\eIEW.exe

MD5 bf17f7b2cc69abe0409933b3fa6e3e94
SHA1 a9dbf77cb06630b141c5bbf8bfdcc88cdaa2eee8
SHA256 76f2c86cd49258048e0466df1cbbbf5adccfe6112b2a8428ef961bccdaf35924
SHA512 39b1c52c83dfd8bb373ec53194a427191cef383428f05c597a51c6d15f48253f6810e012bd2c82511465ff5896623477c8c9e1d4208f6f2c6de289627c11ab04

C:\Users\Admin\AppData\Local\Temp\rwEkgccg.bat

MD5 54144fce2b2cea993d423d2ab468e8cf
SHA1 27fb43aeeef9067be4253fb3d850c6897706a64d
SHA256 c1c8a786dcb55ef6d33bd6e237e683bc61d85118777a60d48300f619e5fcebe7
SHA512 2cb0bef1dcabf6e3c1ab1e93d8127e2ff8c98d7fdaa1eaf719bd0ea7328981e7428d36403b7724ec60c79e8c7fef4c7bd896a263ba25e3433eb1450819a4b313

C:\Users\Admin\AppData\Local\Temp\YcIy.exe

MD5 40cd9a40edd0ebfd60de74d7fc30373d
SHA1 6acf88c64be045effd329dcef1a9d1a4593ef10a
SHA256 8ca70f900fa4f9689ea199e5ad7393940a6fe50e594dd7187e5dc84198de68e8
SHA512 4c92d94de65846975bc97a4684292700e01ca8c73cd081585420fcb8d3b37c025bfcfe13f0e7e6b95a82beed3660ddad7272f9d40b8e8cad6ca5601cd6a7f655

C:\Users\Admin\AppData\Local\Temp\wkQQ.exe

MD5 894e810253aa44ac8a5f5d9f55ce4ce4
SHA1 2f79d0756b29546230ca61129f2595be79073d18
SHA256 e01ae1412e46e1e1ffa6b2b269d4098db3d9d898b38adfacfc6f3ef377473653
SHA512 4847c7bf87b13722cf270fa8f8952b1d8374fa8799743347daa61c2933b57a88645bf2178f3dc8a23da6e7c44b06a003fe9fd02a3ff5e4f7143de3ec630dfcbe

C:\Users\Admin\AppData\Local\Temp\MsIo.exe

MD5 d5f5408e88c9763e7d359f44b9e430ce
SHA1 f0b038ac7e07078a76b8cc2a9a15b997ae84e49c
SHA256 f40868bd9a00950227e420005e5f2d386d37245ad17d430b72be1fb0c829e399
SHA512 fe1024dc82a018d1ef39e2e4291892bffc5560fa889b165687acbdedf631a6feb24af2a463342469c776ceeebc0b92b094179512bc23207475052b45141e05e8

C:\Users\Admin\AppData\Local\Temp\EsMckcMg.bat

MD5 fa7f0626487d06a6e33cf6b1a323d7cb
SHA1 fe6e3132daacc9c60de15207494f3c0427473ca0
SHA256 f006160a0d8e277d0814d407a619e8539ac0dbe691a29366e545bed81e037266
SHA512 fa1d78b3ca77aafe8ddf0826ddcfa41304c64bf54064b91f4b910deab1b49b598d2937d7f231e46f23cf8e4817d1f91a73a4e3956cbe297516ab35ba0cf25e01

C:\Users\Admin\AppData\Local\Temp\SAcO.exe

MD5 43fff41d96a01511b89847ab81a28581
SHA1 aac948e96e9d0ef8334544f33df693ba981b889d
SHA256 f2f4457fa03bc5799c7e313d6f53b85e42daa98a09b7a6124db67d50174642ed
SHA512 450d576a35e46578671e64e31cfb34201f12687baa8c9443ba0ffbe4ec774d33be782fe2dfd627a83f04075b7b052e98862820c93127d3c28f2ae02f478cf3fc

C:\Users\Admin\AppData\Local\Temp\SwoW.exe

MD5 77db4c3122cb719e4164aaf073ec1960
SHA1 568063f92b45a31f51f142612fc8035ebc7ff01a
SHA256 8e504e8303cd266f358b79e9e419bac3d8417d0c33b1ceba9207adfe9de032eb
SHA512 10c6fe8f47932e491b0438b65a384cb2ad576784bbf73cffa8d4d5c2ae165d57184a13c9edd851bbbaf7ec74e1e0ce25743ddf282c8ae12982bfe118c82157b4

C:\Users\Admin\AppData\Local\Temp\okAS.exe

MD5 6fa7e3368133221f91c6addbb5fbd5d8
SHA1 698a4d88a40f89983f961815ec597882736de79f
SHA256 529a4f72a1745604c35cf18ac2e92f9b743af896f52706524deb1c360ca1382e
SHA512 82181f80d41a374dc779ab8bfa9c2d4da4a1fc372f92d184ed600a462c623cb1f4a8782b174d8d023151d753582f4615106af3e81bb3f2741e533e565cff8a53

C:\Users\Admin\AppData\Local\Temp\Cckw.exe

MD5 46b90f6b0e0489c625c9544b44633a9c
SHA1 d24a6d81955b5514bf2c36a7a326deb2730f4a2e
SHA256 ff36b09c9aa33e1d7dd5505936eba04d608227860850d5c97ea04ee3563d7c53
SHA512 e739688a4b1fecdb4d26ba9e621548469f4e7ce60fb2ca799c203220987ccbbc6f1f276392a48a6ad80a5b58689a13038cc435605bc9be13f7b10b1b939a2398

C:\Users\Admin\AppData\Local\Temp\YoUwocIA.bat

MD5 6682785b608d327eee369b4a58113901
SHA1 3448f722b5589370f865b5a43726b07b80949736
SHA256 35d111e6354025c3bc18bfbcc7e56e43e455681b23d70c70366bfab0981c0c6d
SHA512 cc1b6da028384ad20787a570ba5224730c6611be99ab6024c2e733e68d031bfb010dc59c6dd766d7511aae30a46a0c77193c25e7cb605162e1078c99daaff544

C:\Users\Admin\AppData\Local\Temp\yAoe.exe

MD5 8c06f8815da6dba94ec90754cb1153bc
SHA1 bc123fb87a02632885c69662b89c08386ee5adcf
SHA256 2a7579c7dfafaa8fce162bf6b8d762ba66c780876858cabdc7beb10c24589273
SHA512 bcc2a5975609f9cf067d0d50bf1ff354e499b956ab264f3556599d78c6d4013fdd89709f8dedb5442ef4ae6d5eaadcc645fc9b967030b5aa54ff48e3a3e6deed

C:\Users\Admin\AppData\Local\Temp\oIIG.exe

MD5 a745b79d8b4e831ae9e2ffee0b94e7b6
SHA1 3232941318fc6134c6f5aa1338173a00283b5bfa
SHA256 8dae1b85199aa567609528d276a447d4551f8bb6714219e2f376d0d586ba3325
SHA512 9cf7117b629c4dfbd8a672944faf8bb0088c03c1641347ab82e4888208ba0a3483503138c7fcf55c0e97f4465593ed19cd9d384617b5785ca2bf264d3c29c929

C:\Users\Admin\AppData\Local\Temp\AYMc.exe

MD5 908538cdf6d2d8f36cabbb6a33110924
SHA1 a379f6fee0b4fdca91a2615dc6652b97d2897802
SHA256 5aabdcf1a2d52294e30b019f174370493fc13ffb9f8facffeebdab40c3a9bf3b
SHA512 95147066c800396da43a29ae190badf02b3c9bd0d1b11831bd377eb636f710d47a5924ce91e94fbb02f968a3d49e679db82d9afae766f168e4bda8e5af8ea8b1

C:\Users\Admin\AppData\Local\Temp\OiIEsoMQ.bat

MD5 33665fb329ad9cb561ee7a5b8f74d9cf
SHA1 225158def978a80e130be2cddca43957bd43903c
SHA256 55c2b9b5229ab89f59e975d74d44f623fe9d7cc43355351e81af25d1680a3572
SHA512 35a0588d99d77abb26b866f40b4fe0785d38c7667c519143bb21b577ca5a5c24e28f37ef25753ba35ba4d750af424c3e25f59ecf83ab817c1d9280a183c7759e

C:\Users\Admin\AppData\Local\Temp\IQoS.exe

MD5 db5d6dec39519f6856f0a663b019de41
SHA1 fd36c68b989dd3713fa4e9cf677bf5ffc3fac5d5
SHA256 6e1724887a27f1ca4eebbc11e76d7f6539fcfa6c94fbf23f3db4534acd1ccb5d
SHA512 a8860b7447e047de4bd78352d6a854317168901dca3b9eb28adf120418d45b19fc3fd4ea0c8b6bc46e33cefd1258fca600a12e26d1bc5b6632136efb5cdf09f5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 8c09e4569d124e040dd3cc426a8bc656
SHA1 ced588be4e6237c33bf2eb634ca27d959951db02
SHA256 012e3df0db45f726d361641b22fabc1c9b975c6147c819cf11fbe614df7a6874
SHA512 beb725bb3268f56d7a61b38d3015e1f95fabfc9042f3e3834f020200c3a71c8bb975e9ddf26f3b7ffd6b9bce7a839942e08c72e8661afe133f473b566bf00721

C:\Users\Admin\AppData\Local\Temp\yMQW.exe

MD5 aa4b10a9b4dca3edc917d94d2a3c0878
SHA1 fd06a5b5140f79b26c7d1ef85e92e8c5d4401089
SHA256 d0b63bfca2b423a3c55efafd47ee589b38d9441ce6b7d91278f4d5f967f4999d
SHA512 e092b0049e1fbd8089bede08784af28fb29eb0176f535bbf16301d303cf6d34607b66e37cf580ded2af80dd89fabd214c166210ab12483eb396ea4eaba77f69a

C:\Users\Admin\AppData\Local\Temp\oesQsIIc.bat

MD5 228f2bdb8fc01fc4ca63c81e26c608c9
SHA1 4382b7a72154d3134b0c81f2db36fb187abf0091
SHA256 f8aa5c9853c17c3501a1b59b5af65ca4fe6b70a2c8e5852cf597b9d681b2c847
SHA512 61c611a09f9094cb692472bd7e6d482d510032b826a52b9336919d554536287f4790c34231cc81f331fa30b15f913d8e55ad97e61d0c6e37df2051ac1f288a9c

C:\Users\Admin\AppData\Local\Temp\GIUq.exe

MD5 8fb4207b2422da61bd6da9280de8b2a6
SHA1 1f3efb1e9da4c3caafbcc4354a37507339779ccd
SHA256 41735255b8ebae5ea67f06b7625fad6b6ecf2f27c67c317060f939f2a15b9a94
SHA512 2472a25567c9dd99c50c16865e742875af144d53802c135893ce3c06ba926c56211ac15a6f6d209debdfe88680034565d4b763d25e2955d04f1a771926b1db11

C:\Users\Admin\AppData\Local\Temp\MkUq.exe

MD5 6e8e79a376fa8a580dbdab445f2d9750
SHA1 1eb728cff3f511553dc2e3fa9016be5930e7fa87
SHA256 d0af8585b7761acd7bc29d44216762ef183c91ca58e121fb10f0c91dc8dfa71b
SHA512 a0a2a94c3c3a9ec395bdc5680368779a2767d5ee1512ed2e6f3f82272a5eb51810d53501a5d0ea83c24040bfcf2260a16f0f017dd5ecc916fdb6407bea185443

C:\Users\Admin\AppData\Local\Temp\QYMQ.exe

MD5 32219857bbf7ace09d41174b373095b7
SHA1 0bbcd8ae7e864ff5750ff65736597c57de4e058a
SHA256 41ee07d63f6cee76463a34ff2ab3b1dd79da815883ca3bda56307320629129e9
SHA512 defd630681ea4546e1c926c5f2373ba5f1172fa8dc96a79329e4588bb27a1f9b8878fac08d23c42fdea2e99a264713732ab7667813cd41d14c3c107806525f45

C:\Users\Admin\AppData\Local\Temp\rOwgMEcI.bat

MD5 4e15732ce45bfa8ad07274916871d13f
SHA1 03c70bf9c7758ac32d0218ddf5a6ec0e079432b9
SHA256 44ebecf02684b6bf9fd51327c803e6d1d60102da7ec182cf1fa5d57ca4b81802
SHA512 67814e725eaad35eb81901a0cb8d9750defb6db155e03d771223ee68a3bf879d004bf60972502ac915623fbe761df2ff698a9435a887d03acd521473a47162b8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 be46445fd7f3bc607a6b8c1f1d298a15
SHA1 bc338a658cd4ba302b9b0efe2e5e4004d6fe222b
SHA256 ffcda584da86cb6ff86202376a3ae1ff1901cc193c63a87cca3f5152104aa671
SHA512 06c958b778825370b001c321d502bf8f23d1a25417108fe1ed1a46de34ba6f909aea2c7ccce47b47977c30225aa0598aab87e9bbfbb8821c239e3c9ea5638461

C:\Users\Admin\AppData\Local\Temp\EwII.exe

MD5 9a67507d532b9dbb64ab96f7844406b0
SHA1 736cec49cf3cc95bab918f3ad6d4ba413a412816
SHA256 978ed954342c42e01eb71f60885f8341325cb2a37ac5f80bbc56d2f621a26c5c
SHA512 cc63ac1c8081cd558d36bb3dcf4de06dcf9d5a099709e3b05ec7e129ff16b8ed5c80414d1125b92a8b2abce554f849872e2fb70bb9963fbf27cf0c7f43e0e692

C:\Users\Admin\AppData\Local\Temp\wEQo.exe

MD5 9b522cd5daa1c3b8b4ea6f79bdd9a166
SHA1 74187c13f662cd02d7c3e59ffdb9fddfa2901d67
SHA256 7842bc9383ed403433d007e1d035cf250b233082880d1dda71d2656af731ba3e
SHA512 82c18d69694e1c013e1816e66f2e19307f6379474dd713ac424a5735f2d69ec9f9135a5065df2d48ce1186bd1c971a9a4f37573088a5cf77fae121ea8dba341d

