Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wjtwyatarc
Target 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
SHA256 8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543

Threat Level: Known bad

The file 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (83) files with added filename extension

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:57

Reported

2024-10-16 18:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\ProgramData\ymAcoQcg\HgswMIoE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" C:\ProgramData\ymAcoQcg\HgswMIoE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XgUoMIwY.exe = "C:\\Users\\Admin\\eoEEoQsU\\XgUoMIwY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\huYAIEQg.exe = "C:\\ProgramData\\eOogQIgM\\huYAIEQg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
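The 64 rows above are the sandbox's view of the three `reg add` commands that appear in the Processes section of this report: `HideFileExt=1` and `Hidden=2` under the user's Explorer\Advanced key, and `EnableLUA=0` under HKLM\...\Policies\System. The first two make Explorer hide extensions and hidden files, which covers dropped files; the third turns UAC off machine-wide, but only takes effect after a reboot and only if the write succeeded (HKLM needs administrative rights; the detonation ran as `Admin`, and the report does not show the reg.exe exit codes). The following is an added example written for this page, not part of the sandbox output: it parses `reg add` command lines the way an EDR command-line rule would and flags exactly these settings. The first three sample lines are copied from the Processes section; the last two are constructed benign lines for contrast. The ATT&CK identifiers in the rule table are the editor's mapping, not the report's.

```python
"""Flag the reg.exe settings this sample pushes, from process command lines.
Added example for this report, not sandbox output; sample lines are the three
reg add commands from the Processes section plus two constructed benign ones."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: first three lines copied from the Processes section
# of this report, last two are benign reg usage for contrast.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir",
    r"C:\Windows\System32\reg.exe add HKCU\Software\Example\App /v Installed /t REG_DWORD /d 1 /f",
]

HIVES = {"hkcu": "HKEY_CURRENT_USER", "hkey_current_user": "HKEY_CURRENT_USER",
         "hklm": "HKEY_LOCAL_MACHINE", "hkey_local_machine": "HKEY_LOCAL_MACHINE",
         "hku": "HKEY_USERS", "hkcr": "HKEY_CLASSES_ROOT"}

# (key below the hive, value name, data that is the bad setting, ATT&CK id, effect)
RULES = [
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", 1,
     "T1564", "Explorer hides file extensions, so dropped files can pass as documents"),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden", 2,
     "T1564.001", "Explorer stops listing hidden files and folders"),
    (r"software\microsoft\windows\currentversion\policies\system", "enablelua", 0,
     "T1548.002", "UAC switched off machine-wide at the next reboot (needs admin to write)"),
]


@dataclass
class RegAdd:
    hive: str
    key: str                    # path under the hive, lower-cased, no leading backslash
    value: Optional[str] = None
    vtype: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


@dataclass
class Finding:
    cmdline: str
    technique: str
    effect: str


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse a 'reg add' command line; None for anything else.
    reg.exe accepts its switches in any order (this sample puts /f first on two
    lines and last on the EnableLUA line), so every token after the key is scanned."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 3:
        return None
    exe = toks[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    hive_raw, _, path = toks[2].partition("\\")
    hive = HIVES.get(hive_raw.lower())
    if hive is None:
        return None
    call = RegAdd(hive, path.strip("\\").lower())
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if sw == "/v" and arg is not None:
            call.value, i = arg, i + 2
        elif sw == "/t" and arg is not None:
            call.vtype, i = arg.upper(), i + 2
        elif sw == "/d" and arg is not None:
            call.data, i = arg, i + 2
        elif sw == "/f":
            call.force, i = True, i + 1
        else:
            i += 1                      # /ve, /reg:32, /s ... are irrelevant here
    return call


def _as_int(data: Optional[str]) -> Optional[int]:
    try:
        return int(data, 0)             # "1", "0x1" and "0" all parse; None/"abc" do not
    except (TypeError, ValueError):
        return None


def scan(cmdlines):
    """Return one Finding per command line that sets a value from RULES to its bad data."""
    findings = []
    for line in cmdlines:
        call = parse_reg_add(line)
        if call is None or call.value is None:
            continue
        for key, name, bad, tid, effect in RULES:
            if call.key == key and call.value.lower() == name and _as_int(call.data) == bad:
                findings.append(Finding(line, tid, effect))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.technique, f.effect, "<-", f.cmdline)
```

Matching on the parsed key/value/data rather than on a substring of the command line is what keeps the rule stable against switch reordering, `HKCU` versus `HKEY_CURRENT_USER`, and a full path to reg.exe; it also means a direct `RegSetValue` call from the sample itself, bypassing reg.exe, is not seen by this rule and needs a registry-event source instead.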

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A
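Two things about the signature tables above are worth stating before reading them as evidence. The `NLS\Language` rows (the sandbox's language-discovery signature) are raised not only by the sample but by reg.exe, cmd.exe and cscript.exe, which read that key during ordinary locale initialisation, so the count says nothing on its own. And the 64 "Modifies registry key" rows are one hit per reg.exe invocation, all from the same three commands. What the tables do give you is the set of images that took part, and which of them ran from user-writable paths. The following is an added example, not sandbox output: it parses this report's flattened table layout (title line, blank line, `Description Indicator Process Target` header, rows) into per-signature, per-image hit counts and lists the images that ran from outside the Windows directory. The excerpt it works on is a constructed cut of the tables above with the row counts reduced; only the Process column is used, so the Target column of the WriteProcessMemory rows is ignored here.

```python
"""Collapse the flattened signature tables into per-signature, per-image hit
counts and list the images that ran from user-writable paths. Added example,
not sandbox output; the excerpt below is a constructed cut of the tables above."""
import re
from collections import Counter

SAMPLE_REPORT = r"""
System Location Discovery: System Language Discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\ymAcoQcg\HgswMIoE.exe
"""

HEADER = "Description Indicator Process Target"
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)   # assumption: Windows on a drive root


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_signatures(text):
    """{signature title: Counter({process image: rows})}. A table is the header line
    plus every following non-blank row; its title is the last non-blank line before it.
    Process is always the second-last column, so the free-text columns do not matter."""
    sigs, title, last, in_table = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            title, in_table = last, True
            sigs.setdefault(title, Counter())
        elif not line:
            in_table = False
        elif in_table:
            cols = line.split()
            if len(cols) >= 3:
                sigs[title][cols[-2]] += 1
        else:
            last = line
    return sigs


def non_system_images(sigs):
    """Images that ran from outside the Windows directory: the sample and what it dropped."""
    return sorted({img for counts in sigs.values() for img in counts if not SYSTEM_DIR.match(img)})


def summary(sigs):
    """One line per signature: title, then 'count x image' pairs, most hits first."""
    return [f"{title}: " + ", ".join(f"{n} x {basename(img)}" for img, n in counts.most_common())
            for title, counts in sigs.items()]


if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE_REPORT)
    print("\n".join(summary(sigs)))
    print("non-system images:", *non_system_images(sigs), sep="\n  ")
```

Run against the full report text, the non-system list is the short set of paths worth pivoting on (the detonated sample under `AppData\Local\Temp`, `C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe`, `C:\ProgramData\ymAcoQcg\HgswMIoE.exe`), while the signature counts mostly reflect how many times reg.exe and cmd.exe were spawned.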

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe
PID 4780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe
PID 4780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe
PID 4780 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\ymAcoQcg\HgswMIoE.exe
PID 4780 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\ymAcoQcg\HgswMIoE.exe
PID 4780 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\ymAcoQcg\HgswMIoE.exe
PID 4780 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4000 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4000 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4780 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4536 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4536 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1384 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2980 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2980 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 1384 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4488 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4488 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3008 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4068 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4068 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 3008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
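Every child in the table above appears three times with the same writer, and the writer is always the parent that started it: these rows are the sandbox recording the writes a parent makes into a process it has just created, not injection into an unrelated process, so the signature fires on any process that spawns children. The value of the table is the lineage it encodes. Read as edges it shows the sample (4780) starting the two dropped executables, reg.exe three times, and cmd.exe, and cmd.exe starting a fresh copy of the sample (1384), which repeats the whole sequence (2980 then 3008, 4068 then 2288); the Processes section shows each of those cmd.exe runs as `cmd.exe /c "...\..._virlock"`, the copy without its `.exe` extension. The following is an added example, not sandbox output: it parses rows in this table's format, collapses the triplicates, rebuilds the tree, and reports the sample-through-cmd.exe-to-sample chains and how many generations deep the sample got. The rows are a constructed sample copied from the table above, with the first edge kept in triplicate as the report has it.

```python
"""Rebuild the process lineage from the 'PID A wrote to memory of B' rows and
pull out the sample's relaunch loop. Added example, not sandbox output."""
import re
from collections import defaultdict

V = r"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
DROP1 = r"C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe"
DROP2 = r"C:\ProgramData\ymAcoQcg\HgswMIoE.exe"

# Constructed sample: (parent pid, child pid, parent image, child image) copied
# from the table above; the first edge is kept in triplicate as the report has it.
_EDGES = [
    (4780, 212, V, DROP1), (4780, 212, V, DROP1), (4780, 212, V, DROP1),
    (4780, 1180, V, DROP2), (4780, 4000, V, CMD), (4000, 1384, CMD, V),
    (4780, 2960, V, REG), (4780, 704, V, REG), (4780, 3572, V, REG),
    (4780, 4536, V, CMD), (4536, 2972, CMD, CSCRIPT),
    (1384, 2980, V, CMD), (2980, 3008, CMD, V),
    (1384, 632, V, REG), (1384, 4320, V, REG), (1384, 1584, V, REG),
    (1384, 4488, V, CMD), (4488, 3096, CMD, CSCRIPT),
    (3008, 4068, V, CMD), (4068, 2288, CMD, V),
    (3008, 3128, V, REG), (3008, 1728, V, REG), (3008, 184, V, REG), (3008, 404, V, CMD),
]
SAMPLE_ROWS = [f"PID {p} wrote to memory of {c} N/A {pi} {ci}" for p, c, pi, ci in _EDGES]

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Return ({child pid: parent pid}, {pid: image}); repeated rows collapse to one edge."""
    parent, image = {}, {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        p, c, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        if parent.get(c, p) != p:
            raise ValueError(f"pid {c} written by two different parents: {parent[c]} and {p}")
        parent[c] = p
        image.setdefault(p, pimg)
        image.setdefault(c, cimg)
    return parent, image


def relaunch_chains(parent, image):
    """X -> cmd.exe -> X triples: a process re-executing its own image through cmd.exe."""
    chains = []
    for child, mid in parent.items():
        gp = parent.get(mid)
        if gp is not None and basename(image[mid]) == "cmd.exe" and image[gp] == image[child]:
            chains.append((gp, mid, child))
    return sorted(chains)


def generations(parent, image, img):
    """For every process running `img`, how many ancestors also ran it (0 = the detonated copy)."""
    out = {}
    for pid, path in image.items():
        if path != img:
            continue
        n, cur = 0, parent.get(pid)
        while cur is not None:
            if image[cur] == img:
                n += 1
            cur = parent.get(cur)
        out[pid] = n
    return out


def render(parent, image) -> str:
    """Indented text tree, one line per process, children in pid order."""
    children = defaultdict(list)
    for c, p in parent.items():
        children[p].append(c)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(p for p in image if p not in parent):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parent, image = parse_rows(SAMPLE_ROWS)
    print(render(parent, image))
    print("relaunch chains:", relaunch_chains(parent, image))
    print("generations of the sample:", generations(parent, image, V))
```

On this data the tree has one root (4780), three relaunch chains, and the sample at generations 0 to 3; a detection built on the same idea would alert on the second generation, since a binary that re-executes its own image through cmd.exe, from a temp directory, with reg.exe children in between, is a pattern no legitimate installer produces. The two-parents check in `parse_rows` is there because a second writer into an existing pid is the case that would actually indicate cross-process injection rather than process creation.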

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe

"C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe"

C:\ProgramData\ymAcoQcg\HgswMIoE.exe

"C:\ProgramData\ymAcoQcg\HgswMIoE.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isYoYwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCQkQkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsoEUEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIYgAIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMUIkowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUMkowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoggcoIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyscYEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoEIkQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOcsgMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncYUMwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqcQYQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQsEYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYQkwwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWEQkwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUsMswsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYMMMckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiYoEcYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaQYccsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmUUwcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoccwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe

"C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe"

C:\ProgramData\eOogQIgM\huYAIEQg.exe

"C:\ProgramData\eOogQIgM\huYAIEQg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3360 -ip 3360

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwgcIYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 224

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaokYMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYwgcowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqMwkoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZocYYIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmgcMQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwMEwEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYcogYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eccAogsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wogMwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQgAIcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGAYEooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIcswwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkwAoYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgYkgYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgkQsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYswMok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rookAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYYcsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEoEYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rywksggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwUYEQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMsgIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiUgsQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGMkAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkgoEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riUoEgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baAkIYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQUAgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCYsosIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGskAook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIsskAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgAkYYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIQAEIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAkQIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuggwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QusccUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koQkIIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwIAcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgsooUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEkYYkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsgwkoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAIQwYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyssocgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIEoIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMMEAcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAoAMYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAQgwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqoAQwgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuYwIoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiksYMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUcscQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aasQUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkIkIAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUIAkoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWwgcUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imssUQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqoscsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osQIUoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYssggwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQoQcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xscYMgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYUsQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMUgooYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCsQUsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGoEEMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgsooUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twcYwkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCkwMsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWQkIQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAMUwkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUAgkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksYUkQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYEkQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\likAkUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmsMQwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv n8HJyDLZFEqacSbMTlIvNA.0.2

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination           Domain                        Proto
BO       200.87.164.69:9999    -                             tcp
US       8.8.8.8:53            google.com                    udp
BO       200.87.164.69:9999    -                             tcp
GB       172.217.169.14:80     google.com                    tcp
GB       172.217.169.14:80     google.com                    tcp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53            103.209.201.84.in-addr.arpa   udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                    udp
US       150.171.27.10:443     g.bing.com                    tcp
US       8.8.8.8:53            10.27.171.150.in-addr.arpa    udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa   udp
BO       200.119.204.12:9999   -                             tcp
BO       200.119.204.12:9999   -                             tcp
US       8.8.8.8:53            197.87.175.4.in-addr.arpa     udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53            98.117.19.2.in-addr.arpa      udp
BO       190.186.45.170:9999   -                             tcp
BO       190.186.45.170:9999   -                             tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp

Files

memory/4780-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe

MD5 96d18beaf092fe13fdc4579f1a89636f
SHA1 3cbb513984cd36d7386889445964c342aea15a6c
SHA256 eff38c97f6dd5b5d222fcc0ecb633eada1b5afd386fa7d6507ddef871750bbd5
SHA512 841a21df415fa075eadc8e62ef8c994f13160858211554d59ad65afeabd8d5d1d5fbf021a9a5841f93fc3e23834aa39808e474de069a067ad645b0ef71d1e5f6

memory/212-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\ymAcoQcg\HgswMIoE.exe

MD5 d29793db63903b1fbf17323719c7bfd6
SHA1 c6eecbc3e9e51bd06097f206b898f01d1969efe3
SHA256 b06b3f3610de98fea7604c5a7d348aa1789c0998ce86432db597457150a557ec
SHA512 94d69d006b50407ec97b2fc444757d5d0b358acb06f2d2b57a4d63dd42f9f03be75f7b8b8e29aa2926e46b88ba9c84d2c55eaf078309c393a7ad9e7f5cccea42

memory/1180-13-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1384-16-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4780-20-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\isYoYwEk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

MD5 d715f659c83f2b95e8a4ce1233822e94
SHA1 c2a5cedfe5e05fa74d17bc6c9665d27823c3650d
SHA256 8a3d3787c7a87042010865e1d0aff07486ed919cecf52b21746ab8c6ec7de94c
SHA512 1afe9f4713af2d2e0a509fcf2e727bc4fec2099291480d2edfa9f4e0853376d690a42d5c7af37232d21f21afa98d5e8ddc6c45fa8f2829e9eb6930792f92dde5

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1384-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3008-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2288-53-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2660-61-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1816-75-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4788-83-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1512-87-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3088-95-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4788-99-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3088-110-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3872-118-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2628-129-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1304-140-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4016-151-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2864-162-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2556-173-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4000-184-0x0000000000400000-0x000000000041F000-memory.dmp

memory/916-192-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1928-196-0x0000000000400000-0x000000000041F000-memory.dmp

memory/916-207-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4492-218-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2620-229-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1856-233-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1856-241-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3008-245-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3360-246-0x0000000000400000-0x000000000041D000-memory.dmp

memory/224-247-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3124-255-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2196-264-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3008-263-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4160-265-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4160-273-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2564-274-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2564-282-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3124-290-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3144-298-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1396-306-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4480-314-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1444-322-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1928-323-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1928-331-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3456-332-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3456-340-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4484-341-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2148-350-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4484-349-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2148-358-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3976-366-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1408-368-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1408-375-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4172-383-0x0000000000400000-0x000000000041F000-memory.dmp

memory/388-391-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3476-399-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4536-408-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4740-407-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4740-416-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3456-424-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4244-432-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1560-440-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2232-441-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2232-449-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2280-457-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5100-465-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1616-473-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1200-481-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1048-489-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYsY.exe

MD5 d829a0ed44710a1654aaab80e574222a
SHA1 be917209d9fed8c4e64550a97d2d4ebbaab94c07
SHA256 6d3d00afb0b0c18e30a64765eb759bc777f6a2b87ef9209a28a083decad77663
SHA512 5f98d97636f815386008a26680a96bc570ea5bf2926f90b81ace3f642e1f738e659c1010487c4c06f29853f9d628d396ed73015e7a21da9bb67a7f411300dc04

memory/4488-513-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5032-512-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Aksq.exe

MD5 7bb78d1ba4b2b7089b1159b71303ac19
SHA1 4443da49b2244b94e4bd91c0badb393f7b86310d
SHA256 b5b57ffd7b27884b0a635d5321da139832b868ca3a377122652e68b7b55ab4ef
SHA512 ecc803338a17cde79f6bc32edffbba99e7f186cbd8f3ff854e9148192e3ea4d448f7cf520272ac3b51456571adf7783ee5dfe998d93f0d09f94cd79d9d64fe45

memory/4488-535-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIy.exe

MD5 11d3b57f0a4d69b66ccdd7ca59dbf7ee
SHA1 b7f5faf204093cb277c3a2d7e3956e0352624de0
SHA256 8c02a8c9d0416b64cf66afbfd3d23f325cdbe7af19b4ab5a526462498669c4ac
SHA512 4d344001338cbea8e181ccb4413bf3d99e3dc24268bfe148e4bf2aa7208fa892529e339e63c2f142a21a8fa480747737e87daec75d22ba8b30d9a2b8ad8a3d02

C:\Users\Admin\AppData\Local\Temp\YsQs.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\yMwM.exe

MD5 64121be64cd190e6dae9aedcc5e87265
SHA1 cd3a01a899482eb67eba80dbf5bb0b4efd0e8b13
SHA256 fd768b61de06bcdc6987937bc38b40654f8f98f789e1bd223a291264b9b01351
SHA512 d9b29bae8600580b35f65a8598f56ca107c882a52e36c6c29ee133c1b285ca5ee6a6441b93ec9bcff3cecbc4956ded6bd9cf0f9a70a7678bf7aabe040eeec3ec

C:\Users\Admin\AppData\Local\Temp\SQom.exe

MD5 3e52b07d4c62b448a407762835197943
SHA1 91c990e454dc5f0937999204acf80825e602ea59
SHA256 ed4b656966d5af8e46370f6a882bbbc17f8bf4cda78f011646af61bb727a8c72
SHA512 187216cdf39424add32b5f5209f6e768e6b918299f34a3b6bf9ee256ccea450323cde38afaffb6ffb3320c2f06d8996aadb8a4036909af469e95a09310c4e361

memory/2180-584-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEgU.exe

MD5 1006f84e5ecd433198836a4f1aed0059
SHA1 fdecd00a51ce2cb0f9a735b26856e1507572be90
SHA256 934634edafb99dcb3cac478cc94aa8164e7b9a3aeeea76dbdf5c32f01ab90e97
SHA512 534bfdbb5e319c758e8131832b1fba4d76a27002c668897680097660b834931e54b99dd6533ca890a5298d39e2b2af7a176a5726d5f7a591072387b43e03ffa1

C:\Users\Admin\AppData\Local\Temp\CkEs.exe

MD5 19bfe06ae94c8ec36ed2ebb2d01d76ad
SHA1 38703a9a7c4a221f7dbe1f1dd1597f517932851a
SHA256 4e93248a2eb70a09ff5de941a3cc271c455b3b38b31b920334738541c4e47d0f
SHA512 0238535599ce518e88823e8f533e3454b0fd2e0b5b4bae0783c9bea6a3cd85334b25f465049767e67bbf08d3c88638441e7760240b8cdebbd9d78eba4b9a844c

C:\Users\Admin\AppData\Local\Temp\mEEu.exe

MD5 f678b9af9f0bd1aee4aff1ce9ea6264e
SHA1 db844066219078f87c0252d6a1a3affff0a38d91
SHA256 ebf5a2b9f53a1d9911c960f0d63e52c05b526b38b7f1650daf2d4ccae5b8534f
SHA512 45df837a2b6e9a5e19059741d950e4b0dd14489a513977591df008e4f0d3cd0ea3753f6ccbbcba89c1852e1c2bf879bee4373b40940dd8e7134e3a5f7afa58f4

memory/1392-634-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIMs.exe

MD5 d287c2b058e9fa71d3078d204476ba2b
SHA1 f3498414b35d9a52b2fcdd563aaf8dfe9e3bf9bb
SHA256 68a1faa8ee9c83ff225c3607715711c814b18a9559caaa1e1ac2b96c14316d60
SHA512 8f3826f9f5d43817f52807be292f0afa01be084f78f827666fe5518cbca5f1ef3eb7d51e1b236637c14e7e91373108d2bdfa29026b15b013cbe7aaff89fd49b6

C:\Users\Admin\AppData\Local\Temp\cUMY.exe

MD5 c01bb208bd912a10fdcddc7f5693f515
SHA1 0ee9868b84ea16e2fc1842f07e6205e443a8ebb2
SHA256 6dcb1da5457eefc5de6c153ef2f86eefb9c753798a758d74a87a510b1fe6d583
SHA512 bed11f193625efee7942cd1e76ed6b9fb43fbe10780e161bbce7ab02e3944d780f7d5e6b286a3fe76100aed36b1ebc07a2c59b43829d589b870c59f617d59ad7

C:\Users\Admin\AppData\Local\Temp\sUIe.exe

MD5 57a5c1f6e694981d300f4888d2c294d5
SHA1 c0a14e446d7b90510d80b4c95896c5fca4aec82c
SHA256 e4f033962ac1ff3053cd04e5812fa911a05cceba2729ae6ecf87c305b7002943
SHA512 c7ff32c3371f1561681709a346ec1f54e8ca228c7568906f46eca44be886d94504cccb303adfd6f99f34986684c170a640e21a71afb8f818bd97ee1a438e0f55

C:\Users\Admin\AppData\Local\Temp\CgEs.exe

MD5 1879dedda3c20886c057eedb54e40f44
SHA1 ff2b28ae3d627e7f1fe58e63f1962366ce863908
SHA256 d095cb7ff29aacb3829004e754e7d202846145d6ac97f318b0b0469c31043a4c
SHA512 2ecc86ea046c9530b553f74fa24744396a947e80f66cc95e1408ddc705088340107ac25ff3e3f5059baa011e3527e5310690fe18396c2a307ef679eda9d1148b

C:\Users\Admin\AppData\Local\Temp\koko.exe

MD5 79c87ee9c52971ed8a360b77a34cadb1
SHA1 6ce06249bd60c0cd7f84c0d37453fb20cf71e7d3
SHA256 0d06a09956c0154f72cbd815f852472d03f15a47278e054919d82dc9c1fa664c
SHA512 bf23fde0f5ef420e33cd2a562833941195aedfea4c9763718d49a2720c92beacaa5e17178f0b0348eb740361a8a2e00fcca9a2fe4d5756c3dc37a5fc53ab8a1a

memory/4128-711-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgYQ.exe

MD5 6478c801156a1f87e1d5cd1df5f154a6
SHA1 73430d0209c1a9bfa1dec4237650a3f9fc804043
SHA256 8d617b65f9038a4a4315ed5eb3c17ee935590e35addf73be2dcb46534a5cf667
SHA512 7c031e8015f635d01c1fe8ef6d1bd056c418e870f9f8a47b756919824d09af8cb53ca88637fb7f331b534a6d465027263cedc3937c8b43d3977b5a422902f758

C:\Users\Admin\AppData\Local\Temp\IEcK.exe

MD5 eb1bdfd86545b25804f44dd6d8d49516
SHA1 3e844257ee740c2352a65605a4a8e35f77310590
SHA256 ff127b66447e18d27a64f2c5a644dbbd82d86023bc5e1368f7df5eb59baf23c7
SHA512 8f9b9dd36ee04cd3dbbd318f8da27333ce42a7cb8d4f4a11d05be9389f0cb958fba7bde36bc0f69898ba9f7b84d7e715b184622780003a71230829e0b45ce68d

C:\Users\Admin\AppData\Local\Temp\mEwm.exe

MD5 c349b28b98768fc00f5a97273daafb54
SHA1 0d0e8c83c0956ba576113b20a991dcba4e3afec0
SHA256 0260a21d80b8d58ac1db3922653e3510d0ad0c1cbbd131becad18ae86142431d
SHA512 b0c25cd3b4e2c14be5efc1a7561e08680d370e52d41ef186914fde640147ae71ca6ea3084cc2c381c0488dcff538e02909879887f280727da0bb8015c8d78323

C:\Users\Admin\AppData\Local\Temp\cEYg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iMcy.exe

MD5 e0877fb3025d26e944b6c2ab0188e0f6
SHA1 dc65e98af5d48bd4a9c43f3f8a936f851b93d3d0
SHA256 a86f21be125ca50e7f9b02ffa158cfe86e5907f13a64913273f8c70408910ec9
SHA512 6fa8822c33c4216f76de9e5c38b0a468f7e5ca3fb05a13bc03126456f6ad2339f3582723eb6d474179986409451e00888ec073228ee0d835c32e267526a3614a

memory/2132-775-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMUi.exe

MD5 e0c651e0638adf65497c87b4e99a9d92
SHA1 cbdbce8053fd13c41a8b68085914c823f0b89985
SHA256 310b586daf524f350a2c950c71a6987040763e29857f90e208f415eac3c6dbdd
SHA512 0a295706a223fa746fee697e84b1cf81f952c09e0c123fd404be5a30423eedd0f505a22d03805a07c83cfccddb8ab7ed00187d91771c5f0f594da422837a0d20

C:\Users\Admin\AppData\Local\Temp\EEkM.exe

MD5 8dc712c919f3f0c377fbd6c0e5f56ec4
SHA1 98fccf0d8c70775f79fc99b1bcc4aee582a14aa6
SHA256 a74b46865f482c1e05a1977c03adb861ed45a601a6de6026e0c29b8f9a83caaf
SHA512 7e09c5a8f1886ae050ceabcfc5bdc284a3fb6abbb9b47c416e265701f78c5dc1cc0b4887512138bfdb3002ffd13b6436f73931122cc42b541c1a7abc5bc2f896

C:\Users\Admin\AppData\Local\Temp\iwoS.exe

MD5 60c5f4002544dee58380cf3fe2f3dd64
SHA1 d1274cf5e1f1e4da4e08466dd795678ef0ddbadb
SHA256 fff0d41d38d54f095b4c36615631722e77d10c945270570f506d6fd1578d833a
SHA512 b84ec3931fd2e4846d820f39014bc84d9587a822c9b26a7c797e1da456f6b2573cb2f3200c49b9229e7b6c63fdf592453bbfd8e09c76eadf97af39374660bc7b

C:\Users\Admin\AppData\Local\Temp\MUYK.exe

MD5 2d493a1bba0b7e8382f707113a45e339
SHA1 8a65d4f2fbe2b1e6dd6da66ac3962da8a5623d51
SHA256 5ab042a480e1a5831ed601cfc5efbb697ecee0bb7b08ee02967017d108174f23
SHA512 52fe7823f76f0d437891520263db9a36baad3e0d1b0f6d607fb74a36f2e5dbb2b0273f8c27833348c9dbbaef4bc0360892f6e2761ceb34425fc382db19005f13

C:\Users\Admin\AppData\Local\Temp\IgkC.exe

MD5 a3ebc0a1e0bff8249464190fa15649e3
SHA1 5c5f50340c950d94c03dcdb894417144a56e4254
SHA256 ed5cf55355530e2dd8e5c1a8a736856f10e5981cf91e641a6fb0c6adf53ccce1
SHA512 57266332a56b25ebab5b4fd498b47972bf5252e19778976e3a6f7556ce3981cc4d0fffe7f5c6f05373585efa606a4450661e05bff6d004f2a8db1cdf29196f07

memory/2148-840-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uoIW.exe

MD5 7a1fef13c14de4251bb2584a66a20f22
SHA1 f64d8301c167297f0b41c509aaf2d754aeb2beba
SHA256 09db67ae4aa8d3d87bd6a4b23a4145b80f4deefb77b16bb4e2dc74d7c10b0e25
SHA512 f23cb9580877cacb41d2d1fc477f0a77cb12e43bc7584760fda39c90f6ed3844e5e5a5267d6564907fe4322bbd529cb3d88f427adede5a0ea0f8e70b85e29da8

C:\Users\Admin\AppData\Local\Temp\WwMg.exe

MD5 b1a14da226605b9badd667277c97edaa
SHA1 e336b110373f57a4a799af1c26a1e2a2983690c1
SHA256 3d5e6daa11e445e4eb9a8cedceaf69e0f537838d224f3c995e13077a0b9554c9
SHA512 76765bbdeb5d59e00c86237d662889e4709bcb7028a52d56e6e556ac85a74553325c451cfdec17b7c96dccc9ea67bf09299709a069a3b2495d045d382c9f9776

C:\Users\Admin\AppData\Local\Temp\mUwk.exe

MD5 08def248f9548534ce8430a5a466caa4
SHA1 c4ed479dbcea13f0e0b791ac834210577a9aa555
SHA256 14ee063d2e1edd7622f6708a4263482bf31a67bd1eb37f51c043cee6545f0cf5
SHA512 65c43b4c8310c48b324bc15ce66f6554fa4226a571874a42525bf01e18f26a7b9a5181efabb0d8e314fdb82565d34b49f71723b99d9b192889c3dea677279950

memory/4492-903-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SIcu.exe

MD5 ef9d53ebeb2e4c2e64dfdfbc7878e8ad
SHA1 88a922001658430a576cad695a64504c9d85eff8
SHA256 f7348a2587d1bb9bde64437f39796bfa28a309476507e592e7194a222a46922c
SHA512 e5ecbf3e56bfc5e8cbd2493cfd746d962b3b1a210e99395588558010a44fe21d7714eac7abbeb5c7e46e11d2986e2d13a039b2a4404e2671395bd8ab13e80374

C:\Users\Admin\AppData\Local\Temp\gQQE.exe

MD5 af654037c329f6219172523dee124349
SHA1 8988becf8979c5a0c0ea9f6fcc9ffd26673907b2
SHA256 80d2f4588ba54c7feed35125352331e0f2bf2734993cdc7118dccbfebf4f8dff
SHA512 341ff88bc7c66b14a7f02097478e93ac90817592535980e778c0f1f0251a16e98b1d4a2f8b20da80bb8b7cec52959459ef33dcdc8f42696c69c87d718b63eaa0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 bf7b05186b2a7df4da6dd0c82f53a8ea
SHA1 381dcaa182846391c0700572c162d91a3f8193ec
SHA256 03a6a4ce4a8eba26eb70a3e46b00cea3d9a4c539e2550407d87d7857e7dc63b8
SHA512 105b62ab0489d461ed033fa2f5f444dbe8aac71b095dcd3c10b27f12332744ed22d6a501537ae63c3e2ae4439235d6bb0ce13154fa882476701033c6a032c3f7

memory/4596-951-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAAU.exe

MD5 3277947b59e7432f356c0e5220ace9fd
SHA1 14f42832678b6ad17773ac5ddddc580d13cc6cb8
SHA256 6f4c99e94771cb9d910252506f2093e1ddc06b9cd2e7b4af869652ecf4957a8b
SHA512 342909b6201ff5617cec1c9b0c505d6c1636126450dd1b26996c4f39c972ce27ef1cae99e93943e6c6ebaea79e1584b5aa5978cb2b185266bcecc4867981dc68

memory/4820-968-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yUkk.exe

MD5 2de37f6cf9b83aa6eaf8b7e8398ff085
SHA1 7751e065055c37caf332acde7e165352eecac0b2
SHA256 b446cfd44bc4bd1ff88e48f1d13e105ea61a43a54921393ac8323bc35bbd5ce9
SHA512 80956f9b2504270057e36e18d98d89322cf2011fca7594b6944365d87e096751d8cfec53cb8fe1754efbecac19602b6885bea1b49a1c3316c9726da59b94fe60

C:\Users\Admin\AppData\Local\Temp\ioQm.exe

MD5 24744b5e2888d391aeaca82b72aa73ad
SHA1 706a908c126589c4a9ddaf66716e7863ba87f81e
SHA256 a045a913c4f66d48d5665e455830bb34af5f55a7249a6a2f22d4f195cfc9b732
SHA512 e0d3b200f87e020f358546fec6c766883c6dc8968b39d4aacd90edad6daf5f3b8e65362f21b51ffc67101030fa8c8974289a398bf15fbc7d609803dcb8ffd279

C:\Users\Admin\AppData\Local\Temp\UoEq.exe

MD5 ca9a5da254bcef41a30c397dac05b79b
SHA1 5ec8859361bd106f14553933769472376bf762eb
SHA256 8ff11a3ce67413cda503e972b3c96eeb7c9eb90f65983bb02c009307bde22a09
SHA512 8bd7f91fc6f07ed7ceef6fc631c27f43e8d4f5a43cd718f18c0c7afcd0d0f210abead04685a02a875bb10dd43c834a9d74d506c406f124a908806d99c21ff8f0

memory/1576-1015-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcgU.exe

MD5 4fd48d45ffc134948b84d3b159401612
SHA1 233f0a7204da7df3194ac8e3e7c9eb462b039011
SHA256 31b49f78b91db28e686f454283f9c90afff29e093feeecd6e9fc2beabb6f2613
SHA512 a1c6214ea840aab662e59578754a3e96ddac2037bcc442df868036a9252b5658e5ee5a448d4a069a1a64e2740e72913ba95761a00655444b50af775e437913c0

memory/4596-1033-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAMU.exe

MD5 b244a208644ca8178905efb715f8bd7a
SHA1 546269966d66540b5eeb04ab6f7a53a8656da3b8
SHA256 79beba8f29c6b6b395fa6e98b10871deee4ed8e2556626d1a0a4a518131e666a
SHA512 26d9bcfbde75d11ae7cec7a26f311c487e05998a9c16954535163ddf604b9a050c720bfa88e7c368d63959e2427682603a630e7ab7667025149f1b2430e73eeb

C:\Users\Admin\AppData\Local\Temp\aIYY.exe

MD5 f795f509b97da0d50812426442f497d2
SHA1 65867f9b93b493e601d785df65e1c7a04a90bc14
SHA256 4a852067b171ae95f32dc262b24b1858d918590f6ffc65c015d7cd0ff495e3be
SHA512 8b563dfec3e42607ade603c7fa1be116eeb60d2b7ef764f06c1f2746287e17985c63df8e51e221e8d60d67d93262183823d23add5378dd8638db21b1fcc2f7f8

memory/1576-1069-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QooW.exe

MD5 7c40abe55e19fc72d27f8ea44d1e3209
SHA1 48eda17743a2f35656bf17ee50b4fd65e5ebad74
SHA256 15ec6d4870d66b02c851acc35c934379cde325937d2de53a84dc80047470c81c
SHA512 f321246e217da91ff662ba9d85a084ada06b78bcf4292497ba756a5ce383c974100d99531aa9fe83782d26f8ee188968b612254eeff77580b2193a8d160cff62

C:\Users\Admin\AppData\Local\Temp\WsUi.exe

MD5 ad09a18feceabfa3f39ec4de3cbe3b55
SHA1 352e6bf2ba64bd9115500514346192ae4ef036d8
SHA256 d2e3beb71f4a666a29e5c6554a76eaffd98815994ffb2c24a42cbcdeb4576369
SHA512 e797ceecbf27a45b371a80297a8f2caee7b56932da7cc80e2880c865ca9e68a9d90f2174e3dad58913c334ddda6c7ed9b57c1627bfb3b7a7a520b5564d9a9732

C:\Users\Admin\AppData\Local\Temp\wwAk.exe

MD5 2b59b4dc6335226ff7d29b498d9a7221
SHA1 3ce951a555127944f63b0350fba1f1fde7f6296b
SHA256 d7d52d01f658946d6f2ffea725a3735e61de861a39b0fe1d9b4f725726e7994e
SHA512 3ecf96fbf592d099caa511e9ccf2c28a7dec033b0b8212a9510f783e8d962b1c3e9f957e8b85393d7d8dafec3ead36e0e2317a8d9c81d2fafd29527a2b53f81e

C:\Users\Admin\AppData\Local\Temp\OgQE.exe

MD5 c8a6656b9dfecaec07305b325f4e5240
SHA1 123cc45d4aa418500e676a10be38fd447eb1ecca
SHA256 f30abe5a6e56b81a2a0809819b858be1f90b4e5ae6b7ac5cb757fdf1f91a53f2
SHA512 d54ddc8e00943cc15c91735862bd2e42f5203c59f4ad1198091681ae665a6aa2b16ab16456051a905c4cdeee4d8e8bbbe33761217d9b94a778c2fe260743425b

memory/3496-1133-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mAca.exe

MD5 792992da8060f1dc9cf69458eaf695e6
SHA1 a1575dc6e518fbf293bb7f6ef3c28f3eb416f2ed
SHA256 174ab4e84fadd0e0b6044726add046d12725fea8701a6bb73acf11d454d288b9
SHA512 62266a2f715b83dc964131da777deb431769b755c6c761cc5a7adc4a117428bc5b98ff0322bd555b3cda522575a66143c7e85b1d7a886b3ea6d6a9334a2b5c96

C:\Users\Admin\AppData\Local\Temp\uMMw.exe

MD5 a994116d470eb5fc8a14d030c8a42452
SHA1 b0249b5e8b1579a7cf1ab08585bc1ac042647b04
SHA256 7b73ab1cc12f17587434e6af7eb3f10e26008952ef333cad63844b1839c369f3
SHA512 cdd32b1cbbfb786102c520eb1e218e18c2fda9914532922ac2e81105fa05ec815a49233324e4811499099c5577442eff7be3db0d4dc46d7116ad9984dd9d5e60

C:\Users\Admin\AppData\Local\Temp\WMMM.exe

MD5 3bd7a396182a36bc2c76d6b6afb224ab
SHA1 d9b0aa591b211f6cd50c2180c472dec4124230af
SHA256 eba912a5d68cb0e63f3d9c65057364a22a045b39a0c714b503616bcd82435b9b
SHA512 532c0879edfbfd193bc7f0a5925bd82cb39006bdb4d84503139b52cf3461d3c31371405c93adbc25519063ecf6a09b26691d262862137fe080d824b736f041bc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 cb842512a4b06f1d71efea7c346ac60c
SHA1 8ea2bb679ce63f0dba4388eb3280b0555fa27af6
SHA256 9cb55387c45241d670bd93fb881c5c3250f802a8f21d0dfb7595888ce296b4bc
SHA512 50a2d104f6baf6b2ad7ac89c883dbf5a03892727f5fe326d4d738c1b2e589990b0fc408b2f474bbc3bca6e1428e5d18f0f43945271972de5845490eb62c7bd60

C:\Users\Admin\AppData\Local\Temp\mwYI.exe

MD5 b25b80fa68f61f9bec0157ac5560dfb2
SHA1 31141b6279fcb9577da9959e8a649133365ceb15
SHA256 e5b0104cada7d1d42e5422674545f97a419ac957eea6765e0e6c47af53122086
SHA512 85832811abb0acfa2864b9fd885eeca054b25150d579c1fd07820d1cf96d9a77ac1a1195d92666aaabeae6a4d54a95ac3c803a360f5625b28e0e676393316d63

memory/3064-1202-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckQe.exe

MD5 8023626fb018514d74b429ac540e57a1
SHA1 afde606aa779d368e87b7887805d125f1a772495
SHA256 72bdfb9e6d1edabe94309f0cea2ecfbd6dc8770a97fc0cb98193c5dba76a590b
SHA512 f66f04de20b90363a60612ec82c083e1164ecc510199257be885f708074eac155d3421241831d24c07470e8af2ec20cc9e191c3973ec17e32ef2350e9473a2fe

C:\Users\Admin\AppData\Local\Temp\ygwQ.exe

MD5 25f793cb099fa7b706b62f6781486a2a
SHA1 df0de93023be894c9ad25b3c12540f4acc2e7cc9
SHA256 23650504205c25cd208efc3d8691fa1f7a32f43e0f7724d0681715d44cfb13df
SHA512 926878a850944502494a61fd3ebf4e1071ca52dc0fd7cdb20d23e7981433ce6373c9cab15fcca425f0a33d7afd95309b4211a2bccc920f4d137a025d9791701a

C:\Users\Admin\AppData\Local\Temp\ogYk.exe

MD5 e7a433cae666ba90562023d6592297a6
SHA1 a8c847fdfdf96aadd3776d9fb958e9ccabf72636
SHA256 560571268cffed57dffc4d1779105445bf95a98006808075c81f6097206683ca
SHA512 4df3d151f1195a829e0c27abb59078011d011b3bdb0d29a15669fc153e6b1b6a85e9fea5de1ecf12e1c58ce0f7c8a75fd9f0c061c8c303f4e59d60447cf52a3c

memory/4412-1275-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YQgQ.exe

MD5 144458c6cbe5b84b2372b01160e836ba
SHA1 6bbdb8097bf608cf0acd08fa7133fe73eb048913
SHA256 415fafe3f97b5c1947d76b5f7ceff5718069b77493127ef26153b20f1cdb4df3
SHA512 a7d78d7f5558744dbb55f872c361b3484ff80ce751029bdb6db1d089ab30d553384307e7b75c1234f29cdb1193d551cec2dba2de46930bc28119ed55afb10a6a

C:\Users\Admin\AppData\Local\Temp\mkok.exe

MD5 97aaaec87d1e9533b8b97acdaeef5a23
SHA1 01ff5533d54b983726b5263de3efc3018e2715d7
SHA256 a621c2c910db563e19172f68fc519f3439e99288bdbc5acb54b16f2b3086cbaf
SHA512 e63b1d17f21c6bd1ef59a2e8ea2fe39f1de97c050fbb3bfde87f7319ad38fddd4f49d0c8b2a0d997feca11d09a3bcdf103f7f744f69af7a7df93c30a2bfdfdda

C:\Users\Admin\AppData\Local\Temp\mksk.exe

MD5 7c1a0d678625f9fbf0f451f997347000
SHA1 ff840d41c1d48519b8dc7f551cd098975c684ea8
SHA256 9ab2f9e1020f0129d153ea8267d2f88d8a85bbd4948e4e4e4985cd9b56a99f35
SHA512 4f4e4441d2a5cf3aa4ddf30fcae7e98e99093c8df5b95e05e04000a0630cfc957a9473cbd3dcc3cf94aefa827f9662479947b8ae07b75eea213722da5835d2d4

C:\Users\Admin\AppData\Local\Temp\GMUc.exe

MD5 a974f0735c5ea55fc34cf318e1697cc8
SHA1 48b6c7a78cfdf24291016cfe6a2dd2085501c2d0
SHA256 0dfbb870bd3d127a2d29b4b4b0025d933f38023bc006e26c95146c84cdfb752d
SHA512 be89e56e6f0ce4d6c7582840a2aa76d230892a1810c2a7efedc0be4f220bf049ce5c552b932e9fcae8d1bdbf0310bdec8af80bad4b814551d4ad13d5f18b53f3

C:\Users\Admin\AppData\Local\Temp\uIwW.exe

MD5 c0db128faf16aa0767646f4eea8cf460
SHA1 0d3ec5f66527d05db209644fca83bdc62686171b
SHA256 0b01c44ed88ef83e67800c7dfd7938892fcc0636cdfeb1069779c7d3bf4bd11a
SHA512 b3dd6e5531d434fc4fbaa5b9f1709173b7fd598ec724ace51ffba9355fb4c31ff2b773a898dfdb0ca8c90a15db04a4f364d8aedb5c6d88d313b9209cb71f3731

memory/4352-1338-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEcs.exe

MD5 afe3445b652e1ce8c73499460af7d610
SHA1 523f2c097df4a44912deedab3de965d53c91a303
SHA256 1d1e268d10b216f1dc948b77d1e3d21cc4187328f992c932d94cd0338150bf0e
SHA512 fceceead40d30c046a27318510ad2b97f353044300e85b33bf6f986b800361d90e0e0f45ad1efa38bf8e4b14a1dc68ba70680fb1204ed00c37b2f08ed485412b

C:\Users\Admin\AppData\Local\Temp\MQoo.exe

MD5 ea55eb91bbf18d7b6a18019bed8425e8
SHA1 85b821b47cd058c776b34394b033a76cc18dea4b
SHA256 25d95b23d206ad08172aa6ec3af465786a837c41b9840b97d1399b61f7b220a4
SHA512 bae16c48cc2c89498aea8886390ecb48a8c5ee60694544d4551db798f240e26b5d52a01807d027bd36d90907ed34af935d5813ab279c97ee7489ec03602a9a2d

C:\Users\Admin\AppData\Local\Temp\GwYc.exe

MD5 dcb925e93659137a1f3fa9ec2134fc38
SHA1 96bdb41bdd03252b3a9193f78776ed576b52c53d
SHA256 103bee6269178fd22335e2f1b3323739d09905a465bd714771d690b4aac99727
SHA512 94fb6eccf1176c8056826e5478bcb5f4fe33867ed030066700ee8ef4fe0e2d4ffb306e6c9252f5b540f52588b2fb29e636b7640fcc899ee7fe0172e5f2db569a

memory/4800-1388-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qskm.exe

MD5 213f873a34bf16940b3adc7ae7649ea4
SHA1 51e9170a9df9567bc89a5f9c0f8b3d5845d98672
SHA256 5524a154bbf2f4ac97652ccb22c8e373954f7a6fc7cfcc28e0b6f73abed30ccd
SHA512 ee8c10ce631aeae1ab25e3be538840d49b8bf73dfc1155b6d1d20ffbfc8f297505b2bfc03c8feb24aa98e880adb42628c2d51853ee839a9119b7dc9937edc06f

C:\Users\Admin\AppData\Local\Temp\AAUY.exe

MD5 a332b7efd722421f8b0c878ceb7c5e04
SHA1 8d5521e25f00006b137b6764c1c5a75ad4fd4687
SHA256 98370984209c29b8e0b25fd46a2724608fc3fef0f01595ce20073c7ec16683ab
SHA512 ec6b0dc5272505814331cf9021712b4f8f9936b6e92622dfedb844e0aad4a410790571a26ba08860dab71fb67a1b0353eedc67493d9d89c5e05c25bd756214a9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 11dbf381d26409ae6668eceedd0361eb
SHA1 f7bdc356ed6395c394c8185094bc81b80ebb724e
SHA256 317de43db0d55cbfe19b472ad8b385a6f4ba8ba77c1139a3ddf5ba356b322007
SHA512 c6ca3f543634f7d02b855c5e68f149027981d053998532d6554e02c1405588fd68d4b93ee43567fe61f1483fcbf749af008c7a3bd6d5417fa3227de136765568

C:\Users\Admin\AppData\Local\Temp\eYoi.exe

MD5 4c23193b733b7204df69104da09997a5
SHA1 96556c15c1de854dff0f54939c3ff9b8cc0eb872
SHA256 3335b1ef04d3deaea5508073acf3e79172eadf94b7860446372f4b1499451a0d
SHA512 0a9c18e332d21b59a2515cb88c0efc15de858377a3c2238cfb3b5f59e1aef329e4ee9fc001d9942425855f8316ae47e105e9b197936bf2fdaf184428af5c101c

C:\Users\Admin\AppData\Local\Temp\AoUY.exe

MD5 3ead6b9810c6f3e40a119c519ced5a5d
SHA1 fcb226a69d27a2c600979ff7944a7cbccff3f495
SHA256 181b237260924e3da1a9aeec2b1b4c028ecdcc97c7795108da6d4292e13604af
SHA512 c4d8c9a6651b6a069530673a6ad628163c20fc65d5e1d8c1181fed131d4d98b8857796ea79bbebca9b5249bf0bf0bea7ba5e3b4f4b06f0cfaef7eae7cda6b7ad

C:\Users\Admin\AppData\Local\Temp\qkwI.exe

MD5 11cc392d0ff43d087279ed8906cfc284
SHA1 6aa6219496892e32f19e9c030f6a90e9f2210d15
SHA256 c2b6235dd530807c0d2d034999dd5169340a08517f389358ba86f44108dc7ecd
SHA512 fde5eb25b81f4ae9f99b7b25374026c906cd99b4ddc56d63ac0f2504fe293ada2d7c7c8138e37e758f2b3225939df32e4a2e8b87d807540a485f3445db8eff78

memory/1184-1480-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iMAk.exe

MD5 74e8a12f7db0c4ee4aa386d38f1a5610
SHA1 16a8a84869fd57fb1c493459db203ad1c3b220ea
SHA256 65baedebae1a2840dcd97a8c620cca46b5d223894027c596befff645db719614
SHA512 97a7a8a07ebd2ac2af88914d07b7035dd6e472141711f06ae2b598cd62bc4a1b6bd9b6f439550401a2ccf1cc3d153029d5028265c41f1d61ae1ec989b1b49717

C:\Users\Admin\AppData\Local\Temp\iscs.exe

MD5 0759a3cdf90b30c1f8f951f4389f60de
SHA1 e21c826b13e58fdd32edc1428b3db73c52b72e30
SHA256 4c7f10f9a9525a36d774b94f900bc2ea73c1e234ec13bf3b070c20efa5549db7
SHA512 f64d6d8ce09d790c268fd5d4ff313240d2fd35becbb4e627beb85b2c09f869c58111a62b5344acaa54d99cf80900c055532067a317699d7543f81bc3f5f14a92

C:\Users\Admin\AppData\Local\Temp\msoi.exe

MD5 445359f86aa6ef53dade0cf4f3c16984
SHA1 0665988419e5cd54a987433adce803cb988941eb
SHA256 4c39236dc87023b092d734201049933c085367b663a5323753027272938eb15f
SHA512 f19fe917c71fafcec2b97ff8f264a785d128f5be99a348c598bd6439ba40c595edd12949d96768d4f3e77d3a5b324520c3a1a6912d06c48b6602d34d97028d35

memory/4924-1529-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUQo.exe

MD5 94c5178c577389b386d3ce9cd5ffc99d
SHA1 0e6200515522252b074373b167e3020aac90f7b0
SHA256 4d706dd9074cf2a9e8ce01f7260334481d31a075ed55e5dc52067be37326125e
SHA512 e51fdd90f073fc52bc4866f19750c41ab2d3eed61ca13884e482e2546d3a14e5225f967983e09b1fce6643a2a01b81d0135f8665c7ac4578c625eaa0dcd8db6a

C:\Users\Admin\AppData\Local\Temp\IYwa.exe

MD5 e9b120e9ef14dac3902acd19c7983df0
SHA1 f88514df5c63e5cf70f0fd6350cba9ac012dbdc9
SHA256 ad9db42eeae0fec9fc3e174b75d77493c2210b8c794f79349a23f1c14ea43f86
SHA512 3b581f897594e8012bb444590b77a8775711a16a9f24703ccc5fc247e924b703aed7811844790cfb1c42bb2e90ad03d42b11239f30336a64010d73fcbfadb42a

C:\Users\Admin\AppData\Local\Temp\agMM.exe

MD5 2959e7c91b101448ee90af88c408099e
SHA1 0638ef2c576dd32f7c97ad24e45ff91aae9f3638
SHA256 6e728e8a2dcccba9cc53d36c071f52373dc7f5f29ac1a6b60dede826e98cad4b
SHA512 77e828b7e794cc75d1f18a006fe6a145d0342589d85597b1108021e9ff73e4203882b8e877c1ed44db73b887f224388d83c1e81706e7dacba24801dae33ae604

C:\Users\Admin\AppData\Local\Temp\OssU.exe

MD5 403d0be6b77633a896cd83b146562139
SHA1 9051d2c2c14839dfa4b335289fc21e057565b846
SHA256 69c9b43858b312372e8127d51051306399416a9d05b4b1af6a569bc1cd218ebd
SHA512 f9b4486b39996c93cf2f1e17136b064b1124b401b2f337610c50d4ae0f3f10ca4b15285f34db98c6218cab8edf235bc2ce8f9c726bd37b6e3c39b6c4e5aa84d3

C:\Users\Admin\AppData\Local\Temp\IIoG.exe

MD5 c29d886121df6c1b45a78abff73916a5
SHA1 a23b99163bcc74c11bc67d2b9e6fcffe4704a91c
SHA256 580422c78ef8f379057c1350bf903799b03a044902cb67aa0feed37740841c8c
SHA512 99a66bd354f6a01287b25a17fac209542069577fc2699ae787475e26825e0eabac2f28a44a7a6e9b76c27ecae77ac7b83c117d7b9e37e3d4d173fa6cc06c771e

C:\Users\Admin\AppData\Local\Temp\YkYw.exe

MD5 5d7cb181b0c2ee8ef1e4e9fadebf0d65
SHA1 ca926f9f7c58ef9bba47dfd16cbef6f8c47e96b6
SHA256 952eca952731e1edec23bb489eb912cf238b65cf036b11a42a1d1e3f4884ca11
SHA512 38180a947b4b4665a7f94c9bea4b3cd57fb97c172f9b096901f080ea6bcb23b0507605a228f7ce390e7ae2daa8b2ce2aaeda3555f634693943a06cadd7b45d05

C:\Users\Admin\AppData\Local\Temp\IAIq.exe

MD5 375a0ea8ebdecf4b6be5239a42ea9ea3
SHA1 1305a67efd9a6b61cf424c5250b44ba92902a3cb
SHA256 1f8e489811997d3b375921241cc7bc140d3b9576f6ccb863bcdf94ead05c6534
SHA512 9a2f0b041de1846c43d0e81904383facffd9bf45c76fdedfb03abf62f77dff9c36cb999803a63d7bc138e733a706d2b6a48dd6dcc93195c032d299fca1ed81c4

memory/1188-1633-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 9b7e2a1b27ba969a4431b1b53bec2a98
SHA1 8d0ada50e94cf8ae20f4323395bc3c641742caec
SHA256 6802f698280735cba706c230a3395d8ff349fd032b7373f6576195293e977715
SHA512 8b67baa37473db53e955f32e46c96d2fe342b84145558dbaa249f53b6f7e4733358924d26292bc2821cb7c89cc8b6718204cc51a97ecc018c0cd9a45bee3bd19

C:\Users\Admin\AppData\Local\Temp\gsIW.exe

MD5 6d1d154a14036dbe49d80470976096fe
SHA1 f6a6f4aa3ef8bae2da7cd83bc5df42a216a5603d
SHA256 7e10e66c833d1717581bea72289f16b8ac4d2758788e4d9ce7c0a2f4fd8cd4bf
SHA512 e275122ba18b67bfbf40e01e643bf3424e2970f8c31f14344aed49e31c4826aba96d852bd6ba3fccab256c5f9de19fa8c89da0d8fa30a9c24b389ff0cd9fb77f

C:\Users\Admin\AppData\Local\Temp\yYcm.exe

MD5 0f9f29db1cd32b648234ba3ef0d0cbb4
SHA1 00dad57dcaf4b57fb380f63f9db073fdb58a78bb
SHA256 9cd73edc81acfac900c480ccff7524bcf367131be597770d59daeeee7734c42e
SHA512 bbb3677586993417b69ca99fa164f15b20998f40f4934c171a3d98cdbed8c2ecee10dcb992989d99d8c1e9ab001609779389bed578d60598e12ce8a441323732

C:\Users\Admin\AppData\Local\Temp\EwAa.exe

MD5 8ee5e863a1d28f542ac5edd9b92b195a
SHA1 a2e00f170bb0be242bb6d50ec3f6f0fc0ce8e259
SHA256 48867736926fe644a1a7135e68deae8f02bf13aab9f6b44e63bbeef3418951ed
SHA512 92a3541b55db0e246e113acdfcd36fb45b349a93c3eaa2737a59173502d33199125ef3ab580b5dd290bedfcf18af6264ffeade54f84d4df53373b2e706a1d841

memory/4824-1697-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUUu.exe

MD5 b98e0f2cc4d575a7327fc372361ebf77
SHA1 2d7656cbfe5562fdf8325a41c19afd923351bc2f
SHA256 1aab1576380fe0f53dd6eff0401850275b4c4555fbc7186a29d7ebda398e11ce
SHA512 dd3a11d041cb42c30746110d37f7f9fa00c77d10a6d5ac121130e333184140fc84f22179706409eee8ff76b39ef445215d84a5048a0d90de38f32db0bb54e4ad

C:\Users\Admin\AppData\Local\Temp\sEoi.exe

MD5 cf56d8d502b6909702452f0911c2a99e
SHA1 398a11e4df0c0c9324eac10352f49a66091f664a
SHA256 d3b050a9570554b57c57f4c9e06c6f5a163fa19ec9011d44d7576af872b2aeac
SHA512 f8fbaa42f7b3b1d3e71aa84b791eba8da7743da58e792cc9e05b627b2f746b34c0424a9ab94d5c701a5bd721abcffc2cb485474e0db33b09f69664100cebcf5d

C:\Users\Admin\AppData\Local\Temp\MwMM.exe

MD5 cabdd5454fd5f621840ab6fdac94efc8
SHA1 5a50bd7aba73581c44d9aada856942db81fa9234
SHA256 f9c1a6d89d8a5da35fdd2792f56e0e54f864210ce3eeb0238c8b4b4007ccd6a7
SHA512 e185d8284e4b3ae4ad85784a21541b788ac2113dc7e7235d93416c42dcc824be000145bc06b6dada0394b632145e21d437e4ab789f1fd3acad6f9415715a2c5e

C:\Users\Admin\AppData\Local\Temp\Wggu.exe

MD5 422edc136c1bee59299698f2cce524c1
SHA1 fc673e2b5cbfca28276242469bd111a76cc892ca
SHA256 0455498d8fd2067e94739601cb46d55eaa9b29f9a462d986fdb0cde5c149a77a
SHA512 c9230ff7721403fab500d51a09af3f40e9b88598699bc5e669d7e05896fc8e46b62b522b56a0ec12e33ab1323edcdf648dcf4ef7dcbe615f446f6ecc6bd70562

memory/3608-1762-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1712-1761-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcMa.exe

MD5 3923753bf2c5823df87ae9d98404de49
SHA1 d5a46304c70334cbf01cdbd8a3f97c7ec7cff265
SHA256 f489c4ec8f4884768b90026f36b0591c34c09c557d0fd48923a7bf076916ee67
SHA512 0d0bdca3b0cc77caedb027e3fa214ef79f0c532d8f462096f7e0230b8c9f8aeec077d1a35d111466d05f57da8c93238a3c383f6aa776bd453ba282097f959d10

C:\Users\Admin\AppData\Local\Temp\QAQY.exe

MD5 31857c9db22606bbcf6d835aa7d9b37f
SHA1 06b3e26b763dc1730612c5585065693c9e2bf276
SHA256 e739c68f15210e34dc1edefceb5be6bb022f46c5e5f7e054db6172f8f53e961e
SHA512 8ae57cf872bdb06dd5b1c19fb384b9ff284e948186d185e41b50fa0cab0acf4c6f597f73a8e48a802207c55933707dd19ee69b5eb08d5b5d6db8f51e220f0b08

C:\Users\Admin\AppData\Local\Temp\MEAM.exe

MD5 6786d641282cc17ebedd8f1216e78949
SHA1 6589a8dd3ccf02ec7f905cd8fcc6cd1316e66dd6
SHA256 a6723cf4b10ca2ba4c9cd83cdda593f5014d326e9ef8f14326a2f28c36c36fcc
SHA512 4896fd61317bca0b9b0eb76bd9dd9fdb085e6e7094800444741233ba0e9fa8575e3d9f2bd88fdb72ce3d42250d791138ef923db3a6b17adf43e08e036eb359e0

C:\Users\Admin\AppData\Local\Temp\IsgC.exe

MD5 032e825092a5658eef4acd9e10dca75f
SHA1 446d47684d1862fbd5d9e561ffd45f02f281b3e7
SHA256 13042110514c26b46a53bc2248a7cf196befabf6e668981f5a215f54171857b4
SHA512 f5852399f4741e1bd4a532f6c90b9e5acd99ae280eb3743d89c16c9e61d80d7392fc3ce7040626f587d233b8eed822b5f3d3aa0b226eeae17f6acedbfe2a8479

C:\Users\Admin\AppData\Local\Temp\WgMq.exe

MD5 687c0d3c1f557cbeb2fe4896594c2d95
SHA1 7e60789f8086feec8001178a77b046900c826582
SHA256 487483fa27e8f65f96a44fc65d6a48e4d6b6cc325043e0b94011c434557a5f8f
SHA512 dc52d5cb5e7793f7240c4f40925659ed9eb4cf32edea1615de1940d531f3c976ce8557fb61f5afdaf35cc98110102030a7d23fd083850bbc0eb95d2f5ab31d5e

C:\Users\Admin\AppData\Local\Temp\gMoi.exe

MD5 54f11525851495d9b758da6852690516
SHA1 f70cec82d1b764eea985deeee95eafeb02147a53
SHA256 a0299a660712215c629704ad4f4d9938069eae8cbf6b9a07c87130416f9ce465
SHA512 b1a0aaa33abc22fb49f0ca4964e1fe6a16cbf8f2d5d946c931a0eb9ebe96058e921e98873ff913901864d2a7c485527a31ea3009ed80a58cf29b5a96ac2fce1e

C:\Users\Admin\AppData\Local\Temp\AoEC.exe

MD5 c81a7d8c42ea17d5a958003c966ffba2
SHA1 ca6c6d275efcfe0e86af56e8f80ea96816396c38
SHA256 a4f1d603b3d44d04cbd693b2e0be36282f3331a7691e384ea6c9e4307a7b3de5
SHA512 7993da62e71f590ba3d58da2653430d8711399725c94c4eda61f6730ec3f842e773ff1335be8e8e72864ed6b66508ebc2d742d59a38badd7577f59bc2482395b

C:\Users\Admin\AppData\Local\Temp\ScMC.exe

MD5 439c7771361771092a39a93d46d2c015
SHA1 bcb62217f14274241357bd2d3ef339291ced6b78
SHA256 072bbbbd6de4996cd20f6938af735c33c075e5ca866f4426b3a3b0f26212577b
SHA512 32b581832e15b54a6dd5d869a5c7d35e684b5f3fb863f12658de3aebba86c3949719dc7e04a86a6bbbab6c4afa79a58160333c5e0df48292e78be4c4fa39158b

C:\Users\Admin\AppData\Local\Temp\Osgw.exe

MD5 339914ce7a03e10a567cc999211a2efa
SHA1 8e93cbc6185a812e3f97912035fa07c13690b442
SHA256 a8856255fa5633b288fbf658573a9a143fc990848a7d0f9ece9c766e8eba08aa
SHA512 c0b08f8ea50f477802297e4a0014d050e3ec83c45656c8ad0d900e6cd5b726a0866beb8f86c94c2dd8b903591508534316e7792e6c3664471eda5dea761610a1

C:\Users\Admin\AppData\Local\Temp\aIwo.exe

MD5 1f3b2dbed546b54279bbc2b7db1d86f3
SHA1 d276a3f880fc905f54e11f6d8fe4851d2a1034d8
SHA256 06f9a6a7f9347fe943c182f959e32e9c0d5926e662d7cfb015312beb759ad035
SHA512 8e90816bbdead6e1a60ee12b5b2d113155deae87b554ec5f83ff04b49de906c357a48be98614a373def43eec463908fa2cb1b2873d4b5637e91453c7fe70ec7a

C:\Users\Admin\AppData\Local\Temp\aQse.exe

MD5 8aaabfea225860cf1d9d5b0c8348601e
SHA1 0ec06c815c4736eef1b0e8eee30bd9747699e3d9
SHA256 24ed91d3b1e21a818f977200d5e78b39e7d319e50c10832475902cb6156816e7
SHA512 df78310648ad6ce4102fca1a6f7ccd08a5c4b9a3a4d1ae092d311623e484326c12cabdea6e059a77b5b89d57dfe7e73da9369ce9a86588900f682871c564defb

C:\Users\Admin\AppData\Local\Temp\wQAw.exe

MD5 d3282b75a707f4127ceb119b4df21548
SHA1 494141fc82fc98e7cf85583ad753c1f51ed8345c
SHA256 75f930efbb70229fd82e0aa4ae3bf23e4f9fc7088d6182ccdaf81c40103b8aa1
SHA512 55aa24607fd2cdfa77b3f8c8959139f8974d259283a27e75e6d4531b306b7d83882729cac85592bd57a0fd7e82b45a11fa8bc0e9e53b2c3a1a21cc5e8861071c

C:\Users\Admin\AppData\Local\Temp\ckIQ.exe

MD5 1333c53ea96d6a0c7599d9207d9dfc50
SHA1 827b957fefc825abbde459229b561e54db3d36bc
SHA256 8a34726e2060b008f7ae494aa8cb299f34b7d988691d77143bc1971884b28d88
SHA512 f1dadcd77441b5835cbca7b96a582ac59d65e634cea30a1d753d94dfedc9b8f0e08d20c5e58534885e5ca5e2d3ad6dcdf3e666cdb7cfdbb21438cb182348c2d4

C:\Users\Admin\AppData\Local\Temp\mcso.exe

MD5 b35f48bcb6b3218ffc0357153ef5c63f
SHA1 23587012ed3bb19c8277fed452150344f910c10a
SHA256 ce189f1340ddcae99773bc182d90ae2e1a221f768bca5d290dcd59b87f8b7076
SHA512 c8f112bffed8dbf7f85bc163c18fe34c19049c343f62958b2d858b153369fbd5c486bfcc362e801d425b7c2c5da1c3ccbe57ad931bb934c43aed03ec9c4eaada

C:\Users\Admin\AppData\Local\Temp\sgsk.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\ckME.exe

MD5 0f0933eefdca593727bf893c42b6e000
SHA1 d44818970f98ed3846267b488f1f51b15b1d8a26
SHA256 64ebe9e3fe1f60e0fbd9c08c71c9c44884cd8a8483025ecc0195b0ba4a074afd
SHA512 134508f2eec237cdacd910d1254ac017f346664d1f51f549e4d496a9dee2cebe8cf186ff9faf94d62a1c8267cb49182b9a550b8e8193ae4401bed454f5a269b3

C:\Users\Admin\Downloads\PushImport.zip.exe

MD5 cffcb20f306a650ef2c94f53391a15b8
SHA1 1a3de7bb6f0248f19b0989731433f7d32a0b9764
SHA256 851f3d77468d4ea4777cc7051d23dd5dd591434387967996e4a6a1fcb933c3f1
SHA512 d012c3f40b5331a3e400da4af470a02dbef9ef875938a1297066ba96af283f5a6718de91f57fbf8158acc1c81f10677171079068ad2128327eec358777cf8c94

C:\Users\Admin\AppData\Local\Temp\IUsq.exe

MD5 2c28a8a1646771679eb4f43a12a056ed
SHA1 44aba6c52c23829ef2464e642ac8afbe1c6b0be1
SHA256 d80bf31fe1a5f4f494e93601eb70a50c56e3575d9cf6f119928352bfea5716a7
SHA512 0349982bdf6954151b0336f4b4aa6300f2620dfbd362468916076adcb1474cdd99b3c67701d24bad88b7e3bd8c92fe6495e77bdd0fb246014afd15169c49493e

C:\Users\Admin\AppData\Local\Temp\mwMa.exe

MD5 fe24230eb2e44dae1eef9717c26caf26
SHA1 c3fb5b939b4e0d998838404157315d1d5bf88731
SHA256 9828ed7b0961ad97a81a0c75b01e1e120e627f90a30bf8f14e43255bd505ef81
SHA512 cfddba2e36eb2379c988a24d914a438d2c53f786b96385e5481699b16340391aa8940e9c0366c7dc0ef8167227ffdc2a60b7d43318db24fe795d56dae6e3023e

C:\Users\Admin\AppData\Local\Temp\KMYY.exe

MD5 495c94468e88be06c96251727d59f6bc
SHA1 35640a58f5b5c09138ca6f72570f305e44744781
SHA256 ea0a16d5026858bb18fbc9071a4dab0000beff3adf7a4c3ddf00d1f9cd64a4ec
SHA512 b009e1afdda9422c686802ca5ded50a489389bcbd44e1b0a232705d2b85a0c86ef1a3873364c4e3b2d72b9500a5acef2e8b133613646d1505c753de9a166e78d

C:\Users\Admin\AppData\Local\Temp\kkEa.exe

MD5 912294423b9b5f9bff44d75c5f7a092f
SHA1 2e1f678f0b135d332c58b4ede1d1da8ddac62d81
SHA256 3eab997379cf7eba3311fcdba5569499cf5d0868da29c1b5328ceadd22521770
SHA512 0b94b939c5526bbdc3a67b9c5dc5f6475602447baf3ac801d756b9b983cac856969267ecbe3ef18b15d77f2cd10eda62d7dace87a60fa11f92739d960e730f5b

C:\Users\Admin\AppData\Local\Temp\gwIu.exe

MD5 9092f8ac65d1983c08b589b4ea64693f
SHA1 4a72e7a492b4b62f6b78f761821391e14269fd2f
SHA256 4ea26bd97d8e056e6e21da58818c13083c1cd02f65f93101a2838e47c001990d
SHA512 619c45f0aabd4743a064405cdf4fa0464c5d7dcfc4643667ef13d1aae338d3f0c2b08dc478e61a573da3bf1b03de4a7eadb545ee8b2b4a287b4dc46088accb97

C:\Users\Admin\AppData\Local\Temp\IYMM.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\QQUe.exe

MD5 9ebaa31a7aa83e9bba03e92fdd63ff89
SHA1 63586d6b1adb06de51f405bd2ff26917f1333082
SHA256 f0bbf72366b499ff4662cef5fa84e81fffa1c96c5e44efbfc31e7539e20254d4
SHA512 576f49c6edded84722952326ebf26afc8835ca32a063cfaaf38c42fe75f455080c832a0410e5ef88e51b3b969748042ef5711ee7d8c3b5021791336f02b90487

C:\Users\Admin\Pictures\WriteJoin.bmp.exe

MD5 dadc2e10849f95261bca65f5f72c45a2
SHA1 5da9185b4fa21db5a5e240e2cd2af4dd9aaa8f70
SHA256 15fa17c8dcc6aac93914011c954b045412420fbaa9b4b540b2d439163bdbbfbe
SHA512 676d3e0860178bca31a9c3afd6354c58a206eec7b82c37783806ea9ddd55edd08c89dab0a03190089fbe2d20b7644e7f9a83fd1bd70cc7ae4f71d656101b3e74

C:\Users\Admin\AppData\Local\Temp\iIww.exe

MD5 ffeecc3d93fbf3ad81a338d4d6c2bdfd
SHA1 ea70b4c6b41225076cf7bcc2a60163be541f3279
SHA256 ecd6ebdac3c707ae8c8a9d2707f1f2787b3202de565c315085a16944ce8a3e8d
SHA512 b84c214776f235ff974bf2d3f1c6f95f6303aa3ce22f191868bb9b69abf963ab4eb5a49d21eb77804965e7bf2edbf7ed6b8643c311dad00aeb4fec73a3edabd1

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 5bf159b87fc9559d1c18f92c9c0b2745
SHA1 09079e13031bf4766c3df1f6825815d88ded3954
SHA256 ca172eb47bbf820df8c4990c6e04ec11e156b9c14b4c7a8fb98b0cbee4eb4a16
SHA512 be8e3ace36d695aca5ce4c5becb79e7558b60b0b990c7f71f5e48d42e2373842bb6ace77e61deb08c9ddc18f0435ada508dbd7f58f87ddeac63108cbf8beb3dc

C:\Users\Admin\AppData\Local\Temp\MEks.exe

MD5 5db673c87ca00d31bee1ef8a8f18214e
SHA1 be10e49006cdc382de4a75bc40577df9e9602e35
SHA256 0916136f50cb18487a097a97011dc4d1c50958b4b548c3c5a59c7d9e6349ce79
SHA512 4d725bcf5e33d812d25ed766195dbbde59cb384efcc9f4770996274b5126b49a8e0b488e0a81fd836832f2d8c2ab938ff613a376120a1646d30af595c49a8c11

C:\Users\Admin\AppData\Local\Temp\ikIY.exe

MD5 c0d17eae374073736d2072d65615c393
SHA1 706a101db76f9ba69d2463603b5c962d8fb10d8e
SHA256 55c24da7110c72a85ce4b3c08fd936b09b8aac78737f3629717880499028d941
SHA512 8e3b29438868a39efc59ad7e1613cc3b0f6d90ee3eeb7431679ef2364d46c7800c7c67eb5cc2704f841bf0fd9bc3a06f3756d83978500f6033e9ee78ce5c76eb

C:\Users\Admin\AppData\Local\Temp\gIIm.exe

MD5 1e8d0ae6f1e82dae555b0158aa7e0338
SHA1 04050c5df641f36880f6560adab419734e4d45a8
SHA256 5df751cf51119c477bab5b4cd58985495d9d8541b18e3162451ef6762f5f4948
SHA512 02566212394ea223db2c45c0be98d9c8f4865f146e94504d7b986c1a393c2cdb6c5f41095b9ab27eadbabd9ed0cfa8af8e31042d55234f8a80795ed87b8d3988

C:\Users\Admin\AppData\Local\Temp\iAsY.exe

MD5 cabc5d8be23ba36f0646e006467dcbc0
SHA1 09fdab9e59bb71556fc3f1f82bd4ebcedadf51d7
SHA256 59d236f7a34f324359a4c7a61c84851c1b96d82f6d5a572290ccc4fb7d597bce
SHA512 824174fa1abc2bcd5a1ab8037c0a075546fe778b723beccef9cdfe8a5a95c68684f646e25c60c212d2f6573319821b3105f777a01cfa75303c07560544ea839c
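The dropped-file list above mixes three kinds of artifact: four-letter random names in %TEMP% (ygwQ.exe, sgsk.ico), user files that now carry an appended .exe (WriteJoin.bmp.exe, PushImport.zip.exe, OneDriveMedTile.scale-150.png.exe) and the reg.exe the sample invokes. The following Python is an added triage helper, not part of the sandbox report or the sample: it buckets paths by name pattern and shows what Explorer would display once HideFileExt is set to 1 (the signature reported below). The sample paths are constructed to mirror entries in the list, the extension set is an assumption, and the Explorer model ignores that only registered extensions are hidden.

```python
import re
from collections import defaultdict

# Constructed sample paths modelled on the dropped-file entries in the report;
# the PNG/ZIP/BMP host files are assumed to have existed before infection.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\ygwQ.exe",
    r"C:\Users\Admin\AppData\Local\Temp\sgsk.ico",
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe",
    r"C:\Users\Admin\Downloads\PushImport.zip.exe",
    r"C:\Users\Admin\Pictures\WriteJoin.bmp.exe",
    r"C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe",
    r"C:\Windows\SysWOW64\reg.exe",
]

# Non-executable extensions a file infector typically wraps. Assumed list;
# extend it to whatever your users actually keep in their profile directories.
HOST_EXTS = {"png", "bmp", "jpg", "jpeg", "gif", "zip", "rar", "7z",
             "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "mp3"}

# <anything>.<inner-ext>.exe, e.g. WriteJoin.bmp.exe
DOUBLE_EXT = re.compile(r"^(?P<stem>.+)\.(?P<inner>[A-Za-z0-9]{1,5})\.exe$", re.IGNORECASE)
# Four-letter random names such as ygwQ.exe / sgsk.ico dropped in %TEMP%
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}\.(exe|ico)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(path: str) -> str:
    """Bucket one dropped-file path by what its name pattern suggests."""
    name = basename(path)
    m = DOUBLE_EXT.match(name)
    if m and m.group("inner").lower() in HOST_EXTS:
        return "wrapped_host_file"   # original user file with .exe appended
    if RANDOM_NAME.match(name) and "\\Temp\\" in path:
        return "temp_dropper"        # freshly written polymorphic copy
    return "other"


def original_name(path: str) -> str:
    """Name the host file had before the infector appended .exe."""
    m = DOUBLE_EXT.match(basename(path))
    return f"{m.group('stem')}.{m.group('inner')}" if m else basename(path)


def displayed_name(path: str, hide_file_ext: bool) -> str:
    """What Explorer shows in the file list. With HideFileExt=1 only the last
    extension is suppressed, so WriteJoin.bmp.exe is listed as WriteJoin.bmp.
    Simplification: real Explorer hides only registered extensions."""
    name = basename(path)
    if hide_file_ext and "." in name:
        return name.rsplit(".", 1)[0]
    return name


def triage(paths):
    """Group paths into buckets; returns {bucket: [paths]}."""
    groups = defaultdict(list)
    for p in paths:
        groups[classify(p)].append(p)
    return dict(groups)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_PATHS).items():
        print(bucket)
        for p in items:
            print("   shown as:", displayed_name(p, hide_file_ext=True), "<-", p)
```

Name patterns are only a first pass: confirm each wrapped file against the MD5/SHA256 values listed above rather than its name, and remember that a hidden extension does not change the file type column or the PE icon, which is why the extension hiding is paired with other deception on the host.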

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:57

Reported

2024-10-16 18:00

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(17 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\ProgramData\cUUgEssc\OKkMcgQc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe N/A
N/A N/A C:\ProgramData\cUUgEssc\OKkMcgQc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" C:\ProgramData\cUUgEssc\OKkMcgQc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GmUAwUEk.exe = "C:\\Users\\Admin\\wyEccUUs\\GmUAwUEk.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tKsQkgIg.exe = "C:\\ProgramData\\niMIAkwI\\tKsQkgIg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
(17 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
(27 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
(15 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
(5 identical entries)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
(64 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\cUUgEssc\OKkMcgQc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\cUUgEssc\OKkMcgQc.exe N/A
(64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe
PID 2068 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\cUUgEssc\OKkMcgQc.exe
PID 2068 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2568 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2568 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2568 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2568 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2568 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe

"C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe"

C:\ProgramData\cUUgEssc\OKkMcgQc.exe

"C:\ProgramData\cUUgEssc\OKkMcgQc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOEoIUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwQoskok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMMssQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkwgEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWAAoUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSYMEYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\wyEccUUs\GmUAwUEk.exe

"C:\Users\Admin\wyEccUUs\GmUAwUEk.exe"

C:\ProgramData\niMIAkwI\tKsQkgIg.exe

"C:\ProgramData\niMIAkwI\tKsQkgIg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQgQEkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUwQQQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqIoIEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCAMgcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\riMgcsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQUAcAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAMkwggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwQkQQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMYQEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMAcYMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUYAYgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQkUcQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAsgEoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoYsYgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSwEsUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKoEEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwgoMUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\puEsgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGEgEkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1996846711-141375339811044930174398698731734652599163216291-1501132218-2101275519"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqwEEkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSAMcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2053657950-1448534598970516641-1138209088-105192762-683915045-6154864681321865949"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCMEUoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCQkIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEkMswMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1970664945172203365-1360865182836622583-176360585114261144191551685855-822967447"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YecoIUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13008743891756097600-5390318832968633181411607919-136582195-676825596-2127271051"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9629197031650094943-493838183-1948921462-1791331270-21775914-826878118-1380777981"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\usIIAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "884682096-20958555178860974439881438195832295462016953569-5363876261574590819"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQAwUwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKkEQQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4031761441973066693-104078386620937374791601692608-404633338-295169065-1136356769"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyMIokMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuwkAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "94573537863438226-59349681892570123019831466281811419700-218349845573230899"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMEoAcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1862436180-1147906114-21193091691434582737357516249173159902610126509171920138070"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-192323560-965764843889334371805349963-2063508565-59204693424792381539394267"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoYAIYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmUgMwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGgMAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIIIcwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-467116351560340240715950109633035181229681578-304537653-960225529-304275672"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-915930821608826712155017176511947111791105401958-1275179935-1976367471106236480"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwcwMgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-459046997-195467274410020794311021775054-1208129185-938445406-1667604457-1039634196"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgEccgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-787719560-696147128-8893582562010303731-519852979729068967-10388016661497601043"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogooggMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-38040671842905814988065591914486079-21082867961577321658-5393020961657447278"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGIwAUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\scQEwcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIscUQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "143587016-1573976677-15585618291601634641-2340653871917293130227763316-1302917272"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11116316752066434658-384022949-18587567441554171520468664384-14449175731532933133"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DccUkwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-179496490-1425839353-99335346317021942681079054892-2687550221408017349-1351655475"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKgAgscM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "121030619613220938821142451374-577458610-829094058-14009962751375558-678477843"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaYsYUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syIEkgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiMgsEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1481956095-1452940822-17040855139037952527804322-1560502345-1545440455-268305970"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "153092679658332779391549044-80818038618561608517894751501166805719348074802"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKcQYEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2804018022079397736-2112918654-125296040415225928781365105016-2001105875-86281749"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\muAsIgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1501868802-1710106219860080367157581046618100200151540479751457004331-983429825"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEkIUQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6871315691517296817-2905749156157955832028070556726372893-6266580981754012355"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vowocooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUEAokgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2133583736-1847363737747665915714534378-7324708761738485168358458713777444624"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "130917765-1513506799-13733257721433897849-1752426908689612579-13368922622094927333"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOkEEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "252779751-13048622521264831518-393003791534594081279921596-1914435466816206470"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "222919241444826355-257771693-212162798970900325-13023159501368094200-1525069601"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSMcwwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgkcsYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-564700513-1322868073566965270-1874123926-19986024511034674912-2039940057-1942985694"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3530780911383777368-1590795649-625495890-216357051151515376119291017991755368822"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\osUQkwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIoIUUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcAcYwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwsYgYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1157214688-118775644765565947199332477414640680825808507861662327277-669445124"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

\Users\Admin\pqIwgAIo\uOQoAUUw.exe

\ProgramData\cUUgEssc\OKkMcgQc.exe

C:\Users\Admin\AppData\Local\Temp\veUwoMQA.bat

C:\Users\Admin\AppData\Local\Temp\jOEoIUYI.bat

C:\Users\Admin\AppData\Local\Temp\file.vbs

C:\Users\Admin\AppData\Local\Temp\PoYgsYEk.bat

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Users\Admin\AppData\Local\Temp\NawYockw.bat

C:\Users\Admin\AppData\Local\Temp\eicksAwI.bat

C:\Users\Admin\AppData\Local\Temp\UMgMwMEA.bat

C:\Users\Admin\AppData\Local\Temp\WeIkMscg.bat

C:\Users\Admin\AppData\Local\Temp\rggsUIks.bat

C:\Users\Admin\AppData\Local\Temp\xEUsAccc.bat

C:\Users\Admin\AppData\Local\Temp\bOkUscgg.bat

C:\Users\Admin\AppData\Local\Temp\tGUsEYEI.bat

C:\Users\Admin\AppData\Local\Temp\qsAkcIss.bat

C:\Users\Admin\AppData\Local\Temp\KicIUsMg.bat

C:\Users\Admin\AppData\Local\Temp\oSwAcIsM.bat

C:\Users\Admin\AppData\Local\Temp\bcMEoEcA.bat

C:\Users\Admin\AppData\Local\Temp\XMYookAA.bat

C:\Users\Admin\AppData\Local\Temp\FCoMAEgA.bat

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

C:\Users\Admin\AppData\Local\Temp\mIUa.exe

C:\Users\Admin\AppData\Local\Temp\lecMMQgE.bat

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

C:\Users\Admin\AppData\Local\Temp\Ygso.ico

C:\Users\Admin\AppData\Local\Temp\oscM.exe

C:\Users\Admin\AppData\Local\Temp\GecYwQss.bat

C:\Users\Admin\AppData\Local\Temp\ckcQ.exe

C:\Users\Admin\AppData\Local\Temp\uIAG.exe

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

C:\Users\Admin\AppData\Local\Temp\wsYy.exe

C:\Users\Admin\AppData\Local\Temp\yoEO.exe

C:\Users\Admin\AppData\Local\Temp\qIkQgMEU.bat

C:\Users\Admin\AppData\Local\Temp\AosE.exe

C:\Users\Admin\AppData\Local\Temp\kQQy.exe

MD5 a9a9ae089d61b5df7a85fdccb4713cde
SHA1 93aa150fb9fbd8589ae69797212c40e7e8450606
SHA256 ceb527aa1ce6fb36e2e679b1922f733e2ac87410beaafe2ffdd6691e7efce09c
SHA512 5770cf80846802a3a2e98d5f51a34d446dc80dff01530d50aacd2561c42e48cc2451474e3b856e9d7d04c9a0cd52a53822ee4b859f402fbdbaef23a55c25f4bc

memory/2468-600-0x00000000001B0000-0x00000000001CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QoAG.exe

MD5 9f11593204d6b47b565be54a13f0bc45
SHA1 6f7fe4c79a1062da9a2c869ac9acc5e8d990086c
SHA256 cf8ae34ebf5f34f487d883efa54890772d1214c13ba9bba0d149f3dd3114e243
SHA512 1dcbb0ed15cffe67c053beecd1744b14eb9a3ae418591b0760a51dca9a307fe6ff72868f889cd7a35c14cfe90b18150cc4dbb5c331c5c068b23584dd4414f5d3

memory/1708-627-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2468-598-0x00000000001B0000-0x00000000001CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMYy.exe

MD5 8a52072d1b696cd2142c359bf4848e53
SHA1 eccf027bea3fd930a8489096587d0f60854011ce
SHA256 bd0bc7cb096755a2e3074f7bddf7bd237d80322d9d6a3a0c62265bf39b0f764b
SHA512 e7164eb6bcf66d68f857930809b6ea88c6f5f1007d43ba8ceffa64ab6279c8ce6a12217a5b653f0d41d4f1efe963b3fb7e8ee8fea4cf84950440a06b6a9425f1

C:\Users\Admin\AppData\Local\Temp\UQEU.exe

MD5 52b16a3381cb113c7910068109a28538
SHA1 97df189f254adeee0528b9b10c2d1e90f56119da
SHA256 b2412c3884f0a610c360acbc0f28f0cc8c996c20e64fbc945d6a4f5b8b25d59a
SHA512 f221c7e03e0cd36c1b7c6b0162e362864b7502041fa09117caafee0ba1e6df9fdf5946390a9ef79539bfec76301ba22d16d0e04f5da925654354e4ab893690b8

C:\Users\Admin\AppData\Local\Temp\QwkkAgYo.bat

MD5 95d84d0118c6f8ef4ce9364e5093f37d
SHA1 5408fe0109d4c2224d0eeba71f7ea6df314388e4
SHA256 f94e123eda663c54604077de21f4b6c852ee87080ec572a7067b99d489152a11
SHA512 82c93c1871d0b256c3af50471e771f15bde3c4e038ede31a6e32369d7959b87ef65e449cab25d98c570b7cb367ccfcfd28c35374602a23b516ccd771985bb196

memory/2120-681-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1564-686-0x0000000000400000-0x000000000041F000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 4628f9fe9717068c8137f3dd0252220f
SHA1 ddd4b6cc3dbd453f2f6e4b3ff5b3387b2b73c7cc
SHA256 3b16cc7f85ec0e430631cc568f404e078a8084609a58f91793522a16d749d396
SHA512 f84f22bbf4dda623f7b074fb2628c707bf93cbd92e22b78d46496ef2725c110e9d930d4d39c2209f685faff4b4973bc9ad5b43b6d2773610be6c71c94340b948

memory/2120-676-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1768-708-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cgwy.exe

MD5 87cebb1d329c38d7bdb9c5eb6cb1cb76
SHA1 a8853bc4260825b00f1c32811010ddccde1d7cbb
SHA256 53de6c7d760b05082b7ae060d96d0e666300e4f9cb2ca75d4ef473b701fa2ad9
SHA512 c89a2021c8301636a9670ec209f22e5d6569b31c9f1b5f86528587b46ce7d8c2b9d006e405fcfbcc3a61704d1d73f4d4c8c5959dd638c7bc00dc81f719c33b31

C:\Users\Admin\AppData\Local\Temp\kYkw.exe

MD5 c5909033cb9d3e734ecd955c63b2b8f8
SHA1 be4467988b734d4dd592ada96bf7ca408e2008af
SHA256 e2d20dd9d450fbcb2fc059b1c24e0fd7adeccf01856d76e297df8ad74b3f047c
SHA512 5883b44c81ba6b029a45bbfe3f6b53d8143bc73f8acb454c67d6ed9c75e4a7f0c01137b38327ee193980a9c3f3c7ce552e535e34ab4c5fa3474e7a7e72638711

C:\Users\Admin\AppData\Local\Temp\SAIW.exe

MD5 06787f0a3bc6b5504f3157e000ef1fea
SHA1 831218fa19aaaabfa9f4479df50581762c14b754
SHA256 e5e2074bfdda553da38bf2cc4b67df8dec7016eba3cfe149eae85ec8843b1077
SHA512 100ead167c7ed3eaa09b561263b37dd1e591637ab79e3506138a539fc93649b5850e1b2a7851ba7cfaf9334da632d0b24132e8d00da3c4a4b5175b80516d00bc

C:\Users\Admin\AppData\Local\Temp\icEC.exe

MD5 d90a57cfa0c58a663469c3c62a7314e1
SHA1 305e5431fec5372bc151d615936dd28645e00c12
SHA256 c344d4b7535a65912795f93cb1118ca1086afd6232140105ac173db54db5860e
SHA512 8668a4a42f65c2482ae0150548e7fe7715f31fb6d007db6babaecb0495539d7d9f4757eda2a3b2fc0520fd5c7b6d573933e360d345d9ff77f80987582f81c3ad

C:\Users\Admin\AppData\Local\Temp\CUQswMQU.bat

MD5 96ad0eff52f2b83562018b303f9d277e
SHA1 a86f481a5e0a887a4a0db9a5b0666637ef7a11d6
SHA256 731c65476c1cebf7d31fd9280d6d6ff3d333fb877e3b0e47f583691380444a1d
SHA512 faa02ac54db8f7f6f240c9d14cdc11e453f2a027c6750c1e79ed4fc84f7849338232f8b2fe0d6a460350451f4ce225a39d4f144dab873dd2b59362cff6121f55

memory/1868-772-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2352-771-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2352-770-0x0000000000160000-0x000000000017F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUQe.exe

MD5 4737b7d3882d96d2c8f84e7c1df76c47
SHA1 0e34920a3a894519ba0b5c5a0eb7cf9315e16125
SHA256 f387b099a47908a9955f7883afb4c1f7747147f9ac79569c1f702d09c740a947
SHA512 325a84c5e0b4866a3fba8d7bf2694396c17560e657248ec6268aa1c876fde4703090cd1f70a6de6fe05d648eea6f50d225610d9da6b8863c38e12064e7e80759

memory/1564-781-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEQS.exe

MD5 d92044b7ae27667424c21d7d3f6648dc
SHA1 7609e4b43c731c49b5edaf7a99e49c82d52a1629
SHA256 7ef34ee12ac180700896c817363614c8a52eac3b1aea09404f65b3c5f91dca19
SHA512 34da9d4129f2b399389874fcbaec3a013acdcc212a9d385543d4e72415b6279baef9f9818b7d7d73c8dab69dcf024bc42c349eb9c8f692e405a96c53e72a3070

C:\Users\Admin\AppData\Local\Temp\yEYe.exe

MD5 7ea144b5fd5674972c3ddb85fdd3af60
SHA1 8272c1c67a5e37e1bddeb81433ef33e8e2c65e0a
SHA256 e20c36a0302bed9b2f79ea9bf1650cee4d10cea38c78cf7f3f145294f8c6d6b5
SHA512 42b0435ab68a01aa8298cd6365e95c05c6a71e12fe2bdc199db36bb54ead130a3f2c8da0fdad39696b6740578901f62ffaa4f48085ca27bd95575937620cceb8

C:\Users\Admin\AppData\Local\Temp\MAAq.exe

MD5 140207ed37d679b488836e015f7461f4
SHA1 4a50d47e1c9c40d85bc905368299984e00f7dfb3
SHA256 88dd6ce01bbf209c51b8c6a2739f5d23e83cde7d576d96bdede6a8382046cbcd
SHA512 9c7bc533cf3ec505757d50ee31c17da820b60dc838662dcb4e10384f787ed81850a8f490c5f258d6c131ba166afc361c531586d88d86b1a92e7b0387ff270b83

C:\Users\Admin\AppData\Local\Temp\uwsYwMUk.bat

MD5 e2b00e216158526a603a986639275ee3
SHA1 559b139c6a7967fea0c0d35fff41cdbd1dfcc020
SHA256 3e6ed1b8f6f83512e49cc4937aa6d4491d2cb6cf775c48204b55fcbd8bb7d75b
SHA512 600cf819efc009406883272affde15896a70691f25c8d87b76889657a0a264dcc11cced4a6f63eb1f7970272e9ad45b9267d883bedf03ed99ed8fe93f9544617

C:\Users\Admin\AppData\Local\Temp\gMwG.exe

MD5 3de0baa593cbe0d292ecae38a5abaccb
SHA1 d943b3a7d9852ed7b399f81a8c3a5eb528f48361
SHA256 b3e15d1da2623c842388a8885493bd23840b936912a9f982fc9ee76e4d12945d
SHA512 d642c6416e44d88fb4bbbabae4465c5136888ee4e83431efd6cdf685fdc94270a219807ff1fc6d93c0666a32d12d65339401b3e7c2f6aa03abc717176b8c54fb

memory/332-845-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-844-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-843-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1868-867-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wggs.exe

MD5 bbadf51d2b0282a2708827715e0e727b
SHA1 0e81c1b8d33d672d51d67ea36875e218bf9ae361
SHA256 0a8706dcc8308971305fe555a3f35eb8efb4972f08bc2a451bdae8ab979077e4
SHA512 8031b812004134f0b2959cedaa9317c8109b1f28aa92a6c0dbeea5c721b87f7c1570a236a67425169bd506daf48f3ad4eee432f1e9106ede78f53c55fea3c1ad

C:\Users\Admin\AppData\Local\Temp\WkUO.exe

MD5 f2fa0ca8bf073485e0592e309879f1a8
SHA1 f011f5418914d54d0c339b6fa61babe691c83f18
SHA256 e4c70c745f4ee1be2f022603c1259c1c24c9d97694284e1a675e15f2eb6836ab
SHA512 7774c6301f1a13ed517356f5d01bea7f95c0a6adcc511ec98eef718b7b0b972f602e703060e76df0477e49451bd49e3494e4b7eac073e0b15111fc93bf03f95b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 520add0cf7d4222ba19d5d454fd4649b
SHA1 c2c0a29a59de78805a886d31887cee2b4afa113e
SHA256 a7e1206c188052429fd6e131a7f7567342dd4b28deca72283044fc93585e8be2
SHA512 0b8e35e1a8ee41013f004fd8058941a3cdc157b14cc222d22c8b90d275209ea0d565793e4d04ffd7829d5a40cbcf56ab9a7932879e856e90951abc2211eaf4f2

C:\Users\Admin\AppData\Local\Temp\hKwwwIcI.bat

MD5 b6993d93b131b8ce25c440e93931ebfb
SHA1 0871d272808d4f0a2938c89c805248a667e6804f
SHA256 1fe6b8f0c654783e60a9aef5f61bae9830b528595dbe200ead6d9afa0eb922b6
SHA512 078851a2b184874ac882f6110c18cff7143a1a8947ff3ea1475447e3ff841fddc3e5f3fc2b69f399e34ba9e033903ed38da3db3beea8f8949ff4feb4c3f952cb

C:\Users\Admin\AppData\Local\Temp\WcUI.exe

MD5 2493347891c8ae3fc52621360fad4e11
SHA1 c9a66ae559046937f0af3d3bc9f5c313812c68f1
SHA256 14e19eb2f91860d494f66aba14e59e58094b01eb1560ae0345c895024b006d1a
SHA512 4de13161e147d30fbdee6f08416846d87f275d218bc8306aae25ff4e7df4d8aefcae09594b0cb75489e50511aed97730b39c73e748b5fc48f4948d31442ba92c

memory/1648-917-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2596-916-0x00000000001E0000-0x00000000001FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IIAi.exe

MD5 ae5314dbd7cd63be50237d5a9c0d49fe
SHA1 1e09a8b81dc565f3281082bf39428d7a307a68a7
SHA256 07271fc7102327135f40f909619d958ac2832cfb5c7fe6ac9a4e2bf379112859
SHA512 0af02dc74d7c16fb7468f7562f72d9b53ad2159da7338e5846883c44b1ebf309b695acd58875d97a0d8d80fa959b34083f5d2caae9d561576e8423d5fe5ff5d1

memory/332-939-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkYM.exe

MD5 9d94b1f35e95381bd982b98feb9617d1
SHA1 d11aabd54ac34c08915b6e884040b29255649227
SHA256 ff3de4b3c6e7544da6473194d41ebcc0cf3bfbeb88af8766ef7511a3ad6f654f
SHA512 b827cd7c1c467c3b55bcfd2c1ad25745bd74b44f30f86a51a08ccc2139415206462e3213573c2309676d8adc914b9809e7d3699114e0263620cbb80a7898e18a

C:\Users\Admin\AppData\Local\Temp\OgAU.exe

MD5 fc097e25b21674e135ab772b6ed7f1f2
SHA1 897d609d098a7db99c74103ffdbf862bb5146636
SHA256 85c0d8e5503c1fbf91552959025d63af0f60d40527a4bb2453246d8f6c7ae479
SHA512 2017f467111c1d76958bfaf63407bcd858768ed48f36ca00f27390c26f3f4ca69e7a8b7fff6d8e5cd532bbc3f7473460377b0d6d6f4afe2f7629f0348fc56bf4

C:\Users\Admin\AppData\Local\Temp\WcAU.exe

MD5 195abb90cdcaec667619f9ca7681b53a
SHA1 3c216e9aa024eac81a1d8ec9194afaeb58535913
SHA256 19a1fb45e9f07790c487c799e071483d5d5411a1ad700fb4dc7750993dabf8d5
SHA512 efd3ab3411540506a0676c2399664f420ffc7085afe1555023cbe16d699a6411237c18d1c9547b59c47c47b4e6d871b825ceb48bf1a7000e3728890c44d14eeb

C:\Users\Admin\AppData\Local\Temp\iwsI.exe

MD5 fe5194a3f852c676ba5bc81ad36c46d9
SHA1 653cd89c5c51e0e4302fb1bf081b2e7f79ef6fe0
SHA256 c1bec6011e29dd9ecb8e373764083a159be8790a049f066eeb199108cbddb677
SHA512 9040df9027f635949eb9454c82db21941d62c5a99d4366852bbcd7542e602c327b0f91c97b2d1590a08885d545fd1e0fd8f9537adcfbb33be83a184fc35cc890

C:\Users\Admin\AppData\Local\Temp\JiEwckYg.bat

MD5 0d28fee892866516b5921f4013ab2ecf
SHA1 ff6c34ed6b813d23f65a7217126c76730623f9c2
SHA256 c93e7549ccbc89ceb800d3012178b4f7485a8069936910d385d7c518acb5ccfb
SHA512 8aa61f6171d187f7e4dbdcad2b77ca7fd81e57c127d916f17993bdf0542189351e78fa4b64f103065de41ec32fbf63e57a61bedbf1cac4e85a0a094257dd0709

C:\Users\Admin\AppData\Local\Temp\Ckwo.exe

MD5 6ca9ecc098f113dc4a4eb896aaff6b52
SHA1 5ba1d102ece69490d9e454baa4fe8bc6aa6e4dc4
SHA256 07b57ea018dc047a314f12cbf38c78ae103d3335163e89b885a917a2e0c25a34
SHA512 a8af533470a5c3ae4dd31eb0ec0bcdda52883891ddf65978443d4f1d9b3fccf9e727a6216ba3a48b977700dffd8e48507b79865d9952df9b16b93bf43dde6468

memory/1952-1015-0x0000000000170000-0x000000000018F000-memory.dmp

memory/1952-1014-0x0000000000170000-0x000000000018F000-memory.dmp

memory/1648-1024-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WYMI.exe

MD5 605451b26cbf874a65bd75fc13c183ab
SHA1 e71a53b269753ec5b086fcf8310db9b716e9f0b6
SHA256 e9459cf0212f9928cac8881d16f1e39a13f1560cca883201399154fdfdf12167
SHA512 81324786865800f8e9dee199dd4933684c5eed1106923d729126c0cb275183d350b420a801e18dfca1f344521162c43b39906b4b0edbf44559bc3fa4dcb0494d

C:\Users\Admin\AppData\Local\Temp\UAEw.exe

MD5 ee2eeb01f23bb4947f8e384c03c5a0d8
SHA1 8462b031927385e3b48f38084a065b8dad699840
SHA256 499b61dae78c51b1f1d6c84ad57f35f7112a3804d683f0b992876eecdc292548
SHA512 9c000ab29d1df2ac843aeec031c6885069a0015a419495e7f9694aaac209272ee14f7a4b2f4840f47d74bce9db9134e0ea1a432941324dae6e4d404939583a4e

C:\Users\Admin\AppData\Local\Temp\EMYC.exe

MD5 8423791de1a6464199f9a403fc5f6f8a
SHA1 0592372eee5671ddcb8da7425d04ad98b58d0fa5
SHA256 13d6c142c2da0181e88d98984a67144c2a787630842e4e1360f8150ee28b286b
SHA512 ea717fa8d906b883e5bb8025dd891059a347729590841a940ae2b7ca5788476c985ae129dff81bdb21cf587ac616c643bcb6cf72ffd890762b437bb0cfbec2e1

C:\Users\Admin\AppData\Local\Temp\VIYMooEQ.bat

MD5 605087256b62299dc19b4f4af1dd52c6
SHA1 7edb38672fa0cbea9a640b20fa09ccc73c18f58c
SHA256 c7989ee52b38c733a35302d4007a9616214949adeb87b4eb8ed5cc715c7d6002
SHA512 2712b364f39516ad909121b837271399aa9de53a9e85a2193f320ce089e3e7877db4307dda50eeed98c9026d5b68d1ff58a4cc971860746703c523400f57d819

C:\Users\Admin\AppData\Local\Temp\WEIA.exe

MD5 2a430481764a064959dafc56d9d2bb94
SHA1 8a70ab72132c19bff500cf9aca587ebc081a933b
SHA256 1dac3ac8c4b2e9e811388afc2dcf5eb69f92a85a3b70f1d07664ea055d3ac312
SHA512 6d597f19fb7ee188cd643cb5df3e907f85ac3a980af783f7eb40a242fb61fb54e3969df1879a16c7e5a7e50f77f980d032e266de5091e9ad8785b495fa1aa84e

memory/2936-1086-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YsIm.exe

MD5 bfa80b02c6fb43d880adcd8b41eb8999
SHA1 3b64b9b6cb4e5e8fb6af91b8672071f7903867a6
SHA256 f453a1ddf73de6eb7f0d2da727fc2eca26c26c85a5f29f4b23c2f986006a84ab
SHA512 adb94fd3fc2691a0a9836b9dffac73cc8f974028c2c8e23a919b0563bd3b5acf52c4f0b7c8f495278f30196993d6fb798b719156e85523432e758267ef1ba220

C:\Users\Admin\AppData\Local\Temp\wYEy.exe

MD5 aeef8a64be5bf039d1ff149ca08d37f2
SHA1 7b8ebe7d3dd25475753a7150fc64cad2e0b0c54a
SHA256 a720a3d1b51d5293a0a059205f2024f64c920e290a89e7035ea69a2e4698e359
SHA512 e7e8ebc8784b3e043374407f5732ac424fbb58b224d0f510b2cc1d6ee1e1603ab34c63bf3a16e8e5d1248d60511d35bd3b6e1d767d0b60783b2776c36a924ca3

C:\Users\Admin\AppData\Local\Temp\kcQs.exe

MD5 65e3f155abab4a1c19483c5698dcafb2
SHA1 0234991a3dd871721b688027d5048ac8635221f4
SHA256 523882d47a98cbfe33eb747887d848456240836fbf2e2ca3f6f11c2f417fa9e6
SHA512 84b0b787abe541f05894435b0a584aa0c3d580e8e67c946cd5e7f2a3f6a8f7c52655aac359c80846df1d078d2a817898d2e036c6dcef00837eafe8d0e01a08f4

C:\Users\Admin\AppData\Local\Temp\jIsYQQcg.bat

MD5 1358b1c2de12a9afd5d7ac9788f79444
SHA1 996087eeffa9b0481c4fd0c6aeedb2cf84aa7296
SHA256 d4fb2aefc0febaaa2b1570aa4549948f33860f003a147896e89cd8659b25bbc5
SHA512 12a49ddb700e72d94b6e70e78b84d4fbc2859028908a508fb7c555ccd9c3bae8a16b8580bfa4dbe9c9a37656a1db4720ccca4860aecb42317b4ef57eaa2540bc

C:\Users\Admin\AppData\Local\Temp\qgQY.exe

MD5 d66e616848826dfbf478b339fe1ae784
SHA1 6772d3513388be4b2857d83167161aed792b79ee
SHA256 a233fbeb386ab126775bcd4280903a4354c1e1280708b1eb9b4d7dfc467d4050
SHA512 82ce5fbd17451cfd2af99f2f4e2be6319e22dd34e7d11470dafb29716267170012b6f66e10d1a07c1f2c81d01b80bf1b99189be59212dc9add4af074e949ef37

C:\Users\Admin\AppData\Local\Temp\AYgQ.exe

MD5 daf819426e2dd6dff012b9bfd191e238
SHA1 ba7824fa686fcb07b6eee15c9e5e2ce2e4222cfa
SHA256 20efeaa54d9d8d2a2c011508b2976faad497c3d64c7856aade40ce6da5e45d9d
SHA512 504b6a1ce5c891a36ce678e9bae31007c3ac9150f2bd892b7a99909606caf068f73d4684b5d894fdaef981f3e22232fbeec9d66a5a0564b80495703f7dc90ccf

C:\Users\Admin\AppData\Local\Temp\Ugoo.exe

MD5 94daddf868981f512e04ac30b65e7da0
SHA1 74f57915961c51634a17797c48238002cb914f11
SHA256 4475ba99e17c346e853d7d06f22f6ab3805bf52ef2c14f7afc26f0de5ffa18fa
SHA512 7253337459983eb51b40827659ef954d483d452ea13af92fd2c213d7b629ae94d749422bd461d75019d133fe92cb1c19e8f303d80a6f9a7528045b901d198c8e

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 717b1e0be1cf6411203ba01ad6f7ed1c
SHA1 6641199595eaa51acef7eac11fed719075fe5df9
SHA256 d53b1d15201070b54857d3ce7e39f327da614ff8f2d572a38c834efc25e789c3
SHA512 94c43ab879359c48750a221adfb05001a8fe20f24661d02c06a6afa5f5bd7815da9a9a6709d57aee1c6a44b1808f589a086addbeea127ef58f9daa3226ad963f

C:\Users\Admin\AppData\Local\Temp\zIoMQUsY.bat

MD5 a47e4a8e9c631e825da3eb386b4ee02a
SHA1 af4f258d1d65acb885a5cf5ac9f523b13ab02b75
SHA256 a2dbfbd26c846066850f64e94b58cedd3ab54872682829ff86384803861dd3e5
SHA512 81c0353978c04dd0e5f7dadbac2699257893141828198a48530e4e108c4ac12cd1613b0e4119b65982413737d8d722c9764020e18d124b7195373197667e2647

C:\Users\Admin\AppData\Local\Temp\EowA.exe

MD5 49d1b256437c7dec98d1f8a3c1e3ad56
SHA1 3d68c8a0dd86b3daf0b785f689d31fc33f94a00a
SHA256 c8ccfeee33222d7be0de5131f17fea59b6a8e1a69ec5e234231832093c72ac39
SHA512 9d814d1502ab5245c7c4d78c8f1eaf3a67da1fba85bdc8632969e62e4abba6ab8ff8c7de4c9eaa3df53b07ea02a689b09a460545245d6814730e51ea533e03c3

C:\Users\Admin\AppData\Local\Temp\iMMq.exe

MD5 4feb24be00178e51eb6c24fa877c014e
SHA1 4b12cdc4eb1197581418b90470811b4eb675b34e
SHA256 602edbb0486e47084969e1a28908f8c545d5f6e5726928363a1dfaa579b5a832
SHA512 a84ba42f3d5fff5437cdca1c0beb36ed84453667477f15a52db910214d3793d7b7bca4ae01038dcbeed00c33b4c04a9fc78e948ed0e3e5831f3e92ed63f250d3

C:\Users\Admin\AppData\Local\Temp\CUwo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\qUIM.exe

MD5 825d0df2ab8bdae6585fdd968455eb89
SHA1 a7271ca509cfde27ad3784841f6b2c996667fdce
SHA256 bfd883ac3179550af98d679ae71cc43c81301159e4a47883931ca69180cf9fb5
SHA512 eab7481b370a4514c580123365486cc0e773bbe4a3dcb91dba6db7a8135f60efe27ea6cff5c1d09cd7c792ccab964ec94970932c70f0210bf92b776ad2d62bb8

C:\Users\Admin\AppData\Local\Temp\KocY.exe

MD5 98b1528b826b5d19d0862ed2c97e89f4
SHA1 8085aca0c4a04f0e44f460cc90fcaa712f53ff61
SHA256 a0c49878c7749801a2e7fe021ddffc0739cf14222818698b1e5b53d18c0d28f0
SHA512 04a13b1408c8c404167ccba4852bcb5d3b8c2c388678107a64fe5a59cf52067cb78df6f657f19465600063763ba601d2ecc658d820b23078dad4a4553b19e258

C:\Users\Admin\AppData\Local\Temp\aAoY.exe

MD5 b467f9d83abf8c0ffef085aba4cc4047
SHA1 8a3db47a7833e754f9be669813f9c3e3c19611d0
SHA256 591aef0ec9a8f5a4ee707426560b1504afc612ed44372addef91c96537534bbd
SHA512 ea9d05eeb138565c3c224d01649978753670150c4b14bb291d52a85480b7944feb000a7493c7cc1cce6ca29e80f56bca45bc3d2621376d42497e507a8765c397

C:\Users\Admin\AppData\Local\Temp\imAkEAwQ.bat

MD5 f2edaaa76e324d2dd42609960fcc674c
SHA1 621071c105dd92447e70bbd5928c525891f4ab0d
SHA256 f6bd4358f97ab5200ad40b95608353b8b360da95d81b22643787a20c57c54284
SHA512 b827191e3d8bff10ebb612710eebce103a76a5a0ddceb5a5061f1d03fb329bc9821e6d71af25311d2b219cb6cb71e827ba7c6859d6bf97f96af6375a405785a3

C:\Users\Admin\AppData\Local\Temp\QEAQ.exe

MD5 7576fafe126c13bd8edb78cf0d176dcb
SHA1 b0aa3cb0f55280811fd5dcea7fc99a08f60bf32a
SHA256 aa8d8d713c429d8aad3abf61fde562b2fa156ffc1d842d122a219f900fa52d3b
SHA512 94c616c82bab22e281bcac0e29bb98dc3af83fd829a4b2e1dd32d4897fe801824c54abc8b49afeb66c22238c8908565cec296caa8c9485245e42517023f05511

C:\Users\Admin\AppData\Local\Temp\gooi.exe

MD5 f86b51c4f66996935e1223dc839e3880
SHA1 b088fb79090303f8ba56e5b492581f3b756ad4e5
SHA256 65bf21d276219cfece8c1c29c0e383ad0ef7ecc973ed4808c7fc4f6ac3339b41
SHA512 dbcc6bf86a0b63a72e5ddb743f277998c27e730d71a38da04a4c8303d9870560231a66175a7b200443cd1f3dd875d188255e1b04676045df137c57790bd0b96c

C:\Users\Admin\AppData\Local\Temp\ikcwIQoY.bat

MD5 a8da8123b2d16091c9b264fd91355083
SHA1 f25764ea816c948c847de3396359ebb5ceaf6e66
SHA256 e52b8399cdef753f011f38b3648bf3f381850516437ba048daacd12287723346
SHA512 aa677958fd063930dfde9fe8de91da97c211804b7172301487dc0fcd4eb54de2ff267c7b62cc46c8bc711c2580ab179dfd294c1d50b9f8d9a71d0eb51e27eb66

C:\Users\Admin\AppData\Local\Temp\IIEi.exe

MD5 22cdc35a82125965b4dcf01fb3f71734
SHA1 ef3f71d8a10bd05fc47e0e6d7a7445b0472d6fad
SHA256 f221ae626104804c8d110f6d02cf04648991aab4d9dedcd5379f46715a5ed867
SHA512 c395d4ba3b3fcda952a0b28a16d6581aa42c6f6568d93001af5af9868eb6da78b83045d1e9f330f4fd30c81645f883ff3873085313aa9112eb3648b0cc5dda83

C:\Users\Admin\AppData\Local\Temp\GIQY.exe

MD5 a562836720637e4d70aa75f31c7a82c7
SHA1 681e1eab94c5b253c0e9018604b73c8587abedcb
SHA256 124b291ec48417e11fcd7de09eb55bad384344112dcb5590d03ca8f21fb7358a
SHA512 7523435298e1b76420eaabc98468fe03e34a285d628df98360a66f1a481a61811ccb4a57751536fdd73f531648e11f76a488cf5413dcb95c5cf2f8289cc69f84

C:\Users\Admin\AppData\Local\Temp\SckK.exe

MD5 16095171e1cd98f5d9389b15952e87f3
SHA1 1f435268bb0e4a6c05bbb8edaccb4ab6e84a793d
SHA256 c10b633aefc60d6ff001c419eefa4de77fb0c9ea67eacc8cea9ad50abdf39815
SHA512 94353f4257326334a4183f7ea0c3756c0e5fc4f7c04837d1783ed854f5ea6350693fbe9889717f41191dcb3ee414c843a1108ec807e85948a13904e7f8411621

C:\Users\Admin\AppData\Local\Temp\KEgs.exe

MD5 fcf47896bea4a1b30e5150d14b23e4d1
SHA1 84f6133b85d811c4eaf8c0b6535c913e5cdbf00a
SHA256 18c8d155a49b940150bb59c4472dd529b7e9296444eaaac6d41a15ce6720410e
SHA512 44bca7475cf2ef826bfb5dc4d14407adc22495ec208412ec85ec46493dfc6bd15832e4ff9947acc9b92ce887932e8f31102e7b1e59ab42ceb8267e8979472af3

C:\Users\Admin\AppData\Local\Temp\SQMM.exe

MD5 4171f951915502dd1e8ed90833134628
SHA1 32d4defd05849682969909508981992c837f614e
SHA256 de95fd07a69413c87baf8155a90cefc2b799fa207697d76b8f0c051c84cef694
SHA512 f68f41a65676276e92502f0023c53556633e87931926d37ad1cc0db38565df49c26c74f760b676a29450a4b2cb9a429911410e60e8b304fff98ec7d961e8f3da

C:\Users\Admin\Documents\PopTest.doc.exe

MD5 17036aa61903b35cc5a9ea0dbb95553e
SHA1 6a635b7fea8e4da11e1e574888d2d3ff5c7ab44f
SHA256 a6a4d81596b85552dcd26f2401f5091a37eb6c4f08a4ed6578275a19b23978e3
SHA512 ecbe47b8268c308b4d1276b6d9128554e8f7c5ab92fd702aa2e550e4aa09591ffae4a7193e1726d6eeff8b3a007d5ac81e1392e0fc470c9887a7ba172576d274

C:\Users\Admin\AppData\Local\Temp\CKowEQMg.bat

MD5 c2652feeb850330db9be44c38d2ce75d
SHA1 a9004b5e457a99f0fb3805a4a3f41d5c086808b9
SHA256 857f59a6399cfa58a527362a8ad502f3dc8e2ca91bf8aac342b6b2b23440754d
SHA512 9ed2c19ec4c65935f3bc313bab98ddc05cc48c7d2dbd905d1f3afd069a1e42ad3a5af63c5e654f21014cc54b4656454dcf5cfc1d3434518b623029f08a63c448

C:\Users\Admin\AppData\Local\Temp\sQAu.exe

MD5 d0df14edb2113be052de4253e7b05e14
SHA1 44c59e5391d4f12f8cab18b4dde8a33061a1066a
SHA256 5d0e46950141fa4ca1e35440152ef7ab2058a22c785c5d5ea5d0e8e32e2b8d04
SHA512 141b3660c13acf9ae557545f7853f1f6b868fb0ac7126354411a77c065354d983cff4f0cbe46627109db6a74033bb51c1213ad0916956ec8603b4a6884bfe4b3

C:\Users\Admin\AppData\Local\Temp\gkYS.exe

MD5 6aca85b44511bbfd0619a9e431355a3f
SHA1 0426d5413a03acdeeb57718fbdc30b789a68ced0
SHA256 72e7d40d8ce8377240e185c7d517a4b70aa5ac75454f778f69bfd9bed9ffdeff
SHA512 91f4f9a79c7662602d74791dbf181b459ebc73358cdad59e35d0927084f3a90ce102fb784025764dbbfb8cc1a8c9bd8893b69f40ab17545f5545cc1b84d00895

C:\Users\Admin\AppData\Local\Temp\uYsS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\kwQO.exe

MD5 d4feb2ffb2cdbbd567b8f6fd88ae4ea6
SHA1 ce4c0a4409ee5e1583798d0c14255d921dfbc599
SHA256 bcecacc09a015c615b01037a0cf9f6c51e0bf42c68e87236e6e6b9de9dfb460f
SHA512 78c2bf99dcf4813fe65d7e4f33286f5e88fffb56f0d05b39d1f15d3ef275d95736c8446f12811879af0a49d83fdd06aedbb9b7f7a268f17abeec0bec9bad0221

C:\Users\Admin\AppData\Local\Temp\QwsokIYA.bat

MD5 b2c798ae83babd9c47c6cfa68251928f
SHA1 2c27ea13ec3b2b90c54061b408de288fd3325435
SHA256 a9d6ec241b674d2acc19334a34ca32de1fb878c1f7bf3514b1f205986a0f2545
SHA512 a0454fa2a53a926720e4bb1bb69c36c6a69611a2d700e2e344c3ac120bb0230940d1ffa006bb15376e176d91fdd906ae0ff95bab20e72c754dcc8d2c1b6146fa

C:\Users\Admin\AppData\Local\Temp\QEIW.exe

MD5 cf39f03f74d6cfd3ef5975cd3a05cdb8
SHA1 8cce912f92e88e372f7be14b3f1adb36eefeda8e
SHA256 efa604767e68ddc810aa71a2428fc15309e6e6a2d9570f09508c294aadec51b5
SHA512 2c1dd204e09de2467d4b78155552c5d05bed7ec78968ea8cab557c6386535bbe9d4476ed6fccb8d1f8bd5c7937a17236028647e95e460384f5a50fd6340578ef

C:\Users\Admin\AppData\Local\Temp\qMMI.exe

MD5 0156b65c18124fada83e291ce8700e53
SHA1 2f2c3840762806ae9f5103f54181f3c6ebf1f093
SHA256 50660c78882aae91dda31c3b6c41135e99fc3ab695f28852f458970d5adc4b86
SHA512 e97c7e0db18ccffea209f2f3026fbaeb1211bdecdf24aa8961fe95f83322dc3a2cbe7b348727360acdf82f63f5cb5f4ffd04ffcfd3c12ce7156f496507537529

C:\Users\Admin\AppData\Local\Temp\owkG.exe

MD5 3eb7114ea028ea2c69938a7c59b9e9e1
SHA1 568a581b9e8b09b0f4261ed4bebed0b6b800c579
SHA256 5b776cc13af99a175832c19b1d194e21215c06d820cb1c6c02e83b9399e0abc2
SHA512 fdd44a70e67c3cd878dfc31cfb403e55acff65687feed86b8f0dad58e047cc4c0ccbc05a8b4530f7bc960c7906a5b01b53227287fb7196b1f304001cbee0f252

C:\Users\Admin\AppData\Local\Temp\mkMs.exe

MD5 95268d892f47618da33bc710fb9a150b
SHA1 99abef97692e4d17e29c8671ca1527f95511e938
SHA256 7abe794abe259bd14734c35da1e2b2c471b5be5b1346dbcd0c20ea6edca38abd
SHA512 87b4db2de4302bcaa11b72854d5f994006d82ba7bc658c9876f00cce5afdf5e98e0f6af119438a230e0ad787ad89db7f17b56bca76ff410884dab84eb55def18

C:\Users\Admin\AppData\Local\Temp\WkEi.exe

MD5 176ad2f4b89c8dc0f2d4e47d5aa645a4
SHA1 8bd116edc086b4ef5a83e55ea0c07225f92caf8e
SHA256 7676a98728f3ae4748a9cb1a46f9eeb413d515df676572de509f910e932437d5
SHA512 b7a7cb23da7ec9fe4a46b42ec014d2f339db271c8ec2b1ff6c211b2b8605ec1831a29a321501f3aadbef1d5a1a207cdb309b15446dd8d099506efd6c17ded84e

C:\Users\Admin\AppData\Local\Temp\Qssq.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\Owki.exe

MD5 071105450e76ffa65b22616e83b14dfc
SHA1 0cd3eed70fc28cd6d99e19bc32063539ebdb962d
SHA256 9a728a336ce01d88ddf1a3a39da5fc13d456f047093079896418daf4fb5484fa
SHA512 135a87e1eef94fbb271d0225d79d52474458e62d5aa895b2f4b9e90edc931bf8f817f4b520a66220dc28b3f032b864e95c8ebcb860ae8e95e55d766c64e58fe8

C:\Users\Admin\AppData\Local\Temp\BmcoUwks.bat

MD5 87a1ac84041abf553472ce8a6c54ecc9
SHA1 732a2745b9ec587470122d9caecde52412e79998
SHA256 6eb4c3c815a7040162fea187a03010dd3ccbf6f8fc9bf09bceaf188b2e961b70
SHA512 bcf607a384d09dc130eaa3e750f5faaee85cf2ea404699532af7c447e87f0cd277b74b8a64beb6382c2065e6163fb2fbd340bf87c2b69f6c07946bcbbe44cb7d

C:\Users\Admin\AppData\Local\Temp\moMK.exe

MD5 b6fad466110edf0474d048496d45386d
SHA1 800516a00ec5084b8eb8dac2746e115299433cb8
SHA256 1435ed85ce7c6229f77045a499972f93f7362704d5cc21ba8b92b6889669dd4f
SHA512 03bef1551239ad64521b9a78f9bdba04a15a9a378a33fa6011df54e1e6866d2b5a2d115677acc9576020ee53ccdc7d8a032d3c84fcbc9c60b657b81da79ee73a

C:\Users\Admin\AppData\Local\Temp\KAow.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\OutRepair.bmp.exe

MD5 c57c87288462ff63361a23188c78dee8
SHA1 ece1693913d35e5c6b948176b7b310d0fef3b724
SHA256 4aa89cff03f8788ca957713573fa50f0c675ff2ed205cae666793cc846685eff
SHA512 e68c2eaf75482011a27069aa34e16832ed32e0408e33bfde25a8b035c06c821d65356e9f9d772141b03515835556ab41815a9d04615081fe89b2f8d9606f2b07

C:\Users\Admin\AppData\Local\Temp\mgII.exe

MD5 192a70dec7c5b53353c2227739c25d43
SHA1 58d3d8e3c4651c0b0c45e9070154f0dd6d75de4a
SHA256 84a040270f2b0701062f5db528f6f8887b913f42338f1a36efdccf2b941e1a85
SHA512 be3cf9ebfe83d7d63752a31ba35d2e15b5ae62a98c3719d3ed5b0856e6d1f6181f4a8501222aaa908d18a5a6454fb7199321480c7c4dd13ccaf318b95e4a9b90

C:\Users\Admin\AppData\Local\Temp\icAM.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\UUwO.exe

MD5 67f9fb8e1f7aad8ee4099a461ee5af46
SHA1 81bd3a57c3a7c22856b6d0c5106d6424f4141855
SHA256 2fc85beee72999edb599f1bb8ac542e01036b165008e15b5204e830112fb7055
SHA512 fe2ea07db5dfaf2da258089c56d637c70437a7af756b851e252c0405dd30f38db6fa067a712c2f55b707a162024cf075674b04d73a4ab45b20f0bc1943e54bbb

C:\Users\Admin\AppData\Local\Temp\PwUAskwA.bat

MD5 6876ca3b3b86577c6eeb793a8165ea2e
SHA1 43cfa26104795c0404ddb9e539992e4a228d3de6
SHA256 9eaf3ec0f0a6527dd652f02ca1da826711b61cdeb74b280eeba50a9bf2ed314c
SHA512 4d59496d7ae41c07f0d3b9bb78ba47a457abb766aea3e308092aaeeecf1b60989c811016559db2e3a80acac0c8cd05e4f7cd9ab1af0795b293b5791cf970b2c0

C:\Users\Admin\AppData\Local\Temp\AwwC.exe

MD5 20d23f597898f0058a4e833ed965e421
SHA1 ac841faf107c2a11a41410235b742fcc3ed0431e
SHA256 d2c01ada70d80b727e829848a1adbd16aca7aa9b287c5c0bea58fb6532d2a9a3
SHA512 cad07337bd597c3dd287cc2265f0e98801f11522aa3272b517a2069d086d3e795edfe8ebad6a736a3ebede22f21d716b639b4576d587232741a35e870451b659

C:\Users\Admin\AppData\Local\Temp\gsoo.exe

MD5 fb8d6e585ab3d045965900037f744194
SHA1 a54b67740bdcde58dd2c09b4be97395eebb1d357
SHA256 e0ce550d8d9133d60cc78e4d910a989e978b5876f6a4e198e04def1e391acbd3
SHA512 b5e4b367b9815fabf8b689ac2e1f29ff068bcfbcbd556771dcd3e0894016c86b3139ab166df192886964ace3930aaf9e956c465c69808f6d1a425c7b954031a2

C:\Users\Admin\AppData\Local\Temp\icUM.exe

MD5 5412c38a80204d3bbb3e26f2b09b4922
SHA1 030316fb8eaba6328312f1be4ca97c60d088f8fb
SHA256 63e0e109c3ca0349685ae346cafdfbc7d885f50844b98fc666fc48bb18cfc476
SHA512 f2f755dfbdbbbb39e6e9531af197dea4ae367a710e05862a1e13f4ced213bd4a1a2879eccf02ffbafbb235c0196d6591cca892d493efe179b3045431bd3b6ac3

C:\Users\Admin\AppData\Local\Temp\LWAwYcAo.bat

MD5 293d8f6a00dc6d4277c4a344c026552d
SHA1 2d1c7b3c71c0b10737cdd8f09eebbc12f280e48d
SHA256 0e41de664da84df03b624b196db26f7836c4860cba0f6f3515b2dd94d6a933ea
SHA512 98092b034b3f7112488724115da4611e4944cbcd3e84046a13e1fd68296d87ce73b22dfb1b84d22411a9897c4de4f5da3e4f43c94c5a9559fe5f6382765c266c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 e97edc20f89660711ccaa5ce1d5a44c3
SHA1 91faaa8f86214a1141d5d828bf6bb0d4d5e66e0a
SHA256 3f30decd1753e3372474fae2da1a1dee406f6ad9b6032efed2f43f4d8926b9cd
SHA512 aa24c3f85edb05b2ac247a6555f9501d800395380816cfcedda16cc8733de7bdb0802e8b2b69025205d1fbf20bce1ab4488c541150e9d81461dcc8ff34037854

C:\Users\Admin\AppData\Local\Temp\okMW.exe

MD5 fcd5b3898cd9c79a8c25eb2feb04e445
SHA1 3a4421186a5df2dad3aa390186a39eb3d98671af
SHA256 453c970b149740d852cd56013ee1494ca118f31011e9e468eaba5295c8101048
SHA512 4d5ec9bb20dc267c6502bce9505c4c8b024708fbd1fbb163bc35fe8fdc05489b1ff862f065cd48a29ce40811406ab9ceacd56fb6968c0d1d531621b482a02fe6

C:\Users\Admin\AppData\Local\Temp\XsIQsgAw.bat

MD5 0726739b7b7f0af275e65c939ad49e11
SHA1 6be2366f61d5b4057611be7ccca8f77956378134
SHA256 e67863ffd94e056e92b6c182a2bc3b2c793e3ba2ad9e92bb8e51dae59cb4ca95
SHA512 b4cd096decd2733df2802ca0487e14b14745004d0b5047e0db9a4ccb4421c564e4237dc3a124c99e8ca98e10b454a50ad0edd4a78b8526f6b1fa08080f4faac3

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 bd5c1c2077a8dd27872ea7155d21b05d
SHA1 9ea460e39c6389c3f95a0b86798d83275dfadb8b
SHA256 c4a1f7ff799889edc40b13481070545a3edaacd2dfccf41ed43246219ba20cb1
SHA512 4df4aa5e479ef8c71f4f9810b7d6f9b0c1e121c5c2f46f91853ece6667ec3ce620c34a24b3868c37052056666fc0a058098a42f1847936f98792e1f02c87a1b6

C:\Users\Admin\AppData\Local\Temp\Ekco.exe

MD5 453d557794718ea08019198292701e15
SHA1 1cafff7dc45e88b5ae74bf0b420fd41bb3b5e2ed
SHA256 20b07ea3db18e078b03b47c94fc00e17d1193f1ee29af8db3d305da7bd2d50a5
SHA512 663d8b9f94db4cf88c7c657e4e393ee0e1bc5542014c54cde2920136fdd9456ab893387909a3a11b27b05235bb8a1af40616ead89168aa084b1e674d77dedb60

C:\Users\Admin\AppData\Local\Temp\ysMs.exe

MD5 930e6d8f6d2dc405572a788419022b1d
SHA1 8b0e7e8ff2b9b5df188c4c20e89f3e57dbd59363
SHA256 a614b9a28dddfe23434bb70271a43315d337dd7f61ac44337d495b4d291ccdb2
SHA512 fd493dfa147a0d947074eb267ac7030f99abf95d2b2058c9057d519e16ac78bede1def92b5d39bb43c86af2a3306060dacd1ceb0de23c4b747aa4f569eed477f

C:\Users\Admin\AppData\Local\Temp\CkYa.exe

MD5 61673a48db897a801b26af129a97a07f
SHA1 7233c13b1119ea3af01a32580e9f3c4bcc8d4e91
SHA256 962835a6963d16c4ef4e9c54b78ac3ab44829986648da61ee980ff769eb14db5
SHA512 8229c3b79d751185e29104948491924dc65d2b8ee3e15ef47dcb168d211685f1b8eccd8a21a0b4e9c3fcb925c76afcbef198f4eed26ca78f43671bf3205f32be

C:\Users\Admin\AppData\Local\Temp\QowkoUIk.bat

MD5 b8027f4f1c6db5f4763a27bb85845dff
SHA1 443bd0dc251d448e948990cdd0075638b6dd21fb
SHA256 cb9da55ef49bf11efe2b78cad0229abae8188f30d23c11b60d29460612043cee
SHA512 2e3ebc0a83e67c4d34897c59472f49c924a9144605bc4c05f3d2941fb755bd66ae5e678f39b38e7d8983601e5345305cb13777f1dd1f0ecd1b7e8c879214cd7f

C:\Users\Admin\AppData\Local\Temp\SMUe.exe

MD5 67d1bf1245e3149d9bf0c9d40099d6f5
SHA1 e25f1deb44dd6d235f3efdd51d742184a06be695
SHA256 280fbe48172b07e1a6acd18c586879916e1dfb795341e688b48f96c02f01bcd3
SHA512 84924e683f7a9cba8e8f6dbbeb75512ba22f26cf5585efda9a586329fd4ec99bf57ad70c67d792cf2b0aefa8031cba7f012a7414dc1a0b7d81b307fd6e069e51

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 45b0b4391462147e94dcba8d2ebbcacc
SHA1 e6359c412fc72c2c50e37edaac1fee9931506500
SHA256 ecd03f950d22e893a14318e78752a738b568eae13ab126d255ee258905305773
SHA512 72edf8d1d62bb6bb2b691490432c93a17de48cf3a8295aa228d14b6c749b91d0efa6b2017842694b0ac7aa15571ae8fad50cd7496f567ee061b8c846a87987b1

C:\Users\Admin\AppData\Local\Temp\yCoMscIc.bat

MD5 a2c479e148fb7ce4d2124ab51bdd55db
SHA1 0a2246c1826f026c4e3389de64a9132e93ac969d
SHA256 f2cad291a8148ee08a0f12fe2a727ebac06f1a5a01288522abb3400f4887c27c
SHA512 e5a74ee347688b2179c6a94215205e50c94e85a02651b90e3207b9a96ca1f2401cd97666aa2089dffb9d842839f34dcdf8b0efdac6fc90056114129a3cc0d4b4

C:\Users\Admin\AppData\Local\Temp\GAIk.exe

MD5 f1896b47c1aa77da76d18ab7c80c632a
SHA1 94312737a8ea7cef71e58731e5fe4249d6b941fb
SHA256 2993ecffd847206c6e326250c798335d11b58a4b03337920fc49f965983ae127
SHA512 00243ab74566b9365fd0147df3958d0ac6edd326eadfcabc79799f48c241a5d16d62f865bc362f6731e5bc13ad3528ab0863aa1b9ed37db31da57058d5de73d9

C:\Users\Admin\AppData\Local\Temp\iMMK.exe

MD5 3072414107a5b1a8c4bf1a85b6acdadd
SHA1 c07a3580ed206e8f8be284786d7295cdf71b5510
SHA256 003be6bd1c4e954d40fbe3b16232bb8494f78612f4182b36308bfe8ec61fce54
SHA512 09b7cc408b48e7284a88246229c534121641472f5a6aa9ad39846332df29ad4c242a37d864cb7a231b01f6b1caaa906fef5cd1d82cd0f6ec21db59adffdc0e18

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 0e125a59d3f15b0ed03def688d7ac703
SHA1 f994a69b58a6195a5d969c330793f350baa4c2e7
SHA256 8fd6a599e21e2d84ab3e2747a419314b663a89c548407345b743e077fba70d74
SHA512 535e92a9827b8dcb6bcf7d344bc5e5ed6a2c1a357196e1b84e62aad7dc6f7c1949c4d7d163bf8feb35e72ff25fa3593775033bcabc604e30b33eeacf74d1030d

C:\Users\Admin\AppData\Local\Temp\IEMkYIcA.bat

MD5 38c3863c817a2a7810922ae8e7cd0f7f
SHA1 f6b570fc602b14c584863d2b9c16be62bc9b6088
SHA256 6daf7b8cd6f4eb05d8f3889170ef2bdc26d5b842dae90f1a499a47f9337a9a72
SHA512 faad3251f5ae1f08572de3875e7d075bdeb25a44fef066e7f4aab3a9c0b45d489001fbec36525fff5c9c92a8d8d70bd956724214e795b7a726c6dc7ec4c7785e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 09c922bfee0489b519fbd528159d75a8
SHA1 61a1d7186194233ae64b4156c4cc9b76eadf044e
SHA256 32cabd34cbcf15f2899b174b3cbc39476bbcab03194d99d20d18e741644948c2
SHA512 5de8e396ad3ccae099aacb6c73b223d5bc10791c92688190b04b584dd5ec2aa2837cf88f7606ae21f542f9bcfd4bb3dc7143c0342bdc2673de854e8dccc1b172

C:\Users\Admin\AppData\Local\Temp\mkMK.exe

MD5 fed7495dfba31af6a42f01de9c194f12
SHA1 2f59255ec9b574914e0492321ffd74437358d162
SHA256 c2ad0c1f6b85220867b60875c2d6eedfa5086c5ad1b4ecfa7e74ddd94ce5b042
SHA512 0410aaaf7add2a3cab1c5bd8fe1fc8a350964d67fb794ddf42e5d9abc26b681b94baf9496e1ed8a5d0270ac21fe28fd48d05b259eae564437dcda2dbd6dcb287

C:\Users\Admin\AppData\Local\Temp\kocy.exe

MD5 5cd703f48e980ee8d24dc2df0d75e61a
SHA1 febf97393ae2eb752ca693ddb30fd76c081e4000
SHA256 8f66f0f90d0d14701c2829595ea96909fa481a8bccb9f104581438a013ef50e8
SHA512 6e8d0785479e7dec020799be1b2ed33c102b06197113642f922f5bd065fffcae8e67b8db43da6a7f2a876ee1468457fe4ba74d6254fd752428818019cb1ba4f0

C:\Users\Admin\AppData\Local\Temp\nessYkcM.bat

MD5 a3f5d7f40bf13b73bdf1ec9d79a4f9db
SHA1 331c5bcd64a90e9335b64fdba21e0cf7a41a9ba1
SHA256 162588cda49aad71425930d7b633f7c7d61885a1b2e59536560f59b70a9b1d3a
SHA512 59c320aade468316fb4fdcc9ffe8a60566549f4b1371708b42909a128dfcbea67486f5e35470f10efd613ff1f4bff38a9498212414a0c80c75b35b9119836360

C:\Users\Admin\AppData\Local\Temp\IYEC.exe

MD5 a3a84971992f30e79d7709642a087996
SHA1 cb336a8ed871e044e9217112b4f750ce8c99b3e2
SHA256 1f910fa060b333bea7b6b2b35efb774f3d3b9d64f5d0f16c4589ace77a678d3d
SHA512 0deae61a62252d483af08a2b6bcbdb920a2850254019160ea8dfbdfcc9fa2d8a9a0a3bbb4c8a21c7d2f7c3e4e18005d86c96eefc21734cffd468f19c655a71a1

C:\Users\Admin\AppData\Local\Temp\SMwU.exe

MD5 ee9b3a4eff9cb28bb476ae9278cf1789
SHA1 e3e21f5b9227bafee78780ebd7078a46531af65b
SHA256 48cf61ba513103d735fcf01048aac08d3534dae016cc49f3e64de5fd5781ea0c
SHA512 8c2e7d9f4fa3f4b39e21e4ad5a99508d1e0d2bef7e2f56f2f1416df77e6be8fd7ac89232c18e25ad8c4026a8de744cd595c1cfc49b7106ab0f2134e53314b473

C:\Users\Admin\AppData\Local\Temp\neQccIAk.bat

MD5 31326fbd47177b185a4c426fd05a1468
SHA1 b8706e0d2e1b021d178c7bdd36d81a6802aa453a
SHA256 d58488ec44b149a4584d0620b7ae0880939a7f77bb63cc129d270246ece8800a
SHA512 002550f240045e61a0c94d6ea92b1599a58cd8c92446ab3516ee87b9d5d7f980a98cfe09976f8d4074515f69e98fbd4603a3ee063c40b6b31da4d8d57969bbff

C:\Users\Admin\AppData\Local\Temp\WsgS.exe

MD5 bb3a77221cd714e0fa3fde276f64f2dd
SHA1 2275382bb62068e51913fdfa2cfa68e91832e6f6
SHA256 3c4d46d65dbf770858392c019ff1acbae92fa84af8fdac67ab1e488ff97eb5f1
SHA512 233f41ce8d27d9816cbd7c49476289a9c5adaad58119c603beec82e9282d8fd65e8670edf9e2b80270470580a69a7ce6515e2e0bda945556dd5a3724ae19dc2b

C:\Users\Admin\AppData\Local\Temp\KQwi.exe

MD5 2d197ff10b3df74792fa51b92949df7d
SHA1 d17a28cfec5af413d38c60efa8a85f84f3aedea1
SHA256 28a4c57d363f4539d6e7634f8f924e958dc23fe4f31b430c040b4ce5ced6c96a
SHA512 6804f1c0a77c8a8a52e89633262dc4b06e7aca739fc57ca4a1f3f782354791ae07647aabfd78197d7535bd2c57deabe47a5946a9a2a95992d83c7dbd003513e3

C:\Users\Admin\AppData\Local\Temp\Wkow.exe

MD5 fe1b7dfb488c6221d062702658f2c0c5
SHA1 a7d82f7b3b6232d4be442a1c7bea64e648a6bd79
SHA256 e4068f6031f858f51f69d48f430627c03a1ed904e3d047307805f50b7636ce69
SHA512 3297c8760c2ae71f75d5b383d4b840315a0991b5e4debaca49fefa6495546a82eb3f12aee449b1352ad20baea4f028d97b234563bc6391c74209b6ad081ae657

C:\Users\Admin\AppData\Local\Temp\HGgsgAMQ.bat

MD5 aceddfbd2a8856bb537e0e869171be3d
SHA1 71f2ac8f92a369840c3cd0331e2dc79ddb9c0ad6
SHA256 948bf8cc2adc83f65b0a389ce00dc50311ec9c0ae41147bc26338da63fc2ccb7
SHA512 97aa66ad640419320679368b439bf43839356cd951a5d458e0e7829ffa3dfb1714d51ce439a96ee367ac90721d5bd5112f3ed1430b7cc7d13241f750e312e692

C:\Users\Admin\AppData\Local\Temp\EAMc.exe

MD5 0a02743cc7f6ec871783055b1ff565de
SHA1 03d08e22f82b0af3ba40f00672ab2f5cfaeba112
SHA256 e6108fa3449593bf545b15a398959d4df079c3dbe3ef6d66128d5a81c94925aa
SHA512 54e3313dc18bc9b6d86ec7863035dfe53fef71ed8639a2171079898cc39e763c37ac32388e3d2539a6f6a24b0310a4aaf07746b859f8cfb9db5a23b6f4eebbe8

C:\Users\Admin\AppData\Local\Temp\SQAs.exe

MD5 1e8f516cb1e7d04322e1a9c46cbc46fe
SHA1 f6da1e20f52a7dd9b78bf0cbdfa5251deff846ff
SHA256 d4af3d1ed824732a416992989e00e7a68e09c98ac4a76f6e83e1ccd278ebd262
SHA512 3cb2b4f339386eea673c6660730c66cf5eaf282729dadf76dab4e98f8f4b28c6f8cb1a465741709786664e3686f8123c9b10324296fd3f35c7e1a38722c47baa

C:\Users\Admin\AppData\Local\Temp\Owco.exe

MD5 7868e88726888f8059b8fe44167c9039
SHA1 1ac84254bef9b2165b25591e20569f929ac5af45
SHA256 36e67698f59bbdc1f0b488caf8dd93f2186a2b4b3bda8e74d9f307b37f7ba35f
SHA512 87798b755c4bfc13950d41689ef851d0e0cc66c354716360451c4ff2a9d18f54a5ebce6555b0382b8d8bbb00e0b7f01364a6748a4eef7c2026859b0e8ff95200

C:\Users\Admin\AppData\Local\Temp\yAwc.exe

MD5 51a75b48427b7b149dfb715e540b89e1
SHA1 709bcb98401df01d2031155c3b683113c995d379
SHA256 7200f0d9e7c257291a763eb894c0986972115cd3e268e955fa5d46eec3b3f9f9
SHA512 60597f127e566e6e1288ac24c151210847bcfc2968b110ecdefbea35295ce0a3fe30c1c31ba8440990a79c73b74fe34df0c174e37c88a35d3fa248667ed0d0a0

C:\Users\Admin\AppData\Local\Temp\jKIkIUAg.bat

MD5 dce219a73d962410f9e43d1f8e8f1caa
SHA1 5d974e84c0b9df57d7c9f1247eee788ba6ac6c69
SHA256 0eb748a4097f61798a02e55e5248ed2c2551c9a520871c03de7d90a96eb807c1
SHA512 b5a6053462099ebdf7fed64775f20b3a0dd629d653327c4b8755bd5a515436f0d0d5982492d2f3cd8c30f023c39f4b11310b632dedbd4c2654dfa36df0ae73c0

C:\Users\Admin\AppData\Local\Temp\OMUA.exe

MD5 f91cc5f19fd8e9704a6fa8974d0ab30c
SHA1 742d557af18d0363b0c61a60fcfc0b071f98d9bf
SHA256 45c8b416d0323e260108654a4c3d1fe8c1a5e8e2f1e229653578bc13d07e0311
SHA512 f15d7d13ca2629a9fb12b889928e16dea1e1757167775c78e668b25f5c4bcec878353c9c3608064079e9ce770224ffc7c1e532c02457541d0b52bfd56c75761d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 78a38f9b008ad7a6b907a3eec82514fe
SHA1 c362abeb197c1a62fb7171661ae42e574d352f1d
SHA256 7b7c0ad29283def43af2e8e730f6e1fb595cd082fe8194543f485d01c611ecc0
SHA512 8f2e007616596b522bfda70c8313092ae3e806ce5160eae4e9743f09054a6daeef34676cebe58ff87df4c1a400cd87aae347a41e6b67cd1a3a5e807dc8205f7b

C:\Users\Admin\AppData\Local\Temp\oYkk.exe

MD5 38c93e5702c90ce5ae96132868f84222
SHA1 db66831b6b9708ac562a0aacc2decf7314bd4642
SHA256 1fcf6c2a5db0d3683f696b06c9e00085b496ef252536479e92506b9fcb5141f0
SHA512 bda42db5665daa6bcd997c31affbdefef9dbb271087058f1a7f4a53c0bbc14bd5e9b567d33ece02f8aa71060b8a28438f3e69e472b259c06ff89756d1bbf0964

C:\Users\Admin\AppData\Local\Temp\aMYI.exe

MD5 d7dd6fe0cbfb7d395b89ecc7f1ef07ae
SHA1 953914f24f9df83300bf4ad6fe23c5be1200aee9
SHA256 e2e0b234784c415f6c2bbca3b4f5893525089040367e4dbdff3fad6bed4b9b76
SHA512 671bc84c0645e23f7482542dc129cecb4f5fb018b51085d6b92d41fe3e9249620c092a2664c3ffa556ecdf29656831c789ca2597c72ecd14bc702262811c532a

C:\Users\Admin\AppData\Local\Temp\QwoAgMso.bat

MD5 da43e754d4a2aa3a7750ad11a6449b5c
SHA1 47a0cfac1c2455575795036cb8c37b1513f9d9f7
SHA256 c60c9f7fb25bbb1102bfeb4f13b3f64f5e42c0d8eede2aab353a8ae187e8f943
SHA512 0822d3600547bbf6c04d98094963bbd59c011c24d8700ad69499c5dcc439f031d479a365c13552a08264ae0ee1af4a08fc40015a2c33a6a9a6ee9238661bb333

C:\Users\Admin\AppData\Local\Temp\KcwA.exe

MD5 023e7f47956e09a0dae602fcaa335ae3
SHA1 d1be1ab2d29a0fc50ee87660d366455fe7a262f8
SHA256 b8c84c9de46d5d4be7a6e073ebd26906700671f9fc7e62fa4cbcf14a36aead78
SHA512 0359ebb7fb96af28b88703c92ce753d2325fa214e72c0c4146b529cfa79b841310662617614515979447e123e783c8e825ae1be057cc5ac5af5172ec5320c579

C:\Users\Admin\AppData\Local\Temp\GUAM.exe

MD5 4c05ce6394a200ebc0a2721834e5850b
SHA1 10283c2f858d79768c1c0e668847884cbceb2863
SHA256 ad96198b1cb481a60f2c4a74ece31555f9b7b8d1d335beabbbf517137ec2cb14
SHA512 a1e73d740f10b16facd5ed49ed838f2e05b3047e64181443b23294246d9ea661e34c9933ab1fa7b6a112b1095ba1f54f065d30fc779f7d2731083a39ff211019

C:\Users\Admin\AppData\Local\Temp\UAow.exe

MD5 b587dcc8eae0f5b40a57f456cbdc197a
SHA1 39ac4918227450d9e3a1b90caaa6f602cb55215c
SHA256 5d7b45365509e14cd7276fba13273cd2488247f77cd5d2abd84c48c1551acb4c
SHA512 31a729cdee959665eedbb274f64f58ecf4bd961f61406a27019be613811323ed06d6b4d85326d7b614cf5f4e45069483ed589a54a33f3b59c5f71e1efd725800

C:\Users\Admin\AppData\Local\Temp\GWsEoEgM.bat

MD5 6f0a5bfd2c3a022756ec2f1fc61ec833
SHA1 7f0ac1dc92f0265f3137e107771e478cd75f06d1
SHA256 2e431cdd4dc2deeb9df12f297d52b6507eabb8532cce4cd41a8197d92a67bd9d
SHA512 13e647f1f849c74b9f69d9d45d904686397cf9c984bba97b843f3581b50008ea6e1b29c40b035cdac066d4deb7c531225dc28ef2be06d14f3256eb0d57f81801

C:\Users\Admin\AppData\Local\Temp\CIoq.exe

MD5 a2cb4a7ffacd9fe2d8b3e06c8d2ab1b1
SHA1 ed527a6066494d911d8d29a2196bb5485bce35c1
SHA256 c2ef01e0d0186cb9f97108f67dc3a6bfddfd09ba29074cbd790d3e5498735377
SHA512 f82f678cf3fe815de5e0162a7e22a37a0419ebf59ae42ecb52afa9a79aff145d961bdc0cb6689879497afe831e9bcf636c152b61e01e5bacf6eec74bdc7c178b

C:\Users\Admin\AppData\Local\Temp\cYEy.exe

MD5 30d178cfb519224d4429cd967ed16ca0
SHA1 ee4fbf4d92207d7bb5969600dd092cbe33244232
SHA256 7783db2c65bfa75934c43659583e749d9f1dbfc6454b22918a9cf55c6f23800f
SHA512 b826ccf976c80475aec167fd9889312e1465cc91587b3f862a97134410af9e93b20bac5800a285d88b2f5bd74cb60c440e506bc9a3e82a0162af8b8ccb6a81b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 ea41314998cbb6a211ea26c631bf0f96
SHA1 0e8398ef00bb848c1b6980080fe1118f371b10b2
SHA256 a78c9b2489c88154f0112766b2194fdb9416419aa075c87029e8a789230f95ab
SHA512 f2efdf23224d52c5188c88bd9654741106748dd68049e3bf527db29c5e647ab1fddfc975f957d2027335681c90811e17af37faa2c830d7e3e0efb64278bd87bc

C:\Users\Admin\AppData\Local\Temp\MScEIMEU.bat

MD5 85380ee041f3265121a6e0fa3e552d49
SHA1 0f56eb4ae47cb81e56c21df34a3367846f8665e9
SHA256 2cc2b9138c62f1268e3c49d2a9a57d57c58ee7544b28ab6635ef341d7c121b7d
SHA512 bb26a767a8f93554dcc902249fad0f2361ae640222ef1b534ba978a3368dd9776a0c69d36447d1439948d71b14d58f417fba639a5744faa09294a8b7f37f1c47

C:\Users\Admin\AppData\Local\Temp\cAUM.exe

MD5 89c54b5a003f2d9c79f1d7001438c557
SHA1 0627c0f2c485c0fedc6219d1493a05bc5a3ea13e
SHA256 106e862f14fff123c2900a6792ca275cda7814d4c1c64f5f61294fd99030bb33
SHA512 722a764f6213d3cb0076ff5f5fecdb9b70b275c606bc18a8644b975f50fe938214e29cdf187da78dc7c9566d49db9cc5a9a5945e3756816a7556b3eeb1df7f83

C:\Users\Admin\AppData\Local\Temp\QMwI.exe

MD5 b198f4cff2500ad3cb5104f07317523e
SHA1 90000c10b903560fa147c401f5672d92575b9c67
SHA256 8a43984e66fc2ba76daf9ed405d34849d50602aa1fcf610a925859e1f122e9c6
SHA512 5bf538f544c924b4a148839a3f3d90dc3b42a4eccf75f2179db7b8624553c959b554c499dbe1a537aac660b7d29d30c2e60975b3c15dcd56d1b033f2f335dc7c

C:\Users\Admin\AppData\Local\Temp\Akki.exe

MD5 a17bd157dd0729c6b0d8e59bac492293
SHA1 75ee98c860dc4b77a19c82b181311cd281856d8d
SHA256 ea45fe21743688208b28576ae65c781dba1a53fdbad3c198cee9d259cde5b641
SHA512 c78d4e5e1db5b70ac1e61e07cb81efb75f7a45cc8d518fe87101a28f4b1b075a160737b1c5dc26db9f6bc6937abf5033be95ddc6615dc754963a4222a4be87cd

C:\Users\Admin\AppData\Local\Temp\UYwc.exe

MD5 77507993ff7944b1f515d955b7a6c286
SHA1 ae6accdd7b2a03ce7686ad1a6b6ab401ad17b203
SHA256 4a9e214f91de6145b3e777b29bc818b4fda6693c97b2e45c80461e611e5b832f
SHA512 e577b7ef799b15e2f99806a74a725f329080dcbfd30f5b76a90c49c07e523b52e7cda3d608032ab8edb52c479f80528bcc45d26abe8baf8418a9bc7bbb003218

C:\Users\Admin\AppData\Local\Temp\gywMYkQA.bat

MD5 69b5b3b9051e73569a7c0f6115781a9f
SHA1 5e121e5d1daeefb4ab5633c7b17978f75f23422e
SHA256 faabb590e72dd5d7c5f5550779b5df20005bb02962ecd36e4b27fd26e062d300
SHA512 0cf573f27775284e787343ec06fe2f8bac91d63ec2ccc97b99b01678a6a7b9bdf8f564217e11763ad76e3f22762b05aa2af03f13aec1213802a31c0f86bf54d1

C:\Users\Admin\AppData\Local\Temp\ykQa.exe

MD5 7dd9f9a1bc2d6c4eb60a5f33de745216
SHA1 2263ea928979642c5ed3f1657fa2a0b278ff87e7
SHA256 6cddbc2c5d85c9b804358f104a2596ba31734a38dfbbb4525ddb99f49e45a6c9
SHA512 2768dbc86307b94bc6cdf9d7562e85867c79ffedb31c182584959c3ee4b8f1b4ac0a989f3df7bf8b8f56a087add2ab2b53d45d5453c2de5d368467851e28d1e2

C:\Users\Admin\AppData\Local\Temp\VAcUwAUw.bat

MD5 2107c6a3d68cd7df509bb7b5ea61a358
SHA1 07dba502fe7a2fd5f284ff7ef3d5dd81c8854388
SHA256 4b0cc6def7c51c6f9f8c2006e774df9b13033cc666d7f96c28704de5ca8cc519
SHA512 d8be4672b8c212f784688f4f819fb0ac2cc792938352b115051f7ca46b0eca91b518bd4e913997346c30b8f0e4ee5747e38ab756eaa9f8bc247590de1508a563

C:\Users\Admin\AppData\Local\Temp\OIcQ.exe

MD5 27e98c9e49a0b4b6fc40a5ed318c7985
SHA1 9e1f38afdbfcc8d8f7e611899821e3763132b90d
SHA256 7f1f459dfd9656660cab2930e20bfc25f3097fa2afeec3134862e59c2cf6a3f1
SHA512 b85d0636bae817b2b0926738452e401a97ed99aad681be6d9adafef33ee670775410107343cfa8acced30fef6fe982014e8c60520e9cd6c2e504cd4f932416f5

C:\Users\Admin\AppData\Local\Temp\ssIq.exe

MD5 ee1ce3bb82949a042690f758b0379f33
SHA1 ddb8cf05e4bbb07c5be3b6f2b70cf9295b26460e
SHA256 5a3508b887d96233c2b1f91f20cb71fa7f97460257afd0efe1655254f144cd05
SHA512 7493167155c3d430e6bfeecadd4452826a07d45d29cde353ccf819c12cbf369dc687baa2839469ef0815bd2ec3923b1adda1600499a9c04d2953bef459a4ddd1

C:\Users\Admin\AppData\Local\Temp\nIQUYMEY.bat

MD5 577ba0412679867ba245ebfcdcfc6f18
SHA1 8a1a5c44b446e1f22509dc7dd03730683c607aad
SHA256 9c463e2f9c100a3224a41fb1a77652c4a53f78e4f4825af980694c2b9098db72
SHA512 ec2fa908a162a07847c403abbe239818b8384ffb84a676b58fe38389d943f7bcf6803a455c3c6c94734d8319e5eef9026c7b5c17da77ed82a1ec3485bd4b2b69

C:\Users\Admin\AppData\Local\Temp\Qcwc.exe

MD5 e752ef2987b52fb5a8d86f64f3f5e24e
SHA1 345849fa2f735196690a357d5941319d23530a6a
SHA256 0946113fcd7723fa8dfaaba3b4b0062536689623e3804a815129e33c1f730b56
SHA512 e136d4250a0153371a66337d9894d4eb23dafea02a62f567607854ae44ef962f9521a5c9670ddaf49d03144d0dce5a51f9686f108cdc01385673622636302254

C:\Users\Admin\AppData\Local\Temp\SkUW.