C:\Users\Admin\AppData\Local\Temp\fWgIIwso.bat

MD5 49cc8a5356e05b7b36ffb216415668ea
SHA1 baa643879e649460548a25bef29c806646c4c7db
SHA256 94734ea70ef4efb105fbc785568d8afa21e369a887288af4fed5d74c0ee34af6
SHA512 8f5839ab6b5fec1deaa74c774d6b13a429eeec7a175cfafb34345a82f9e9cb926eea071a7ab33863938940a0a3af26ffcbc1a85efc839315bdc252ee3a64de4a

C:\Users\Admin\AppData\Local\Temp\EMEU.exe

MD5 fca2e13ac2b9673caafcbbcc6bda0a11
SHA1 23dd6d4b8d521dce3127d9ec17441db4b19ff0c0
SHA256 e61694541611ad337cf15bb10f83fbded3aeb64d78639a415de316b828e6309f
SHA512 dc4a64eae5bb584636c6c091d9e6c698ef09e0801fc64b5294e9591ee4c5a87d16058f6bd1e08f15f5191643af13c847a3f7f4dee8bf79ff03b8518013c457db

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 4726d26ba6a1be779cf4aebaa3110261
SHA1 39af7a7609274d49833ac1909294a9a7f00b0102
SHA256 ebc4506a186d6d561f2f816c8b5a7aae21427c07f633bbf1a15f0c4cab61e947
SHA512 13022f0735ff980a9b997d10beed303477d3961ae1fe8f1705410a5b1b80635bf50cd5515eff894ed1b6360179106231f176941f04216f79245cd51540698bec

C:\Users\Admin\AppData\Local\Temp\qgsa.exe

MD5 9bca32ee067cb4fd373bbe56d7c76f61
SHA1 2b9b00161709fc80848d6586edf12158cf7dd5e1
SHA256 960f5e50f242c8da3e044ebee7ff9807c4a4a48dda422e0c53fb691057a5d05e
SHA512 e8373ca8a4a0487d448ec93e816ef9947ac3eb4864b65991f34745d173728ff00cbb3bc46e9a7a5eccb5e3e61b3b1685f0f6ec658b2fa31fdaf3169ab6059548

C:\Users\Admin\AppData\Local\Temp\FIMoIAwk.bat

MD5 37fa03fe439ca6d7726f1962f5a5aa44
SHA1 d3bc69cb43d0f3b110d2080c1511fa84a55a265d
SHA256 3600da2c4ae5c34038d992ca4fe0c2950aba35afa354db6b73aff855a7ae30eb
SHA512 6efb913574a63c86ac6fff2a199415d5cddadf572dc1ad73aceee72656b03bdd05c707e9f1969775d4a2d085feab19d02e757aa4a5009c366327d970294ca897

C:\Users\Admin\AppData\Local\Temp\UYgi.exe

MD5 6aa5089e7b3292e3fd5b98c931997f2b
SHA1 f7eec13c52120d6909055eb44405dbd9ce1a9045
SHA256 848177545e87135a27f3f2e51ca3f838e0fa0dc52b76bd90d417567d23c0588c
SHA512 352274c49a10a83dfe9cf122d8207b35f16fcbd0ebcbc69c3c0d55ece7c355d5e09853acde87a60b6626a63ad2bbcb6d8f063bb76a800110b2420fd054631797

C:\Users\Admin\AppData\Local\Temp\eYUM.exe

MD5 167ee8a3c67b1e40459c889bca27e077
SHA1 3a5e7529d56b0c3184f4648b9d4b0d5e2ff93dd6
SHA256 a0a1471382811ccc149f8ecbdf4b6dabdc9604b8e17fce70542728fa0e5d03b7
SHA512 3e15fd38c442587d3dc059d1e5d4a6015c18257391e56bb40e1b8e624843c09289783ce13b045a23e531ea75fe91f508440b993350ecd7edb2db79ea8b04d918

C:\Users\Admin\AppData\Local\Temp\cwEs.exe

MD5 01e383807d77435f606b04deee0b98b4
SHA1 f75d9247cc1def4aebfd0b4f3a768283b027d951
SHA256 605ce18741e127698cf3cce61d530892607fd406f814a943953286fa2f0d8478
SHA512 f1c10855ce4d1d7f83d9325fc76c557c468e04c58f46e23bc3e15d2a8c6f4420e5514962915a0d7e48a61444dcffd4adbd4d3f3d080f1aec78d8b2a8c4fd4454

C:\Users\Admin\AppData\Local\Temp\NyUAAcQo.bat

MD5 d023ee853d231895b5bb3898ec44cd83
SHA1 cae1cb6e7ff00c4b879fdc0d0ab204318a5d63f0
SHA256 c7bd6696f4746d6ff762b2d282f3bc434dadfc004e3fc33af2360f2fc5e34eb7
SHA512 3e83058d3b027898fe49fed221c9224c27465007167daa19fab76e8305865b4ece4225190cd6af6b72f2a1d0557809ef4f8f83f6318716146ebb255570972ed2

C:\Users\Admin\AppData\Local\Temp\aswG.exe

MD5 1a6612aa8007d27c601e23d376c1d30c
SHA1 b93529e2b02729f3f2cb237e449a43dd99cfa615
SHA256 1a1763cff6895a595231eed7ec605096646231aa7b237b8c273d283dedceb610
SHA512 e3283ac9174a756df2cd468efe3dabf51ae32c7a26ef52a22a2a56e38154758f4d0b9fac786d1d0ea0aaa9f93e0f80fcb715f23276d2aebcabfeacca2e2c778e

C:\Users\Admin\AppData\Local\Temp\MkAi.exe

MD5 15d4393c958fcc04f9e0543e53236908
SHA1 3507d2bb06ada09b28f2bddd647b43d14eaeafe6
SHA256 0c5dbaba3d7e36a5590e7bf913df6cbb2d348ce539aaddd102bf4dc9b383d872
SHA512 49ec3baab63ca60577ac074b1476ba8d6f7da0c9d23b297d5013de73d5d85475fe290c59d6b6cbbd6d891f4379322ef91b54457a46a31591a6dd78bdf06dd368

C:\Users\Admin\AppData\Local\Temp\uIkw.exe

MD5 1a06dbce52bca07c60e42bfeed40019e
SHA1 e048c32d35838cf0a56939e127eba93ce5d35b9f
SHA256 ac4ee89a2d5e87ce8735577c239055242b96410b3cd04278cc6512ed2b221d3d
SHA512 b684b9a09ab7f7f0964def4d23df3587d30a62d76896ef07853063357979e1f991cdd0b87d6a005dd7a62632204a35c61851993774623b8c5be21df56a463e50

C:\Users\Admin\AppData\Local\Temp\OuoEwwEE.bat

MD5 d1ef3839ecde3478da1931d81d62cd18
SHA1 1e60928e237747c94d41aa08f3b857fdbb8e0993
SHA256 f9adc888c27fa68269dd3b1e1a1a41c6bad3c7952a0eb44105032b14bd39f6e7
SHA512 94472edd1317d371add749febc631b41d0c18ac297fd61adb09809cbd7debd44b8f6f3c0137fdb99c07b3d0f038a72cdfe443d454eb783d907b1e379bafab7ca

C:\Users\Admin\AppData\Local\Temp\oowG.exe

MD5 4178e8e2bcf6d5ad8c6e462d41775d0f
SHA1 f66ca7d0ef8747306f7fc88c567cf26efcdbde08
SHA256 d2890ededa32b28db30bcdbaef8229ed10c374332f61880417e56cecd215eb40
SHA512 98e18fbeae82645945e4ad21db77b7b7c967f3ea2ced93c88f00300de63b6a4ddd3a0b3a3161f2655e68d6d1fad4ae944fa5808a17d357bee753cd3c3095e0de

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 6dd3dbe07216599bafa2d69473e35689
SHA1 7653b006c58e86e1f5d352154524012048d9fbe1
SHA256 bbb91a2a1e400e23d23e834e5b8348e403b1aea1a5bce8c2f9e045bd1f0e7a02
SHA512 e9339f83be12c0b530e8def038d6adc1dc093e786997170e72322edfc38c576b71ff0f63612c0a39a472c247cb6d8ae16f9b1b1e85805e09f362851bf90965dc

C:\Users\Admin\AppData\Local\Temp\uisEoAgM.bat

MD5 d34fea270b7866842cdefdfc8f9f5951
SHA1 e30b0ee4648330d7bd7030de0e05edc0dcc8e7bf
SHA256 6144c3c17e99f1fbf87357949e1f0b8ac929d7b68d0144ed5d991ff2ad1789ba
SHA512 6c93e3b1b4fbd8e37541277ada10a47336f619171e1407060ea6e27bfaa31ae05ebb2c17ade57098328c22d2daea5e0ec1c9df400bc8b81bdf0941bbb9659572

C:\Users\Admin\AppData\Local\Temp\GIIA.exe

MD5 6b3ec888dbb91084905c81601b793e90
SHA1 6a115a9a9788aee22422442655bbe86dec8fd814
SHA256 a2f12ce29b6328e2d108b0a9e335a35f4eea49a3db53d0518bb2ff8e71fc96e8
SHA512 7594bc4086399573fbdf951ea3b6bc6ebe6e85abc080d96cda0a97983ae4b5e45b4a77d56aa08119713a6c1e1bd608a3d519e7ed647a22640808a5a38524d452

C:\Users\Admin\AppData\Local\Temp\EgoC.exe

MD5 9974903c80b01883342b60f8c48d583b
SHA1 3ef4c711bd0d5d7102f7d5ba74558b717e4ecbc5
SHA256 fdbc6d19d3e18fa644a7a101d4f0438e44ee5036ecbbcca6ebec1f9adfd785c1
SHA512 4029b748f6e1f50269f991a90ef13a1a8be3659d0008b01bc4b05d951e61e910bdca72c4123bd7fc34842eaef4d7fe071f2ad32a31c9ec85adbf382ade8270a4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 79bdfc195f47c6a8f8fb51313e05f8ae
SHA1 512259a321b3d341b15486a95e1d882b46ef87eb
SHA256 eaa7a56b4fcc59cb170c95e185ec56fa0b22be5457bdf6b19989d1d7bfaf23cf
SHA512 92ede9358ad4aa0098b2a7dd4c43c534703f1dfd97d3a8c2feca91916b8c1ff3a2a09e4879f46993e20a3c3fb2dab082752e47ae1c3191482f2b9bbbb8c2ce1d

C:\Users\Admin\AppData\Local\Temp\kUgG.exe

MD5 f79c75cdbc144f37c3a71081f34d6358
SHA1 07a8dadc96c4e9a14db07b218f457759d6e1e8d0
SHA256 b1fdbbd93482156310b85e190c7e968c8d6d2ec389c24950b3328ca583cb8268
SHA512 b5b1a41857829fe7c7fabf460152bc002990db9c23c29d64d5a3e5b8925a5b4cf5b4273d7f31fb16804c4672dd75b209cf1f328dda753d20bb9f1f4208f99d90

C:\Users\Admin\AppData\Local\Temp\MuUwYYoo.bat

MD5 952d3d427b02ca4ea0692901a750fd0b
SHA1 149cd8808013183f6c2bbf240c24cce120a52e45
SHA256 a42a55cda9fbf9defcd64d7c9f878bb714e29ec5794b4b75cd1b4dc6c4d8669d
SHA512 aae2dc12aaf386837e391677057d5dd7416fd9cedfbc38a5ffa44e2ebc18923ce27a0b52e7547dd9b21a51d2e4a7010cf8f2f1ec5850e9b8df5e017875cb5e75

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 f25bfa4a4b8a2bb52e42ca25c7665f13
SHA1 aa508507f769cb000416271907c36dc0456c01b9
SHA256 4bdd714f83b6999571ee54ce7d9680b5053f751f0aa2d3e8a3b07c57577d672f
SHA512 c3b8228933a44580bbf048260ba3ca6559e7552448f1805c4f1fcc8e856a9c3e759bd584c737302e325e6aab71f082b043688a4edfbda570109437204fea5762

C:\Users\Admin\AppData\Local\Temp\IIIo.exe

MD5 cbdcf85b3ba14ec734a1e0ae62d06dd7
SHA1 a1f80206e32805355913c1f803bff27b1f59c766
SHA256 da0e01080eb795289e5e84cb1c1723e8d739a77f9f692c1f6e8e8fc4a2d1c66d
SHA512 c373278ec4fe9612078f26af175cd937f2f33f45de122c0a1c462354d0217b80ae4a4d6a85cdabafeb8f146d9908d2717f662a607601a47a7cba3ec613bcb674

C:\Users\Admin\AppData\Local\Temp\CAgEkMEU.bat

MD5 bdde1e920f91ec119709fce38125f2dc
SHA1 c941d85925e8de4705a5d1796cf97a9a7ae561d5
SHA256 89f4ef240de52d53cbbb04db76799dd54b68366f8e5254e09fb35c31cffcd860
SHA512 242f3239781606fcc78e034aaf7c9f9f5970acd492ccd732ef26177a5bbe1244c0b00f556dad5ff3253bb34b760522c6a5ea90a1e15039323597dce58484afb8

C:\Users\Admin\AppData\Local\Temp\gYQA.exe

MD5 6adaa17e26fd8cc5951a3422d7ef8f44
SHA1 3896c97e026d6139c54b65c43acfe749d5e9a8be
SHA256 0e17f838bec305d335849b31a0e6c66f2c167105123e3f35297872a82856a7af
SHA512 1d9ca24e8d0dfc5109dcbc66875bf3b544a295d4b41c1f1abbc44e688800ed16a53da6d9b0569f22b347aa86ee85debcad8eef5f6c45d3cd6605c584de22a6e7

C:\Users\Admin\AppData\Local\Temp\CEoq.exe

MD5 006ca36e4ff7cc96b040e19dc1b2958d
SHA1 2a49472620f27287b652fb8a857444d035a48dd9
SHA256 8e102cdf35a4b7c5a3d48dd4f6cb0a0ac84ce529a37acacc2b467d54c4b1a105
SHA512 e52839b5b337cfb0ba7c8d7bd12d37b74adad3754c0a1878154f85f4aba3e7c9733cd1e623652fb4775386174b32d7ca4a94a81a8efb2f8c586d747faa4c5ce5

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 95ea0eed856e6bdc52dc9e15a3a54a33
SHA1 92e91029ce15578a66f6be8df4070e4f366e9ed0
SHA256 eea29a82daee351ac71d83d045efacaf8ef3407791a1a967eb247771a909a756
SHA512 11629657eb457da42c6ce20cb2a81160684d97d65fbac95f546468f8401486eb8f5c2831424e7019d767c9d9f732d712f1f4a836122c48fba56e9a54f342e30c

C:\Users\Admin\AppData\Local\Temp\VSUkcMQU.bat

MD5 c4f7414ca737154899e522592516aa00
SHA1 24abd43f3107bd050fef27a7a0646171572b66e1
SHA256 cf83e0cc4465d05be220495d9c6bd1f457a798c11c31d8e42b93439bd1621209
SHA512 3b725909cc1abc3c4b1baad46aff39a91f5f499ec7164e143aa6b7dddd15bf823416935db7de13dfd4043777159868b4a28f105bbc50f777e24f5974acba95e9

C:\Users\Admin\AppData\Local\Temp\KscI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\uQMS.exe

MD5 82a7f301b2c4507410cdf59fb8ec0b42
SHA1 b2b76ef3037d5bb2e5c40fbf1eeae36aa1b84b7f
SHA256 3782513daaa07dd2e0f99c167184ae0b158af099abdc108c5aa9550c41f759ee
SHA512 c4a3bc45afd410659c6dec8813ac0d5a40709e20e61f4e123d473b84abe9875ae6432667663c99071393094df3906e940b1655a43241253f12d2e402d33f59c2

C:\Users\Admin\AppData\Local\Temp\dAggUkUU.bat

MD5 1a6e798ec172d571bcf7e4c197a29885
SHA1 2464ea794173aa679f41a0daf4b4baa7f0fc19a6
SHA256 b6cb60f63dce8136b447d1c256f714e8ed367a429382e03329d84bed869e34e7
SHA512 750b30dabddb753bf1022f750da24e146ae0c255a2fdfdfc2c2011785397c844cbc21b46f84356034a1ec1fd999daa8df361f834164282f7d33197f26afaac79

C:\Users\Admin\AppData\Local\Temp\EsUA.exe

MD5 6701a6d7c308f1daceaf6f520c0fa9b3
SHA1 7c399775e875046e1705715c6630cd8c1bfeae62
SHA256 31e7f29903e487d3835c5e678d6d0207b4097007d1bfbeacc30f6bf7b3477ba1
SHA512 94eea19b39af80902d5633a37902c06d6e856cce10ad804ce5b10516172d4f3a10634da4c5f3dd9f48e488f821921a7ad93c79a095807d0fa433ff2dc0a2318b

C:\Users\Admin\AppData\Local\Temp\hoIsoccM.bat

MD5 49569f14658910aaf61df400bb7f4d9a
SHA1 5b309ae6ea92e8adc3d49b2dfd39a6cddb851145
SHA256 edb6eb5628654c71b085b054d75d6bc340bce1e650dc351b4649d71c80e06829
SHA512 1d6380616190df022991074248fb78c33b9f572b0d43bb537f1bb554e688004c151fa2233beca0b65359cd2aea16899f44548292ddd557861dc927268b22fdcd

C:\Users\Admin\AppData\Local\Temp\WMww.exe

MD5 45f3ab01ec9f487d60f371167900f89a
SHA1 d55fc189420a28bd3334a151e79b6589701ccfec
SHA256 77c472e8de74028ead681e16ce7d76d9c150fa1910468f4083acbbd2d92c36df
SHA512 05faa376a21c9f8036d89f7704bece12fa05766e9e2852872617df2e844ec12ad485b3add7af9672af9620668b61763f270c67a33eb0894320ae8a133fe02baf

C:\Users\Admin\AppData\Local\Temp\swoo.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\UYog.exe

MD5 2c70dc3edd5a277f4855dd3735dfcbe0
SHA1 e6952401a992605977ba2c836a829aab1b42a2ec
SHA256 774da02a5bb9a1114a96f1b2336ca3706610ffce32e7d30fb9eadd062bd0162f
SHA512 991e3376602804b505ccc8da5f4b8df47da6f6966a165a0d277b8c5674f8b117b790b2a0e3ee7e004c8f428d20ad61f4f7559534c18993d8cbca57d5cbd206cc

C:\Users\Admin\AppData\Local\Temp\wAEy.exe

MD5 6b3f401a6d869f869ea08f3ff0509f32
SHA1 34fcf1116412165341f63e9737a6ef9258681398
SHA256 42181ac0e40f7a2897aa0693019d979ab3d9238da3ed9655491676c0f5dcc925
SHA512 d714780ead5609d8506c643b412fae532c8f3b9adc747160e4b57a87b289bf50c1f5ea5596f1ccd26ef9ed66bf9125b04e1cfede969b5efcc05fe576d7d2f58a

C:\Users\Admin\AppData\Local\Temp\AMkm.exe

MD5 927105a7adff5eba3797551547e5367b
SHA1 db0dd382cfb515b72adc27f4f27994655a992e7e
SHA256 e85a1f2f0f360d748a489b512ef7930acb8253d941ad1568c5346aeab8c9f86e
SHA512 2e86156035ff220b4329dcb21078bc6d7a8070da8215b20cb5780f0586fe7b904856662a07ca9e660ecfed9ad9fdbf9b6abdcf7aaae74a526f0c7d566bacd7e3

C:\Users\Admin\AppData\Local\Temp\yEky.exe

MD5 36d94819a13d1f2efaecf20060ab351d
SHA1 452d3106f5efff2de633b62ca287fdd043bdfbe9
SHA256 7b86f6bee93befb06570176f628927a93620dbdacf34f48809a8381747fe3095
SHA512 06e7f8c6685866a874a5dadd37df76bca07345f397d2ba96acb7e7d9d7274ac94e25409feb87690e12879d161c8416523b8fddd6aec86292adc48716c87f89f9

C:\Users\Admin\AppData\Local\Temp\jQwgQEAg.bat

MD5 9f58130b1a756a472b48b7e8a0b996c5
SHA1 1fe8dcdc13656a07c9549288e6f2be24a362d7d3
SHA256 2141291941488a0675df33f9c599f64d50d4c0649ca43516a78af7d789136af4
SHA512 56302585336a22fef6cb0e6e62c08bd262ba985d0cc8ef910ffe5537b3eaf418ecdef11de8fe186191f20ea297fc3c1c88651ade0498c0abf4ef6738c1d813f8

C:\Users\Admin\AppData\Local\Temp\uQYg.exe

MD5 bea2a9ed04cc2fbe5ed6c84de017ae9e
SHA1 2cd8879786ba791f63684943d42c154325ffef51
SHA256 3c0a2171840189ba1a3b10e63390d465e1d5f7a3066a86af617db854fa730ebe
SHA512 08cb365d9528e3d78fe3ad10659f08099aa167d14c467f28dc9721b2f0d00c946bceb1a59cf6ac10c4a0059a9dc3baff6bca3d529e26be520d5e261d5274e61a

C:\Users\Admin\AppData\Local\Temp\uEMQ.exe

MD5 e0b25c0b48c768cbfd2a1ebf4c135651
SHA1 f1adf9226d9eedbb36c6149f84c1a07a0c6e7165
SHA256 b8b6ef3cba037917dda4c3cfe7400911c0a58fac2eebc4600e67e015e216a476
SHA512 48b93cc9ae81d3b6ff4f9d2c57d5033c21e47787e17f0fbc8c610db344466ad7faca25f1fee45f9e5b36ade56bd353eeb75b023ff109586d9c9cd2b66238937f

C:\Users\Admin\AppData\Local\Temp\mksc.exe

MD5 07403e7bcd97ea3b5b46afac2bc00d23
SHA1 ed6e61f0e7190ae14d6ecb16d110e3c0dfdbb0cb
SHA256 2557498a66415669d869c609f5cc1cb1b70278f7c2b77451028316ee92bcda37
SHA512 6fb3831efa40fdebbf02f13fb3d56f555ff253bf1c39571c5c75aebd4d706b0289c40e83c6319a0b65d1f69c65e7d32b932a0db64ab25cad377f9b987dcfdeed

C:\Users\Admin\AppData\Local\Temp\UEwIUgQA.bat

MD5 1314e1cf1c8af4f1c7a4869bf9472fb1
SHA1 aff6e3bdb6cc3305b219d6c5d7c4118258c39d05
SHA256 41f6a5dade156167c0e995e34b8f211b26fc72161fc0c85704538fcd7d1853b9
SHA512 dced333e96730f83a919646180f494ad5a7a5247fab244553255f347c36ea5be4540814c2b7291c6de6fc54db0ef0683c5133083750e015d51239fbf06cefb77

C:\Users\Admin\AppData\Local\Temp\kGYQsIcU.bat

MD5 62ae61a64df50949eb97d29f71c650a3
SHA1 0d41c53a7c6f287e40b8ecbd528a2fb474701101
SHA256 60ddef5003f3baa98a7a9c2f5f9d80ceb73f06f23d665ecf11251f0058b3ac46
SHA512 fdd0692c780ba0b3041846dc1f0ee1d0acb8b945b4afda612024cc95343a5879319e920425719bf9b1823c0c0e464de23a44e3406efbf17722fee6e1630ecc5d

C:\Users\Admin\AppData\Local\Temp\aCYwMMMk.bat

MD5 cb047632a8d27a22285c207d11c62fdd
SHA1 3167777d87484a0d8ab0bf630a4587a346ad8bad
SHA256 6f36ca1ca95e9459e3e68bb019e409c1ad5a907eea46908e92eb90a680e9fdae
SHA512 61d9e4abf30fd7ee7795b54b047d989fa7096c13cdbef894dc2a5e136e2a43a7129c002b60762549e83977ef6593c0f43cdad3af1f552605aeb230627527e413

C:\Users\Admin\AppData\Local\Temp\nGsMggsg.bat

MD5 9aaea3874267cbe2a25ace3b53692acf
SHA1 881acea08e455939b017c403af43615644e61617
SHA256 a8d7012f602fb688d11870effd3a92b5c193d2b487362d9b3c61980676d9b5b6
SHA512 5ea50cfeb9295cee6bb18b87bd23f8fa6bb1936bb1bd7e5f372eeabafbc981e61624bc819d40c969548fab5503feeb149f14b880fbca442c4dbe6f2ec65d4292

C:\Users\Admin\AppData\Local\Temp\rewQcIAA.bat

MD5 23b7d073ec25d849012ccf0da65b4108
SHA1 d1d6ea0a7dda2ad090bb9641fcb9d123f5b64ca6
SHA256 0f4e012c60d7944092ba8145e0b288a9c4a20b8a92e32f1abb174917b5db564b
SHA512 3892fb856102d4be4c182206129469eb423441a38640ee00bb595e2555fb5b15bff5be0c87d775f09cfef74fb598f61cfbd5b8c21b813d76861b4278bb6f3ea6

C:\Users\Admin\AppData\Local\Temp\bqIgAgEU.bat

MD5 3024d39b8d850bc83721a53c679a2419
SHA1 aa2eec726d8cbe14ced935ff5daf59194deaf048
SHA256 2dc90ab36d698b99a24a36a6d5babf17b6eb370ac2d397633575a276db3af1e3
SHA512 428fa06295ea44c5a3493487dfc78436feb318df43638f1408e814acdf37ab6ce394e589daf6cd1ca5cb3e64abadf2f3fa6231a91c41737cdc6ed2dc21e87bc7

C:\Users\Admin\AppData\Local\Temp\vAkAQwgc.bat

MD5 5e81b081667a6235d6f5b5476df2dcc4
SHA1 dc171131bd1b0a2f0e165ee9aa15393021146214
SHA256 e83d1363c6423981e9f80f345f8d5b011d8d7a40644a02f67ae98756cdcac6f6
SHA512 db5c176b8ca465faae025a2f153e20547cda7dee9aaa284cdcc7c30189d59c83ccacdbd124cc97a34d92d930c98192d929ba9146dc4ba5d1e0b41d21a2f68659

C:\Users\Admin\AppData\Local\Temp\mCUQMYck.bat

MD5 079222af11477b06e08591a342645ea2
SHA1 e21db96130371073e80c8a5d14932d976d35a332
SHA256 0d88d3fcba7aaab7d1e2b833d8e92b49cab175d23f9b01266b09e5263fbd2cd2
SHA512 dd0675388ead2ae82377f0a3ca7036602319c4a0cc06bc6b3c80adfdf9962adacb880e1b915e4b3d1e69ab0759014753c288c4402d60dbe015509f7975e6c6c5

C:\Users\Admin\AppData\Local\Temp\AGYMkIUs.bat

MD5 432c33576bc39fb09400e22819a1cfe9
SHA1 56fa5a76f9914ca1baec8ed9f55063d1b5d08ae1
SHA256 d094fac9808e0ab320cb945d8a10f705283a21bfa324a58dd11f67f1b67b5787
SHA512 3f4c515f674b29689f3190120bd5aad5ae57108e4edd9735e4ee863ffef56d5ebc06cbc43bdecebdd80e0390ea22c47891a0b7d2b1335b7593f2126a9787b4b6

C:\Users\Admin\AppData\Local\Temp\KiMAQwkE.bat

MD5 373037cbb6178b74f0f75603911becfb
SHA1 ea7311918582049504cf33a51d5aaf0b7a995d25
SHA256 2469c883b640220a2cf3bc63acf2814387e72cedb16ba03f5b767f4c720cbc30
SHA512 7c34c4e7ce6769a71d42afa268176688f7e32c03e0cc0e5e52a7b71277e0cc80e6112f71b258511f84ce134403b1a33765b782f8345af848d9a1f047812fba38

C:\Users\Admin\AppData\Local\Temp\cagIQYsw.bat

MD5 944acef95b1ce0baf52e668d0189c5c5
SHA1 2454eceaba7784c338c486a1d12451531206d82b
SHA256 308c0e9408c2f93e3c39e9747d6361b5200b2d9946431fb6b093c3139c24495f
SHA512 94a2f359b64e3e1745afd72035ff60f773579bc7342a0c86ed0ff24b4ec911b5299ba891c6504f9628a9e31dbe86a8f0e2f50787aae93804b3dc2ed7031997bd

C:\Users\Admin\AppData\Local\Temp\QQUkMQoY.bat

MD5 b56566574d3eb1b7e8b6accd3cc6aaa3
SHA1 703d395b0a432ebb3cad211cac93b70ed3baa57c
SHA256 60bad284b69b876640c5f1e44ced0d1256e265fc48a36fb21c2c90d29b237b45
SHA512 e7918e43ebe97b05a90429a001b2accfb1d5b4565d3008a75ceb35b7c5cf42bc7ebbe2a00aadd4aca53d65c5eb56b72817d75c5294dcc05d09f3a4c984d8bfe9

C:\Users\Admin\AppData\Local\Temp\TYcEswok.bat

MD5 aac58101e39859ce803f7151bc47a84b
SHA1 352c7e678905b6d6f6dd7d609b9e011bc6b2f0ba
SHA256 813c2fcbc156df7739620f977570f7a76cd2c4e700396dc83e0a9effaf82c08f
SHA512 0073bec0af034491e058247f3f8ecf0e1bd838fc8e5bcb7dac0f85db3b6707e8759da111bf04d2fe215fcf8f21b5c774a9792752b20a25719c9b7b3dd4d73946

C:\Users\Admin\AppData\Local\Temp\RWQUgwUI.bat

MD5 166ac1ce409bf2ede296365b11d4a7db
SHA1 922ada54802ca9d040b6fe77f9b1fb7c9ee4c5d8
SHA256 5a7d17ece37a5b49d6fa8a4a9504d569fc73db6c12d92355934519f25c23a2cd
SHA512 0f81925c619666db0ed1b82ad69a6299edafeb1d8dbf58f6753b3912d387b112295d6399e0b6f2b0d898c2acae2dc8a67e41eaa998e38f943b2ce19508fe6d37

C:\Users\Admin\AppData\Local\Temp\NAwUYUkw.bat

MD5 88e30038c58762ccee5025606e964a21
SHA1 2b4ea72b6c684c3b438f98739128bc80cdc124ff
SHA256 7d897184ea2f20c6f73b72e9243625da8c5b593d987ff660c5760f2c9051956f
SHA512 928cf7b1385f3be68761a4f89b84a90edc5e2d8394087c7697f84f4977c451301256e1b08a0b2e6222c25a46bbe6909c31ce6f1c4678caeac9e396ca4b4bccb0

C:\Users\Admin\AppData\Local\Temp\HUMIAcAY.bat

MD5 9272c3e3942f27088a546bbe75768e71
SHA1 955a1281b148986ac119f8eeae17b85ca056df62
SHA256 24f6aeb78d36b2714d40ccc433956028a025616ac02ae907b1faddf60c3656b3
SHA512 52ca89558bd2790d9698773974f48c12492045664b8c19bdfb4ee7651bac25a7f6bd1f0d891e39c91ccb5814006780c6b374ad44cf9bde9596fa912e169ddfad

C:\Users\Admin\AppData\Local\Temp\kWQAYEoo.bat

MD5 a3c18192d93d019fc01d4207b2f29850
SHA1 00e1aa49a9827e9d3e2a90b847c05f3ed3e6e654
SHA256 8eb9aeb7ea7c05f3ec9facebba48f9ae0bf473261db5a37009b6246ac59cee21
SHA512 3ee300d628346c7b72f528afa24a3bc164ecaf78e60fb37407d63b497e01eaa92f5d4fc3ce90657810c24fb9e73d3a2292c85a132864808ecc97fc447291727a

C:\Users\Admin\AppData\Local\Temp\OcsgcgkU.bat

MD5 9ce68914cb4f585db8e3d59d13cf1af1
SHA1 e453961494da1c948df952f9f2a496841f1d9f10
SHA256 0c4227121ed7048dd63764111f307a99d91c5722ac00699a66535f974f0eb8f4
SHA512 778dec9262f35893b667bcf15ae164da141c2c46137cf06290202b8694889fab405618600c2efde34db7676e380b07ab4487524b93fca777be3b613f8a18f8d0

C:\Users\Admin\AppData\Local\Temp\OcEMMAgQ.bat

MD5 a0d14d1f6796178b8ede9f51ad671bb9
SHA1 470ab0aa24d8b128edfc0b8864267178113de92f
SHA256 67ac6600f43e1de076b931bdd150575f45f6890c3780dc640c725331b0b8d415
SHA512 f67ae465531657c02fbf69d4bba36190ee2e18107c5f94354d33b259f506bf9d3066360c3594d7fcbf89c31231ef90344fb3aaa01ab0ececf24833e1d49cc761

C:\Users\Admin\AppData\Local\Temp\gWoQgQIs.bat

MD5 65570aae0d02ba15716bc49649380a68
SHA1 e752ad4874b6c8f6b71fd710f4eb507f18464ce9
SHA256 eb0b66af1c10a250a3b35c63e422dbff4293ca4ef8bd1954122c983288b998f4
SHA512 1f6206e6dfa34fd202d378f7ed10cbe46419d2a8d9bfe88621894f58fa36f99f74415bb6ed49fa52ea6da67f91cf0d84d065cb7feb568f987528f71441ace767

C:\Users\Admin\AppData\Local\Temp\XusswoIk.bat

MD5 e6ee0877145597c8ba5fe77d77a3735e
SHA1 2059cefc91b3dc6efbb8ac73d5f16a9ebc073616
SHA256 d9ccf6dcf67ffbfa2dfa5bcd474074f3315447d0d22891875cf0844700ea41c1
SHA512 aecae462a7c5b4032ee5338bb0af9ec35eda9e559f8758048a150d7b55126267fe8a010ca9649a7bb20898f77ad10ae9c64f1b0f3a2380f52df60e8aed80e800

C:\Users\Admin\AppData\Local\Temp\lsEYwogQ.bat

MD5 80e08c7f44d820c2198f5bb8df2d72c2
SHA1 c747fad8a5c27e0703950c7e4e4ad6e97f42a179
SHA256 8ac84d6339a5c9535d44bd77b28f7f1e7f1bd1f77f524bc9d9aea57cf051b9dc
SHA512 6f4fbd004657a0e72ef841188f981455b6979074d47ef32fa26eb4c039a61010e3b79809b75cdafc28492bbb1c2a5b9851246f4cad47d3efecd6a94bba6a559b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:56

Reported

2024-10-16 17:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EKYMoYMw.exe = "C:\\Users\\Admin\\hkIYIUEM\\EKYMoYMw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\euEcgoIY.exe = "C:\\ProgramData\\JCsQsUws\\euEcgoIY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\euEcgoIY.exe = "C:\\ProgramData\\JCsQsUws\\euEcgoIY.exe" C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EKYMoYMw.exe = "C:\\Users\\Admin\\hkIYIUEM\\EKYMoYMw.exe" C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A
N/A N/A C:\ProgramData\JCsQsUws\euEcgoIY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe
PID 3868 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe
PID 3868 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe
PID 3868 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\JCsQsUws\euEcgoIY.exe
PID 3868 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\JCsQsUws\euEcgoIY.exe
PID 3868 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\ProgramData\JCsQsUws\euEcgoIY.exe
PID 3868 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 3628 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 3628 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 2832 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2832 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2832 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1156 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 3624 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 3624 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 1156 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1120 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1120 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4064 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 4452 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 4452 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe
PID 4064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4064 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe"

C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe

"C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe"

C:\ProgramData\JCsQsUws\euEcgoIY.exe

"C:\ProgramData\JCsQsUws\euEcgoIY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIssYEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIUAAMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doUwUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSYcMsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIMIgwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmQogkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKkQQIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuQkQAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuAswwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSMkwcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAMQcgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEYwYkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqcgoEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsIwYsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoosMEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngkwwwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dooIwgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuoUoUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSUYEQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQMswEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmQgcwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYogwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKUwwMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOgYkkII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwYwoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juYcYcEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAocMcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmsYckoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEcUwQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIYUoYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqIocYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGIEQcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAEIEUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIAIcQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsAgMQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgEksko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYMUQwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGkIUIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyYsMccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGsUoAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgcsUAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggAwwgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGoQUsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsgMUMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwAEUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toUIsggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIYwIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGsEcUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiUQcMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmsIgEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYwkMQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWwwcoIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmIQckEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAMwAsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIwwkwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WooMgEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekocsAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQsUskEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIsgYoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEUoIkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKEwAEwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCkgIwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUowwsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQYQMkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgkAMckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIwQkIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGkMwYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgYQkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XagUMYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIAcgUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsQYAoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGgYsQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\macoUsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umgwcUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYIcoMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGIIAwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSEokswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckAckQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIkUcYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuEAIksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qygYQwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqskYkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgskskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUgsgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCgwcgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiwcIgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgQwMEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoAMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hwcgowgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dicIEIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKkEocAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYwgUIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOIUwUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAEUIcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAMoAkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NusIAUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgIUMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQogsYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqcAAYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSsEcQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqAogsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAQcsYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiEIkEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoIwIQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv uDEKrWuZ3UuM8vf8dsxHlw.0.2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYUowEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEEoMYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3868-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\hkIYIUEM\EKYMoYMw.exe

MD5 4c7b55c66b901e3f79fa7c0edaa1ff8c
SHA1 25ebca5871d940a42f85cfc53236e167778d86cd
SHA256 0bf8f47d323f2f53e2538de22f66ac884e661d96b3354c24d44b6e0481da33ad
SHA512 adc1bf3c6fd89bd98ed97361101c7d5e0c8a75a3cf3af98226cdb563219da3d32b1d0d2c4dd78fa3401e7964454ecb3861b5a9a0e2cdab102bc04491d82f3c3b

memory/4784-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\JCsQsUws\euEcgoIY.exe

MD5 a47b5893cb13ff6685cdca87b10e046b
SHA1 498082c7b2a6a304e371cce21334337910441f80
SHA256 91ca855e6849a0adc0487b40d2e51a589cbf17c50d34334a3b58d80d4186a3a4
SHA512 a343acaa0973304e48a84a55ea5113576895195c7fc73169e73b0fd298e18d351630d784646140e26c35b49005e6ef2e82fdfc5fa5ada1ae9e4ee40bd4989b36

memory/3908-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3868-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1156-20-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RIssYEQA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-16_3c1c337d67b3742f5e15720fc2944065_virlock

MD5 f598e9820ec2badd9796e258a2906231
SHA1 436252684b0b285ecc2747aaf1cdf1e4e67a6eb7
SHA256 49da8c24946900bd5af73c70099b775d1142033a25b347dd5a21ca68cedc7c0d
SHA512 e26c4b70ca14d0790d4495d56adf1ba87b0f4a5b86e87a9e4d3a9466443c6641e48f493fbbce29e9610e39ec0c150ed8bddda4e898760aa9f8b83bfb51df1f86

memory/1156-31-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4064-42-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3236-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2116-61-0x0000000000400000-0x0000000000421000-memory.dmp

memory/812-65-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2116-76-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3364-87-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3916-98-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3528-109-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4416-120-0x0000000000400000-0x0000000000421000-memory.dmp

memory/228-131-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1976-142-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1804-153-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4268-164-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2416-175-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1072-186-0x0000000000400000-0x0000000000421000-memory.dmp

memory/452-197-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2168-208-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3236-219-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4976-230-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3860-241-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4644-249-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2028-257-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5092-265-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1112-273-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4464-281-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3360-289-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3348-297-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1228-305-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3068-313-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2432-321-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3216-322-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3216-330-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4416-338-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1576-346-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4696-354-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2324-362-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2144-364-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2144-371-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1572-379-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4736-387-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1692-395-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5076-403-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1248-411-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3692-412-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3692-420-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2436-421-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2436-429-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1516-437-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2092-438-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2092-446-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1136-454-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2904-462-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3288-470-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3544-478-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4792-486-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1976-494-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YcEu.exe

MD5 17c0548043605fae4c8170b4c1623863
SHA1 091e7ca0368221f2aa4d5bc2eed46f03f4e58a14
SHA256 4fea74a16c4940cca4519ff432de9100152be083eaeab98715681fced7872a07
SHA512 058a6e8a239d49e59d838cd3f09d8c1835f59ec4d7979ff3f3ed2d2923f7a0e03092066aa69a31362dad1be4755e10c9b881ab6b2e45fe42911a402b8bb0ac39

memory/5076-504-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4436-518-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EQcm.exe

MD5 59b4d3096ace73fa154fe846c1784402
SHA1 9d4772c5df64e2e1ef46adceb2b7ae5d5139bace
SHA256 43722b30950702d0ad018618a93ebf761b1218b60d4d8d1e7811d12f62a5ab5d
SHA512 895b1354bd243d40b03c1ffefac5d3342b86dbcbc4ef619fad445efb1c6dfdf2fb905968f9faac1be14fbb0d1179a4ef99cca69faa05d932c93d188d99e26593

memory/5076-540-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uggo.exe

MD5 ae0909b234184dbfb913eea8257cdb30
SHA1 4c10775edfe955007082953694c88eccd92934cc
SHA256 9e81dfaaed604291123724e349e302cac22c1466fac1f69f53b234be08884bec
SHA512 ee1c2bc27ffacbcb61822e6eec259fffec8f7da7d85e7ce3c3274f838008c1468b4ce2a30de0496e188c7ab030426333b918754ec5fc8ecefbddf4c124e0133b

C:\Users\Admin\AppData\Local\Temp\mUMm.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\mgQQ.exe

MD5 d112450069f06a75ca314d1cc1f47b24
SHA1 69bca59a768589fddb67fe025ef000c4e23bd2bd
SHA256 eddcc1b9d6e34f92c37ebfbab9ca25109b250aea0bf5da70882921058f4a52f4
SHA512 e69e17f05fceac76b1550058a0a37cb0e83736814d9649b297d09b86eed4c5d23ed58be449b2264955f320d363307b491271753ca1b41936f1fac48f5035a20f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 782b510d17224cd8dac4783393bdc022
SHA1 ec486633185db5dbe7e06e6a0aefbebd154025ba
SHA256 0254974aee1e29a835ef73a2836b133cd271efda38fe826a5cd0c4279cbc2410
SHA512 40de3b3bd2280b653608df63c13ef3cc820a3ef57458c67abf8dc7b894b0f5b432075a2a5a1984cf6dca86cf7268149e6b542cf87dd53ccd387e01667d9fb83f

C:\Users\Admin\AppData\Local\Temp\ooMg.exe

MD5 8b27c41c36ea7bfd8a4d69b4189db33a
SHA1 110c74155c8751fc67329ded2fc8d3a3af45cac8
SHA256 33b74a59eae1b520162360b67dc5854daf255b05be796b5f184841db1368d3a4
SHA512 2a46aa1fd92f3db6d7439c9296def9aec4c6e517aa6fd6811d577a91f1eaa96345568ceae4bac447dc17dbe127162d528216f92d61d7ba34ab0ff08331bde087

memory/3568-604-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQoA.exe

MD5 bd74ffa1b455a2784adfe25ce9d1574c
SHA1 f20e7811b9b7e1354da722caf0e02367dfebce9c
SHA256 8285557c043047d63529d6eade88c997ec98ec99a0056bf10369954f16355d43
SHA512 01a6f6c23ccf6d2ca8a658b65e884448452cbb5ecc933937167f3f1bf19df2e920ada19bdbbb660dea515263b7eaa636dec33fb855dbb9be945130ca34d0d074

C:\Users\Admin\AppData\Local\Temp\mkAa.exe

MD5 d2803dd1dab3692e993b902592d4237b
SHA1 592cf35082e8ddfe226c168fb3398825aa53fbdd
SHA256 4c8259f3e10dd83f3ebdc2b1fa67849cf19c4feef96d6947538be37c0d79b3ba
SHA512 63080e1c63565b3e48fdc44789a42bbc993a196b17bbb1c46837db581bb30a6f713b0ccb53169fe40369dbebcc8cd1af47cddd31174cc1439045153bb6ffbd39

C:\Users\Admin\AppData\Local\Temp\Acgw.exe

MD5 03acb81014948f9f225b6a6eb66220dc
SHA1 434a3a3cbb3b1ef40b8d79f89c2a3d43e31a11a7
SHA256 628efac4d5eb914d5c058c30b8591675b42d49c36a1ee58453fc28e2ddb697fa
SHA512 00f21e4eee06d3c5a9d41bec7d078e6b415f30c37e3408a131f07719654b3b9d885c97e96a64aeb4311c3178f2c71261fc673ebe0c63ace21183672ee75ba31b

memory/3968-668-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MoUc.exe

MD5 08d847f195f82559a05ae41dfac955f7
SHA1 7cf8644230ca2913c833b4a70f1584ac84573d8d
SHA256 78517baf304008d2e698688e6966ab8b19e6921edc6b9f96740b37936769f6d5
SHA512 104a60fc71c161cfd88a3905eb42b00f0fb035b5f61e86a130946fce270e354a47e28c0e166170d2c9eb9a07e6cc7d3ffda1143e255fbb196abcecaf5cbe2d81

C:\Users\Admin\AppData\Local\Temp\ckMm.exe

MD5 cdbbd1ac2564eb66a6e5b1944f4acf20
SHA1 676c653fc36806280e4a13425d998cf140071b95
SHA256 d6d1672d7731cc058700a30601c23f52c449b72d0766cc34fb06e6ea594ac5e4
SHA512 9cbfc69aeed20c384cb9c3b61c53cb8ef00d92680bf8da316f2c4c0a1778789831461e7b6278873748f5da497d9bd77854021bdc8326bcd389d23c018a728fc5

C:\Users\Admin\AppData\Local\Temp\aAEo.exe

MD5 6a540daf3a0128403015ec72614e336d
SHA1 72718b8c4d6815a1bd155368fba09254ec223d92
SHA256 97c948dc308f60ab4595b698b5d9bf5e850b99d0c026c2bbc974a3d7c201c838
SHA512 3f0b5d7ba5846972460ce08cbfa2a171b5b28c24a9eaccf911e65ece58a50e418115b2c26d33be1cedcebc5f4dcea1472790cccbfe81b1159c700c65d44f15f4

C:\Users\Admin\AppData\Local\Temp\UIwy.exe

MD5 85d6f9acf5dc61acdfe300366369808b
SHA1 ccef660ac4175a17633dccf38bb5ff57fe6e3f74
SHA256 c2a9dc3f61f16a53280db6edf7b34341f59c22cb54f5baa5beac79ea3d2e4d02
SHA512 b6539058a896d591fa094c20e4ddce645460aa276165e2de497cce585f3a5cfb9371d698ccd1b9c8635b6e4c0e5f0fd70cb97fdadc56a514a9eb083123303295

C:\Users\Admin\AppData\Local\Temp\KcwI.exe

MD5 5d92dffcfb4035d157c7d948d38be5af
SHA1 9ce731164427d90df84ae6408ad382d1a0375823
SHA256 2bcdbc26c461f355184ab337e8b84d121c600900defb3be9a78596eb1502ce98
SHA512 392b58166f912b7bcef8554085a181afcdae44e6f6c206bd4cf6a9b57ab470ecc61706e506a425ec8194d28f1a4510d823774529cb390136d33ed39f5b53c567

memory/1980-732-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4988-731-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SYoE.exe

MD5 b24bed7c118f99fb132745500f06130e
SHA1 fe86800b50d4d83743706bc6fbebf58d3288e21d
SHA256 77a5d8ae67e1f9a124cdd78ffd6028ea0becc7fc65b5ea065b58979d93559b3e
SHA512 69201fe84e4a36cc6fb92687aac3ffbb922c318ec50658022627e08728ff4514f41fa5833d4ec3edaf839859828cfc0b32891795c5f7ca4700b376e2acef4360

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 e710c6a406a644df403fef92bd4e9e71
SHA1 cc77af52466b9d76e15839600b04e1f157c1b6b5
SHA256 84311daf9673f7fb3fe23f4a96239eb81342a31fc6ca51e09d68e48163fb7c65
SHA512 b69841c40ef0857e7781c2bd5a1c03fb73142069b49ca11f9571820431ac54a464e6da7ff7ac925c9b4b7f9eab6d3f912a6f616ea13a5f1c0c80e0c83228e838

C:\Users\Admin\AppData\Local\Temp\UEki.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\Akkm.exe

MD5 d1a66038a4928144b7cffc5b33832937
SHA1 a12fd877039766e96eb64d762b33f7227f8451bf
SHA256 7db933fe6677c8ed7742dfadb023a04bd447d9556e2ae8e3f1ed9e2956b3aa15
SHA512 d3f4a9cec65b33e5a1e5850b64e08cd72932ba126b7ac50b8bc7c0fdeff4548ecd4c70b744de2075f541d8a0bd87cf822cc4e737cf296af179a6ba2e44d00cdf

C:\Users\Admin\AppData\Local\Temp\uMAI.exe

MD5 1ee097494cea69f9ea68bf87768bf4b2
SHA1 71009b92bf21b3bd2958e47a23f92c4a124c2fd2
SHA256 1f3d1776843e38ef6922f57d32e42c548d688557337fda7217993b85ec84dff0
SHA512 cda11eb252d3e3989f35c8997416a5878062acae3b35bb6a668aa0dbd6ea841804d9a1fae759612646c3fbd3bdf375f84f879a4c9306f1c4da12350f8bd594c0

memory/4988-796-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iUQS.exe

MD5 04e75c097375388176ce6060f0946efa
SHA1 0d0c1f8562be568c8cc9ebf3dca113a8c1ab8dc3
SHA256 dc5cf2913f716e0108e874d19068b9ab1333fb12c4fd04cf15c185883ecb7576
SHA512 be2127649c66e90512206ccf89c697220e9626529f0fcfab7f35b9fb409831dee07143a0f99f170325d6cc679aee1fd6d99f9e4453c305b303f2e1c362b30404

C:\Users\Admin\AppData\Local\Temp\uUAM.exe

MD5 7e46288a8f3cdaf960d8be5aba301913
SHA1 d048adaeb29fbd63953ac163ed9a2c2deec6f040
SHA256 49f1f875a5b03589e2aa9da52da539d9471da32a46eae6d217066576a4f97e9c
SHA512 905c7c2ba159b9867e169dd2beabc7d620a2eff6e9cc928802d7f6a95ed81e64c03348f01f87e40139a1a49414449a3da5434a5941ed67fb2de1d383c603e448

C:\Users\Admin\AppData\Local\Temp\uMoY.exe

MD5 beec791ee78103968701831136f49455
SHA1 16bc9ffe6b976e4337aa889a3efcd0487cab4175
SHA256 cad0aa5dda75793e8367e604c52366cafdbc8576f181d5a74143ad7f8c1e4c2b
SHA512 dc889cc4124df9845b18fee58287b9592a7e26757227a1a0d08ac7bdbede7f91779ef73808d2d8639b5f12d0af2e7d5905a7155e210dca9aa5abd20220e3418e

C:\Users\Admin\AppData\Local\Temp\EMYi.exe

MD5 0131290c5c589fbf69f2cfadf095a463
SHA1 591d11552ae5e7204b73d7b3a1513767d6d0a81c
SHA256 3048db0b576920f56bcea3db7465eb94163aff36be8f69b0d944271f2c4d03a8
SHA512 fd10e1f1e20737b09529138a8cb5795042b3f0b4066f976dfae69258694fc64fc5d46f39e599336d43b63f8ecaa026b7335794a8207c8fcda50894e8b7086b63

memory/4892-857-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3812-861-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qkYQ.exe

MD5 729ee11a90f5d94b0301e83ed35a4156
SHA1 7323a737bcd67fd2f460ab73f53b75cfe00af9e0
SHA256 5720884b2f9d889a8f699caa47ffab63003dd826c907ff969b585fcca94a701f
SHA512 751c14c6cfe26a0eb1c8eaff07c940053527d9b053ab63a4005722ff83f72c9fed23523e576450518b8a54289df1fd029633e4d63d5e4cae4d7e811273af0a3f

C:\Users\Admin\AppData\Local\Temp\scgc.exe

MD5 d8c09cd0e24b9e16d72bc37940740a9e
SHA1 145f3038d5128b11291d98acfa66102a15e0bab8
SHA256 4cba8624489901dace768410564581fecc7fe37cf24fe72f003b557b3b5a06e2
SHA512 c5c55e01974c8ac55e89fa0109a0b152ef0e7ee5ee96fb6785d0fc306313811b78605af88df30043fbf4fe07ec2125435fbfd28aeb2c30e2c837aacdbc396a67

C:\Users\Admin\AppData\Local\Temp\ecsU.exe

MD5 06b8cdc7fae24278ff567e9b1430f92b
SHA1 45bec98a05a61bad4c45ecdff1b7eeddea7a414f
SHA256 1c6af38b0ded65aab9d384cd5dbdcfd41231b73913aead28c41f296e7b5f299a
SHA512 482909201c3747e226297edf0945306e782f1c5e92cdae49a163928b70c7a385020186a8d9d629c77358c6bde26fe093abbf2a8085e833b3ac09a1c5e7776c7f

memory/4892-911-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 e40ace71faa31cd4709ba22df4c851b3
SHA1 6d6b3e94211ab31a101b8bc764c5137b3f59b219
SHA256 bada25d44ae22f1c1611bab97f036131f439120575649218090c6c5c63c56726
SHA512 7bc213200af6e3f9be5071b223b79e699194fba7e2e14d028c6c7e718ee57a3e8a5c4f54f8bee199115c0fa6382607feff7460eb83aabdff288e15c2805eb920

C:\Users\Admin\AppData\Local\Temp\EwsU.exe

MD5 7b0cc06120829e498fcbdcc9961ff65b
SHA1 a994d1685fd16dcd7e0799e8237d034c0ab0d67e
SHA256 e19716427a9f23c65d892013128f9e965b171c186cef661dc88408b4cd17fe8d
SHA512 410d3919bc95c9fb7bd3641c511055a2931a1d22b8f3a3a864de7dcf950df4ea5a8b4ca530998582af4d471a83089a5cb76f6b1aab26b621af802fd7381dab13

C:\Users\Admin\AppData\Local\Temp\EcYG.exe

MD5 9c128b72fd2c69f48c9d557bdefad41f
SHA1 b94ceb496e84e53973bc93b3cdafc071f6a65d3d
SHA256 3de9e04a898b23f1d1c56cd43c54a9546d1c01fb51e8d36dc91ef8732e8d53a0
SHA512 66951168c674d19311c00edf7140957ae32c393c525869c6c16a0e2323e4a96eb7d1b5b38ee0a9c231c5c54289480c1c17e7324209128cd1347c20c02e0ad7bc

C:\Users\Admin\AppData\Local\Temp\YoEE.exe

MD5 4ed7dc2f3a136dd83e27740c7009d33e
SHA1 0f08b0e860eda2a4f98ae8099ba5d50f8e59297b
SHA256 cb6047de8bb348310cf515e6e32cde6003c470118472cebbfe76d94f550cb27f
SHA512 99e7cbe40392b017f1867047fcc9fb8d2d74ffefa546e98305c6c877839c393191e246ce03f65c98b058c86c9339be16fdcb84d75ef4624dbbc923fbfc6a75fb

memory/2116-975-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AIMU.exe

MD5 d6ed27acc4fadcfdd8ac782e780938d9
SHA1 febb167804c38f82ce3c51744bb2591f132fab69
SHA256 9d907ac3b0ff0401073888b8b2c99a21651ad57f8202399311231e11d252ee6e
SHA512 152c25fbfee86973f1793442cbe41bcd93901874319f8151fa26a6ea7a3e96adb676d55020320f96426839ef4ad8072078035d35f3d7242a695b9522f78aa675

C:\Users\Admin\AppData\Local\Temp\CgkC.exe

MD5 2558cb6d9d7beff96e1a9fbffbc9f0f7
SHA1 e009d09bcc4a5ca6e5402582dcf130257c13e9d8
SHA256 a271a7c9a0d7abac138c6dbea1bd61950e7e0c2d4603d1343c65c6940a8c93b3
SHA512 4b747561648b35e9e67c592102021867e8abcd8b6673556986048b9d93298076c4d07e56de6f4e33d28479d27ae64607e8765981c719a758dad5f4e8674d27bc

C:\Users\Admin\AppData\Local\Temp\uQsq.exe

MD5 be5877e9a081902ae8e866d63d72bcab
SHA1 1a4c911bb17583d91802bb171e935f0e41d7380a
SHA256 cacef8beaa36c4104b47bfcfd5a6cc5dc566f2718cdad17f0a56439ff68ebd9d
SHA512 5ef75ee1b7490b5b77080db4fd2363990ecc2a16dc9e90ad962b641ddea676d78a1db4994b3d1bb7eeeefb5b73fcac48dedb186b8318dfa7f3946a64ba9041bd

memory/1156-1025-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwwW.exe

MD5 51326d8448dabda52904870782f56616
SHA1 3ab5899521b6b0ac69b0b2cbce7727f0cf25f62f
SHA256 6344e2e88244b3a790147ebcea6fc13a28abed566948e02842e74b090d419c15
SHA512 59064a32b8805e54637186a27c89f1f693aed48e98d58869b2b047a0eba357cf8f89ac72590f439b6ac6209cf045b065dfe9cf2a068153b471396e4d88346903

C:\Users\Admin\AppData\Local\Temp\egIy.exe

MD5 db4784422d106c96704f88e31cd10918
SHA1 4894698b3bf250cc6430810baa16db6b50a629d1
SHA256 fa019a9808418e43216d77cb6ba72fbf81de6d2e2a021141259d5ecd1c02837f
SHA512 2d6380ef8e5c72312b17e0244673a4aaffd792cb7f61307adecb5149ada8f89085e68b3a2e231101fc32fd784b998edff86a66b76e7b2590be83038b103a6b83

C:\Users\Admin\AppData\Local\Temp\Moka.exe

MD5 9d18d451742ad20ba0319b5e7ce8e93e
SHA1 fad1bf851f6fee2e8bc8ff66c5b4980113baccd5
SHA256 3a814e9dd7c61147f05b91237009fdb0cf197805827d96fb2d1b927e0a48048a
SHA512 2946fe542aca6bac1e4824ea5f3c63b33df31a4f1a6e7ed06df289c8c4dbffeffbc03b596b1cb4f027f431777504605ddc952af774d401b986ada546f912ac23

memory/2000-1075-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EggO.exe

MD5 ffc8081057241adb09e0655f1e715cac
SHA1 a6cb9aa64fbe80e412a22fca8ae9030d75d63f8d
SHA256 71471b6f2e8851c1d24c601a0d2e1cb516419c14c18baa33303e49e17c84307b
SHA512 8c29b1c14d4538e81e4e67e0cc160b0fb8f54394d4db7bb5bee6ac2e3a7b31d6ec2ad974e4dcbe6830433604901712af5bb4fc520869acec0172dbd12c60481c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 c5ebd078794f75982e3ace09edfa6487
SHA1 5d1b08ddaa11ccacb431746c4808624a1b89742f
SHA256 7bbabdcc66daa43029aa1b2c72119424e88093cc5bcae88b783eaadcb1fa1c2b
SHA512 e1285a955b9d2d62f196170ebd6e0ca22b95ce5371bb1beb69c01a852e249b2190d1acfd5d7151d9f47522467d498a9a3e3e6e5644805d1d44ee621157ba9f97

C:\Users\Admin\AppData\Local\Temp\CIke.exe

MD5 dc6fbc4a580acb81beca7dd6fed78c08
SHA1 5b40c4250a11541793ed4722619b3749230859ab
SHA256 7b3370c043e825345ec95aa013bb82a2980ecc4fafaa180416b8fb85cd6e478e
SHA512 ae81f68db8df7c22ff1c3ec6c6cfad38f49db1171bbffece227f130275b63d711a3ae5fe2d393f6e1e050a95d8a376e9ce59e0b1e4bb97101e2c8e05c479d758

C:\Users\Admin\AppData\Local\Temp\uMYC.exe

MD5 612d8c52f78c03a826abc6a32ff7b3b2
SHA1 1dac873b56ca2f167a6ec700a17cdd2107974378
SHA256 3927a0631449ec1e6f1792e727200208c3ace65665a0327ccaece82203c24bbc
SHA512 67bc3d956a2c628cdd6d3ad059783d11925f69168454610ec12e93477544457b4314534a29c58d08815e68a6b06fca1dedfb15d648aeb19d1cb002f4c1b0edcd

memory/2844-1138-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cowS.exe

MD5 83d87ed287c987df8b85f8c858d04977
SHA1 7f36650801212b735af7482fdc5f74bcf47adffa
SHA256 14a3a34f0c22d913f0a1bd021d28c72bc71b04f9b8ef81d2550e3b73b7e582c7
SHA512 e0dbd57b933ffdfb09935be04232c8122c6f8aa6b4a5f30621e19554e8b4b065f57ad1e843cf09bc712065bd8151698393db36d310191ceeae996b2f2851cb10

C:\Users\Admin\AppData\Local\Temp\sQwc.exe

MD5 1065f78b8af263c915cc17057e35d197
SHA1 07c52c682815a82720dd34248edbe87033e9ab3b
SHA256 b9ae952cee9967a618273c786b585385597b8bc0fa149f20c3ad897572fb7c13
SHA512 d05423e1ffe7e77520264e2aaa379fe6805e0ee3ad4c9d5c334df2cc8946bcb016f4173fa7754b4f9cfc993b8ef663661751de02491df5eb99a324df780c339b

C:\Users\Admin\AppData\Local\Temp\IEAW.exe

MD5 2ca98b85d8799b9958c3138ca65d505d
SHA1 2c898efd6e02b18cf748ba4419eea97298bac555
SHA256 d448c1c378844ca7081ec4ed779ec184c9dc29306d8e7b6416e484f5bf674d97
SHA512 88c8d93125c0c5cd25e18353d8c66b665659958686f76ddb7a1a812b8a1b0118bff1e373b9b9c32c1dc88c8d295f7a498e71df3ce163f0a885f6a53eb650ad18

C:\Users\Admin\AppData\Local\Temp\wcgc.exe

MD5 be73afa4de2831897f05bc951b80ffe8
SHA1 f03521ea7fe4ad74d2118c774a63bbc647b69363
SHA256 90ccb4be3b647b1cd5fbde1b3b699c20c015e17cd959ece255964d58771853bc
SHA512 8b818dff17e06a922ab427cfa9e03e2f84bf2323bdb6fe7293fddf1b0f62b2428a0ba0e0518c40e064b15306bb98a3bd898f8c5a5048afe66faa39386ce3f44c

memory/3056-1202-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KAIK.exe

MD5 4a691e7f840f1851ce616416fc202616
SHA1 5b8f8d0a96fe29eb92b62f932409010b89683e15
SHA256 48239444ace5861ab60bb7f924f46abf27addc00819f3dad5142c05573d3418a
SHA512 1a3587d3cbd0232ada1627d61d4b0883853fc03020df09b695a7f740c927bd66faf97218047451c4d19fb486163ac6e1f3540a8df1c4853da151ab988019c71c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 9ff7c38a0783e5c0b40462d5e51110d4
SHA1 4383dce2b40ae473931fb6953dda6e2b94f84940
SHA256 d95fafa316ec9a0d41a91622651242c27469ebe40ab241a50c62166ab1934d1e
SHA512 122079a91f0774ba6a74b6caad5b44b65dfffd0ad84893ce3ffdc838a6c08410235f3cf28ce823930800b5426dc6dcbd43468d7b19f332191947d5e3b96fec50

C:\Users\Admin\AppData\Local\Temp\OsQE.exe

MD5 f23f8bff8c7ff0079086220e8b9181e4
SHA1 e689a45a7c7b5d0f2b13505da3484d559124b263
SHA256 51421dccdc70f983beef2495ac88aa058df6b9dd3a821e62d78be1c25bd76afa
SHA512 8dada07021e36db45465a4ba9f81d57fd1905a0eec80c6e02807e2db6a221097ac0540c8af0a7d3b57d53c2d51c7f3543ee50e46dc90a6c270b28c9bd4f870d4

memory/4004-1252-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WAAu.exe

MD5 c7b009c19c21c89b460e4cead88a2a98
SHA1 706398dea85cab354a78720a547fb94a3a7e7fa2
SHA256 ddf5b41f012d09281a4bccfb6229fe7136d2fbd6507c58b7ac84afd9274123f9
SHA512 0430000a329d07e761458c74a26089b994f598803ac1f5922fbb5df436989d9030adb4b5f3ed2904f8c9e484673a1bb068e85b3ecd50ecc2b13cd9919c6030f9

C:\Users\Admin\AppData\Local\Temp\IUIy.exe

MD5 4a858f37b9ffabbed81f86a00053fd5c
SHA1 c673d6fcfb9e55668b72129dd825b67802c42e28
SHA256 826b0ae118294c9666cd495ec69de16bf5a3052891e6f226ad49b03dcc39e8e4
SHA512 91b64397808d956ed414a7dae3b4e33e4c2f6b7a06e0ef167867e4ec7018a1ea658ab49076121f90314ebc0c054cfc18b8a8b1630964456082f4a5ca5008bb61

C:\Users\Admin\AppData\Local\Temp\QsIw.exe

MD5 35ba5f1e72c728dfed30e185e23a2b84
SHA1 20ec5e53f5c08ea6e1d4331ae036721cbd7feaf6
SHA256 54ff0a430c00ab990ce6e5127beb6c97c45ef372c9a734bc2de6290206407dad
SHA512 1d30e2f9e256eb567161a7f66b823e5eb38ee23fcc6cbf85707d45e9c9af12fd9552256043ed6c76fdbc7158fc55e399e1b4f2cb385fc5f64393dbdc2b6d62b1

C:\Users\Admin\AppData\Local\Temp\mIIY.exe

MD5 d4129b19acbd5a99f7d1f695c8785da3
SHA1 e3878bb5a1830f0a71f0e365b157d0501487a3f6
SHA256 e2fd092e73decfba899dd2b0f7be29133d3e0530850d8029b546cec81fc08c4f
SHA512 3cdd7ea5cb7f68f89d620197969cc09e18c574d3f776b4ef4233784dd5aaa039d0bf0e7014787202e8a31fad806e07819c283cc3363beb4789fcfdc8f9b7cb13

C:\Users\Admin\AppData\Local\Temp\ekUG.exe

MD5 c5bbeb3ce05eec51e5373b1901ddb81e
SHA1 a30b8c3ef9dbb19e4fb7096f1466638e0f987988
SHA256 03b4c081a9289e21be652d5988864ed02b3acaa08f1a7a8ab1995201f52c027c
SHA512 496be39e0c61108a325474dbf38d333adfdfd7f95926c5e67c39a32e5caaa60f43f0591274bd18d9ac73415b9cde76e2d4341a3d99584301653540c045442424

memory/2300-1329-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sAwo.exe

MD5 4cf79354c25b4efefea554b8c86f7c80
SHA1 95d295ce9c1c3147a33ce645b3e9220f8b16d792
SHA256 937d3d600ae505689f71ac955baa952ddcac4e5757179b569946e71fef3910a5
SHA512 d50bb56c5c23adb711235a85de514fccac3cd69e340031a6cd8bc78b067d609059bf7a1f585f515e78dace9e2dc9d1ea211dd864f7febfee97de002df1366739

C:\Users\Admin\AppData\Local\Temp\IIkc.exe

MD5 1f2ff695355437d616eea12d64355cdd
SHA1 e963193452dc683617db898ac527f06c401ebebc
SHA256 96b8fff42230bb40f979e0221a48b701ceaa0989e2ef1058fd56ab7dfe672a34
SHA512 f18d6439a23a4d11e8202561336b0294e7d2a39dec55f3e6ed39b4c4209ffe2dcf19b50ac1e0d4c43cea70ba4bbd1d482c98276add076a7580daa06c617af139

memory/3868-1375-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoEG.exe

MD5 6a4ae10162ea069eb9e484c8fdaa2fe0
SHA1 0e89954d4526cecbf13b6321c5508c9ddbf3c2fd
SHA256 6d4394de63a2fea71755d516d78a61af808ebff65b2515c9ad9cf7cb0624c72c
SHA512 dca83936a98a1ee52ca5c146a7587ae9db9a8c837d2dbecbd2c9f24c14d0a70ee534a4eee3125ca5fc64c5f25a51c5ed9728fc0ce957a2ff90d3090bee38fc77

C:\Users\Admin\AppData\Local\Temp\SYYq.exe

MD5 7f6ee695ed49b224dbc99fdd2dc843fc
SHA1 4e26d67feb03bb17afe55ac07dbc35622b9a0237
SHA256 39c07bd9c2e7e84d050704d72c4b50f95a6b7f8f942b580e7aa9af0260dff172
SHA512 b7029ce1b4835e4fd403b56716d34b7bc921f1bed3ec9012d42414df1b828fd07932316148f16f362dcb83f1c3ed3a5c3b0914385a7113a860ead67723e90793

C:\Users\Admin\AppData\Local\Temp\wMkI.exe

MD5 00ed0878efd553f6a183ba07fa835d09
SHA1 043ce2e88674d990b577c1fedb1625cbd14f1774
SHA256 3b0cf4ab3e4f8a6ad2140edb076bdf1dfd1d3eb3ff0286dad81b3ccd03bb47e6
SHA512 d8cce59bc019e83a43876566e7b755f00e1f5daf7dac72226138388e9dd86f1d7ad39d1a8f830ff1d21ee136340578ec3d6bf6d09c1ecae612cc74872d5d5528

C:\Users\Admin\AppData\Local\Temp\wUgI.exe

MD5 b4e64b91e47935c5c99656eee75b24ce
SHA1 3ca776533f48aa6dfbd062aef0ffd23656ab6ff3
SHA256 d3d97d7ace95ae627585c2e0bbba56457cf71d59a4d076f2d77cd5cdb6197968
SHA512 7493519141b630e45fde9f79f4c50beb3e931d5dacc34d12e5682a0a146d60f16359cb39a4ec11ac5edebe9c9d41d34f4734ba8cf7701ae5d6dd00768474189e

C:\Users\Admin\AppData\Local\Temp\wsws.exe

MD5 76a1d842c5e29f16162833504657edcd
SHA1 a59bc327a9c1dea0480462b0d553f9c63d9b5356
SHA256 05c7c966a6f5039c5712f411a8b0f30298acbda36add52a4ad92bc212fd6dbe1
SHA512 3ce22079ca92037e752a856b876e8962c20701e5c91235c5a834d6775d67471fb4be3b6ccd3deec4366666c9d44a9f934fc5b7041c0cd2ebb1dad25654cf7db3

memory/3940-1442-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osME.exe

MD5 9232f0dcde4e98f85efb4af5ad18042c
SHA1 1c1b287b7653a2c00a8533fc7b6765bc5b98e696
SHA256 4836904dd948c693284859e42aedde8ccbd36660e80b52389c0c38c7be48570f
SHA512 0a70fcf7ef82161c54e903e0b14d41175034f172b083d1bdf8ef85cd398854397aafc9dc4145422f6c953b5190465b4fa72c14e35ee35fdfcfe07cd9f360ce77

C:\Users\Admin\AppData\Local\Temp\qIIC.exe

MD5 37d5f42239cd4519556364d7a5c473fb
SHA1 7adc4b576efa95d9b4aab1108c65cfc5379e8dcd
SHA256 4dfd2c0092bce2758594ad2ea991c7c9192bd4cbc1a1d8f0327666f18ea3291b
SHA512 6c3becb3a44f989ebe59fdd301a7157e03b68a3d34602d973a7faa97c79f7e173fee403550597163795a6056af19bf76ec090f8d4550ace8097b1469e159e6fa

C:\Users\Admin\AppData\Local\Temp\AIsI.exe

MD5 19ceb4e1db54aa016bcee8c22eca05cf
SHA1 d2f9ccae7a0e19f0e07086186f821e0d7a9478e3
SHA256 9fd6f3e5598aec21b9a98c52a331974e098f899cb683a011cf015fbe865d6c42
SHA512 3ee19e6a5d4edfdb009a3e4588505bdadf9344b96945c9cc5f60e389fcc455a6866fe1b80af17949674a452b50001a2007312476ac989d5dcd41749dbe76f62e

C:\Users\Admin\AppData\Local\Temp\WIce.exe

MD5 55544b9fe8f9270b5246fadde61c94fe
SHA1 0b9ec9ba62ba7801de5540b469d68f3d12cbc4f4
SHA256 9c0fa840e5b201a4c86d133de8aa2a6f91060ff7cd763a17b1f0169e033ee4f4
SHA512 bf8a950ac25b4d20799c33f2ac34a599c8f352884d4333f339eb05ae5d63c3814d3e53d628c4758589d17ad1794b5f8bc53cb4ff766c3c7c3a8f790cef32e2ae

memory/976-1506-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oQcy.exe

MD5 c0a66f61231d30f1a41d3f8f3677ff51
SHA1 f43b91e919b2e7ffcc34a2d30b5773497c95ddc5
SHA256 0d6fc07c048a9ca714fb78b34a2cca8e2a5f4cc11cec196bb0f2e27d477868f3
SHA512 f9d0360af1c6077638546feded2ccc310ccaf2971b78854c0cbbad14a1efa11c88210f79a5c6252f117275809d63d9943f4ee41eccef00726ff589d58edbd95f

C:\Users\Admin\AppData\Local\Temp\ccgY.exe

MD5 56c727a9bb7502fda0ca9514a530f5a9
SHA1 a40b65fbbdb05bedacdcbb7317e81b69b04faace
SHA256 91d9015a6f5cb96895b1f4704c3b033c068d15fa2ea91ef8cffd8a7bd0518869
SHA512 7f59d610fbf963dbfcba2c25511a3835a9b65214034d6d8d686ac9cecb6d4ba045122d76e3857d090896ba74317ecff898078e18e11a186dc0e6be9e988d8790

C:\Users\Admin\AppData\Local\Temp\kMUi.exe

MD5 8c01c4d62a0378e2b7da23dce15b8d10
SHA1 05890733e3d9b9822fa65531f8d41a90e64e8bda
SHA256 e30561f7967b620586d4a28dae7d0eae63a0d9e979f62d764c289f892587fc5b
SHA512 847bc6b347223b7812a80bd368401ee67f316df68882840f206b71958c7eb7b94f9aee9f623c90671d84854fc9a06498be9df449bb4ea9a2bece226e3607c844

C:\Users\Admin\AppData\Local\Temp\ccsI.exe

MD5 751f656c6e0d09e9a12a0a29c0f5a935
SHA1 c707c4e8fa8c67d633950c4bb62bbae27751126d
SHA256 f43ace9483ed4cfa4d67f0e58dd993714bd6cc7634826ed5783d00ae4a95620b
SHA512 9dd635ac9250d164fe90f521471b02c72e81b4ba0f8ca9c18e31fa9e60ef9be80b6eb9e3637a4eed40cc55f807969be90d02878d6d4d88beb5faea82ee55ef6d

memory/4460-1569-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoMA.exe

MD5 42d2bc07f1389d32d7738d1c1a78d971
SHA1 96cdac6dcd1c3552e34415afe37f7c3d644622e3
SHA256 3814a3eec8fee815b51b9828ffd071807b791243841c4f665dea3291cbd1fd68
SHA512 1f60aab677d5189b0cb48e413403fc067f940d55ec6cb03162d5ebe692a619aaf874fb96843fe460f39db71926c91a5a926f2538dc1984950b17307ad607e471

C:\Users\Admin\AppData\Local\Temp\egMe.exe

MD5 d8ca25bc2690385ed6d2128b70ef83aa
SHA1 b118d46b91e70d115f33443ccdac1e72aadad2ab
SHA256 44f1e39df2231d568c4745579d3d125d8669115960896b93877d7fde8de3b346
SHA512 4a4d697161233a6b750b532995c35230f86d1c8e5a5a4e1ea67fdfd2cefdba6e471896a6a29f271a1ec3ca9fb99ea0cd04fd4508f7c7e7446a5a40857b917676

C:\Users\Admin\AppData\Local\Temp\sQMW.exe

MD5 691811531e9e03b14e6fa97d4c0df2f7
SHA1 08ea0ed3ede0ebe1caa92598bcbe68c9c772ec91
SHA256 92324b74ede954c060c7cac80e75fe3386aee603f7d998f190e7459fb8702135
SHA512 23029be1708c93714f0a2e75f82adaec72150ef6ff4dc23dc4d13e58e6f733b48842f80d8547ad774b8613f0fe17946089e117f39777357710baa0f8c0512fd0

C:\Users\Admin\AppData\Local\Temp\KYYy.exe

MD5 727ff8e9cdf0f03e27cb29c488536103
SHA1 2dd5e698a3c4c9d35a5e7f7326f0ec199617bea3
SHA256 0f987cbcde13340ce1daa881e70d908a38b930bf0a8758acdd8b0e143e7a5631
SHA512 e0a7f3eba5cb9f5e70cb749e8c9be223418bc60bad2294ea20abf9f1ebef02555eba69e1b1ffed5b365d0dbf3da521c029e38c69c5596ace5366f1343a1a09fb

C:\Users\Admin\AppData\Local\Temp\mYMy.exe

MD5 96e664eb733b08ac7027e39bcc6d2e9e
SHA1 9de22d422346612ad18d962361987e8b22855c09
SHA256 27e87169012966fec0dabdff3972c61b64a745259fb8fb54844e344ddd63a818
SHA512 c339bf3ebd0d0fb29b4d0389f9e10a93f5d1b2d2beb5028934bd0037abe69362ee5f5249d3306caaaa206ff38e9fcca3e63cdba5cf2134c79ddf659e43d73dec

memory/924-1646-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iAIu.exe

MD5 c2e86a6d6d0f73f7bc567472ed3805a5
SHA1 c54ec44f2d1e3e48c7aa993008caf117a5f512fb
SHA256 02c8f85c7e8958df09c452f3a6ed41c817e2d867a5f173150356451b945db974
SHA512 8dcd661b8eb5925321178e2ab1da7ef82ab090ba64979ee224188f38aef38c71832f42671667a5a76f3ca50c2b051dcb355cb9008f4f831914a63a2ba0dfbced

C:\Users\Admin\AppData\Local\Temp\skYU.exe

MD5 a5dcf53dbcfd92cf44fb338a9a82a168
SHA1 341f840dec4a294a4f3e20323e8afab3b49ca39d
SHA256 56f1094066b3131d6e4df04567543f953cf24929218311657fa25812e1efbb40
SHA512 02c9aed047b4486a8d7ee57bb806a6792b22c811c50d963b6fd4fed06bcda1a5fc5724b309bb5696a148869dc3b27f60b47f3461eda04b50ad385a4c6cfb88d8

C:\Users\Admin\AppData\Local\Temp\AIsy.exe

MD5 c823f440553e7332bfc80bdd9a50bd43
SHA1 3062df68cb9770ed174805407be0a3f5c0b5e451
SHA256 f29b146d7ba7a2977326e539a47ead64675c06b1531bfa097dbd095a5c58ac6a
SHA512 c3a6b6519726ecd0ff5026831eb834f5f23e92e73993adcb26927285217657fcbf80a53b5c65f236de40b947289dbb7c4844fb472165131e723428bcfe7e8a83

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 ed56e652778124c43e6d73c6f671c959
SHA1 7c2824f9c518c4d67ac995b0946ac7a087f4e04c
SHA256 b3e1b69ae51c3b3f3c4a0c12849ae60c1a4167a2995047f7b3c84887c80fe634
SHA512 39f7b90adadf78064136b3f94b80b365f701483b352f9b99b174e3bdd1c224e1940f5f1710def0843ab9b6d57a1dfa406f5490ca01b691ff75031360d82ca71a

memory/976-1710-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OMsO.exe

MD5 2f8b6280f25b8a882cf560da113ff830
SHA1 2d1c2ee7c94f2f3911124234994f05f99e7dcaa7
SHA256 9eb232633093b1253ed30eddef4f49e84ef5c883371a2a3957081d92f100befd
SHA512 0aa93a553257c3f0c6f64b6c01db918f147dd712dc3b9a28d4f424799c4f37759ab67028b402985c22de1e6a91338f40d6e098e8a10355f236dd10ebd0c311b2

C:\Users\Admin\AppData\Local\Temp\yQQS.exe

MD5 624814d799a1aeda9af23ce2bd72c444
SHA1 5b6ea94879c679251a8414e98b9597ee56ff7cee
SHA256 0604b483760a870c28deef72035d5c2eca1b3d61e74f3ecd034ad2f3fa961c58
SHA512 151e9cd5b0dfeedb9f471431beba60c2137ea0b64c16c4ae9e293dddfe32762d7e326a2a32929127a467a4d0dd6f0eea768fb0c9c8ff5ac2ae3f22583895527a

C:\Users\Admin\AppData\Local\Temp\uIUQ.exe

MD5 decefebfdb815a8aa5a8d1f5315afbad
SHA1 d2cfa6d869d1bb9454d662c9f10c02d8d9b964b5
SHA256 04638789121265ad134adf4d204717e3b5eb3326c35895c5e6add1c802f567e0
SHA512 c82f63c222ca2d9bb52821ded7854a8daf860f883c2ed2fd1b3b2b8c033df61b885af55e627987fc3c2c0ffccd17bd9206ae57ef6b6a09bbde51b6646bc16902

memory/3804-1760-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEYI.exe

MD5 675039fe2c5bc1e0b81dd31c81433134
SHA1 4489f30e64ecfd99c9f0818bf6a686101f31ceb3
SHA256 76d7b76787d875d6a6b88a0dc90b27755dbc7338c89f64b1b788fbdb553096fc
SHA512 8a4457bfd30abbad666f40184a5fad9cefa45a162500b64f09ee30dd801a29a34046d8f5a2fca01d0dadf33379e21cb0c6f7e594de305ec4fff32830028c0ba8

C:\Users\Admin\AppData\Local\Temp\aIcw.exe

MD5 d250267f9a789dd3dd4ca2d47cf260ce
SHA1 b4a589ffd1c168e5d50ea61851973b86adfce6f7
SHA256 659a1d125dd9f2f21f77f90173d468b9e610a7756ac126a4414c081be1bf2edf
SHA512 8da8cfaad6beff798d4e8849f7e166cc6a301c180813e53bd2dbaacff42e593491023b18cceaf6d135ab0e555e991dd12465a2a5355d7ab7381f0392dd1b3f10

C:\Users\Admin\AppData\Local\Temp\KkMK.exe

MD5 93e240b6232cc282f01ced17786bcb3b
SHA1 e523b5af11fe1c8b8987d5c64b35fb3e90fef7fc
SHA256 d9732536db4fb7a60e65e5e5295e5569388c2b4bd7c48972a5101f0bb8e9b28d
SHA512 ffc2e75c1bbb4c76eea5d271f0e2e7cb2f711467a80f93c67053eedf0436c923dafd87ac8c4714f03ace8a24992a1c641bf7dbee57d030d9228ae20b947d3eda

C:\Users\Admin\AppData\Local\Temp\wUsU.exe

MD5 ba882a9a61452b19e4566ce72e404d41
SHA1 01d1b5be30c7af1d8375246c6cb313222858ab5a
SHA256 54f6c44df87b96577345f734ece27b0c9f83df04d8945fd4efa751dd633d3917
SHA512 ec3d99d5e2b5c7239357a0e6aa08c10175cb7cf58ff856dd9da820b7531945016356402e854daee7c087433e6d69eee7fcd4ba68a04b5f2dc99102f7da616256

memory/4768-1821-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 cd609da409d0566173449e3a7630b35f
SHA1 4a00251b4581df8a1a59e2dac65d1995cf4f2025
SHA256 ceb685da3f694eb57a4e36e079ffec143c6f37c9d4d72ca7f2711aab31d9d4cd
SHA512 59eea1c4d92e67899264a8138a636fa4ee9df17829ff9e7965c6f704c3b56f0093a0992d0d638b5526d5989634798f56e54a333f0114f353d49d02db0a7c28ef

memory/2316-1839-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KIMu.exe

MD5 03ac4ecf835a29da4917d4d1cec26192
SHA1 4f90643a0a79b47b3ee706de02d8932fd2088584
SHA256 fdf434b9afc7ab7046ff91710c85b7a3df9df139d95403c8a530186db0f3b951
SHA512 baa0393ed169712f979cd77feb314dd6564025bff1deea14d6517d53bc225937516bdb280237f0471920b1517ac1e02e6651dbbbf4ffcc94f8add81f661e8b48

C:\Users\Admin\AppData\Local\Temp\AEIc.exe

MD5 1aa37813981de6bc37440dd397e9b09e
SHA1 d4558dbb793f04317b09d1893446bddd21958c3a
SHA256 6d8dc414b13e3e092a4156d833b5a03b9e1602f42aa56ceba119839c352876f9
SHA512 975139a8a8c927691817a5498e4d20d9bf422409e4246c837e949c51d0109cf346d857e28eb268de2d54b02d9188eea91b7b7e8b9cc1efdff2de5378db770bba

C:\Users\Admin\AppData\Local\Temp\iEMi.exe

MD5 7199b1e90f8dd0d68c9755db317dae4b
SHA1 cb0bd397cf1298e853dfe82dc687ea488c19e008
SHA256 00c3d24ef168b96ec61740fc6134ccfb8c21388a8bcd608ed26350b94351bf04
SHA512 662627ee3c8d8f0a9e418868ecf50749dd25fdd711fad34297df68ee0ae702c717b791927ab1b7f2ac948ed2265060c7f4ed10617544221c903d251ced673b3d

memory/4768-1889-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwwO.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\QQsq.exe

MD5 5d1a9f35c04445e85b811a5d0dc86229
SHA1 0d3d8e037de8d9ca72c9e143a8defa844300bb13
SHA256 4f34c1208151fe44622fdf03fa3e087a52925428ce3d4ded60c1a2228f6d1009
SHA512 2f216262133ad53128c1e8fbc8953f503b0030ab237a3d81e1c2027ba6dd03fb7657cc815a7d0db2bc2421e632dc38f3d5c42d0401a72967069b842a50354f0f

C:\Users\Admin\AppData\Local\Temp\EkEW.exe

MD5 ed1c1118837b2b807c9942c953a3b373
SHA1 8b272a7bd3497a1edd7c629b3a9623aca98f6c8a
SHA256 7c5e18ac72217812903efa781024fbdc998d4c92a9aaffd39499d066c51d478c
SHA512 da85753930b34a26f4907e14e2dcaba3b398cc4adddf4f7f5a6852ae9d679aecf784677d066b9a133440521caf4e28d696852a92ef2b5889ad00e753bbe508fc

C:\Users\Admin\AppData\Local\Temp\SwgI.exe

MD5 7b7cb321d9082c7a7aced40de5101839
SHA1 3315e896749a5ecf7b533da3e55f481545fe0b49
SHA256 5c927664a4f0797f4e73f67bddb5df58bc80860fac8268c7255f7bfec5cca2c6
SHA512 335e15e754fc310b21c7de16db966629d62a7e409cef8bafc033ffd9698aeac3a13a0e3e4414220e7a29fee5bf13989bf69e822cbd95022e023d65dacbc69891

memory/5064-1939-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uAAi.exe

MD5 277c17ff387ece5626e0f094dfc30868
SHA1 c0b0cef488b398d6146753d5183008ce7b48bb94
SHA256 f3c1303211f7ce7a8836a1faac4dcbd18daba5e7c654e19b7b77bfa6d03c9839
SHA512 6e7245176788a14fc90ae976406e25fb164ff136f9ba5582cc084a41f4908998d722527703ec00fcea61da40c12677b54a14a57dfc1e94e15e8a0e7e4134bc98

C:\Users\Admin\AppData\Local\Temp\sgUG.exe

MD5 4e565af15e842c1695b5ef52033123f9
SHA1 d1e71815e709fb8fb7190c2d2a48ad14e3150657
SHA256 04e41e7948bea29c27bf198d55b6b774f52a0ffb830c5834900c9e83522a590d
SHA512 54b2cf013fd43247a2a0259ca8d2178493062fe424bbfb26ee950b87042f8b1179dfc1ce93fe366bf09b031ae2712c6f0bda3ee974a0c573d803c626922faedd

C:\Users\Admin\AppData\Local\Temp\QYYg.exe

MD5 a3d8da04fca384762688fd13af4dd71b
SHA1 65f27345f00498d6c1c256d9459d9fde2b28e8ac
SHA256 2bc0d2e8f77bd9e20382953b76010723a4f4c3e053e9b8fb16782d22c5a5d17e
SHA512 bd6ff57a6708c450b1fcbb37c9f18c653295041e37a313063fe71e86b17d9af35f362bc537a9148a2a56590ca6224d2f0b4c1f593e09211cf90198c3f7c7aa10

memory/1016-1988-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUkY.exe

MD5 34e96fdf94de5f02d980cd29817e3ea9
SHA1 bf414c889afc44918ebef8be736619f46724a3b4
SHA256 eda9e6b72614784f69a61ac543aa5fab7149f2202d729929f5180750c8060934
SHA512 3e4df17e4a2b7fa1f3934cbb474b38c8a02db3730aef6356085643f93ca46d0f123e88aa7b999f3e5dab2fa0b008a3f26a68a95ca00a91208d60fc4298ac5e59

C:\Users\Admin\Music\ResumeGroup.jpg.exe

MD5 0be2c27451121851c94b7091fa81a2d1
SHA1 61fa129d5bc40c4f951a3c6361f75c086bcefd50
SHA256 8299d317962c61841e28c0b90880ed6606846abcca50e9c76e2cd5469f5b1b9c
SHA512 e5c36718d7560447e7aaaab2ee475a2ed1ab37dca696444b461e3177ad19a27e0ba33dae2c97e5ff13dd2a11b227acaaa173bb030078b61062bb93d3dfcdd250

C:\Users\Admin\AppData\Local\Temp\iAIY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\EUUG.exe

MD5 8b262abb88a2c1e0c78768a74488771c
SHA1 46c05ebd66e8a29c0eec2385351d584c402cb931
SHA256 fa2a100821dc54650ed5793f78a74861db9f712fa5029b7e4e9c07d284a69d5a
SHA512 e85d52cbbb711ebf6040b2a70aa43b33d5f718fbe636c6135e5a23fdb21683e2fef761e232f8bc008d681e4ff59b24e0b5b2f26e21f5a29723c1093ec63440ea

memory/4784-2035-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2560-2039-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocMg.exe

MD5 8602462db5b0e3ad5c54314af2309ad4
SHA1 ccb3b863a2f0c4582195dc7aa9325fd5d2a5d954
SHA256 eaedf3967bce062d143ca9148aed558648a790b17c762f5560ad36411001dff3
SHA512 fd3d08c261d3286437bbdbba2ed6d5928997aefebc9547e58bec4ff2a0a0bb7729e93ab517ad9fad7a478cc7e2ccb5c82ce8b780be4738081779025ce7106c98

C:\Users\Admin\AppData\Local\Temp\gEIc.exe

MD5 604819e90be32dc5e89e30f6a198bb59
SHA1 2352e0f5d1cf0a88d61d86bddca86a634685b190
SHA256 e71bf37737a340edc9c1175ef4b154bcf67aea1db2114e910e8b26d15ae78181
SHA512 8497800e07b6527e4822bb0a9b39c3b91a6b88d841ec9a1840877c567b283e731dd3cf82d484cc85fb58556e6e0975c3b81193920d1b94c9f5f9f573a6b80016

memory/3908-2073-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YwYS.exe

MD5 2582bd6434c92f8016cff97b26a2365e
SHA1 79ddbf19a58e03953d95ecca0b04a778c48d3979
SHA256 32896bb5f3fd0dfb31125ee845da734a4b30169d86854ecfbe362b22e7c9cd7c
SHA512 bb08cec2b07dec3800742039633e4452a2d33b426ef23c4980d6812fd0b8fc4b63b281a61cdcad2a58ebcd9dd55920ec075bed1da8ff52b00bb4398f5bc27199

memory/3364-2090-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EIgw.exe

MD5 be430a2aebad7e114fa65a6a8492534f
SHA1 501f2156baead857c569cc2b66d7377faaa2d818
SHA256 706b6c325032f39b96f32c4bc1f76771af9fb87bafbd9e33a5b9ce7472e9da09
SHA512 c94535609bf1071c74afd81f22d8e6c3ac7543b06c8d1b682b28a00a804675cc5eb357a9c17ea5032ed859352c07afe24808ae12719737107908347539099e38

C:\Users\Admin\AppData\Local\Temp\ssUC.exe

MD5 b73e3ded5bcd0d19f136f6de7015e01f
SHA1 526bfbd56e67833ead6979457bb5a99c5c4cb64e
SHA256 709da43e453413a9c1b821baafb149d1d62b10d583f78fc0815c3166c49c96e0
SHA512 71323f33d362ba51ca032cd9a9f0b0e46a1f1decd3f525fad579ed46cde3b00407fc726e4218795e48583f6962c6fd8ac2c2e38f6da77ec6a0ead39e37953d04

C:\Users\Admin\AppData\Local\Temp\SEQa.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\WQoo.exe

MD5 c2bf5585c9ded192cca2b10c65032871
SHA1 af45b49166b6e0fc06810096d3ed808fd42bee9c
SHA256 c87fe71482011128a8ea59665a290eac40b20b97301fa42ae31287d60fe1dd3d
SHA512 2b4127214a19c8b1f12647fd56dd792a51c2951cc12d5f00676022a83f0f5b8c75d58b920e555895249ea6aadbdfd5a4d3f9adafa09981b6689127c21f25dd6b

C:\Users\Admin\AppData\Local\Temp\GYog.exe

MD5 33833e574351e172e6c2be3baeaadf94
SHA1 08a9ff6c09aa696dd7d334f6df3b6726a363e6d6
SHA256 8668491afb56151f4a3474c2b18e19d21d640c1bc3dc3a885950414e208d5afa
SHA512 d4c6c656cce8fd5717f5e42ab1477062f01e783aa68b33cebbc710556dd6d1ff508585f67c03a1adae8bd66201711f8f8518fc1f38add6523a9f46c7e3ca2fda

C:\Users\Admin\AppData\Local\Temp\oAsk.exe

MD5 2c9a14e0ae567047da2984dea470601c
SHA1 224ebde030d71810a98f0b917653e130cbe7fab5
SHA256 591a3098746436a5f400d96b3c31120a3e1516770be207a5387825c8e9a284cf
SHA512 8abc30136e491de34f41dd6b948d93aeb338c5d1e53f902145c5a1a385b12c02edce975e1793672f079d064e183321a8a3ddcb8560a124a6f7c4c8f51a2f3794

C:\Users\Admin\AppData\Local\Temp\CEgC.exe

MD5 e627ee0876fe164756faeba45eb7c95a
SHA1 2fa933d1538d2f8cb6867754ab519276c2bc8f16
SHA256 69471bed4a28668f5bf034829603f86720d1fcab84d3ea8960b5c26e69b11d10
SHA512 675c81d62c7e009768b3db61bc38a617cc9570a20158bd02e6b84a9507c52bfd70c2dd73c199330bf22e1e8e7be6da5b265352daf9e1b2b6414fb8e646a4fe27

C:\Users\Admin\AppData\Local\Temp\qkcS.exe

MD5 f07e88451c2e02963c0a007ead2c4595
SHA1 38ba76054edaf6dc5992e22fedc3a033cb2df6e0
SHA256 977db59b524b0aa4c2bea171deb99ef885c9934d3b7eb5f3b9fc2536957bca4f
SHA512 80fe8a2fe4d6885a3738273796f8c812633b66237dc531b0abe7d6235fbe227173dfaf61bc58a59cc500477826b4962b8dcf2b0cb828ceabc70645518216257b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 923a50ba0615b19dbdbbbf569d496e5b
SHA1 b8be0315078a6056fe96e34bc47cfb39c1b09213
SHA256 d9b7f06b37b788d9aa0eb4bdddbe856ea7ac93482783e5b9d7b682ff707c683a
SHA512 8511334d915b0daa8e2fb0405cfe19559aae521cf3eaf9314667e9eeefe61917322fd055cfc1ab8a7009f799db5f55df3747b6b1b68e408bee9c779c2735874f

C:\Users\Admin\AppData\Local\Temp\qkIA.exe

MD5 c3e00b9383ad880c8723a853f18efd28
SHA1 5b7e80930c0bf6d2372ef1ddd66395333a480c3b
SHA256 40bdf4c631ec57fbf63084d1fe65719847bb8d463610c4cbac1744050ec9c32f
SHA512 9bd545f538bb24537901001120a1d6e50b9d972f23f25f8b0923661cb1d3ea2531fb1f2b8fcefb36842f3814484dee1f8a03a1debcdfb4833a464c59fedec7ab

C:\Users\Admin\AppData\Local\Temp\okYO.exe

MD5 2b21ee6cb45389689ff53215675ac023
SHA1 e266e5e18f27c024ea13068766111433b228ea20
SHA256 d43385f5141bfe2a3fec006d6d375b675852174f5becc876f626c6f21fe64dea
SHA512 fea0abc7f8be01b22506db3b713e6c7545819852c320eda9ff1125e4d5e0c0b49eaf84ed12f1a43a3ceb3b71313bf26fe390e183ad3ab3fb73049ab1b2a18c9b

C:\Users\Admin\AppData\Local\Temp\ewEA.exe

MD5 5a98a3d4798eb804572c5b55d91b7bf3
SHA1 de1aa4d6ffc170990b865ec496a4837d381416b2
SHA256 508d704d873be2d755b8936837c43b919e1d778e5f28ec9fc01fe76f39a35fdf
SHA512 87bb67f2bebc318634992b00b516185774e5d02fd0854f2bd2040a5f69b7822ddb879c082ed0adc1c2c1c04e1bf0c56e135be0109c9173690117af6be419d09d

C:\Users\Admin\AppData\Local\Temp\yUcs.exe

MD5 d58b052e75caae93fad57618829a0d9b
SHA1 8b8c2e377701ef0bdc2f6791532913d117f4e933
SHA256 5819e32cf91d838ad2ceb80d32282e0d7bdcce1e34a4b3f9b52454812477d8bd
SHA512 e4cd8b6466bdf96e5bfa0dad8af5490cc434659b2a37b740bcd84adf08c10dca4edd08282cf6f859de688624fcae4ca6a5c03c10701981732984830b84f405b6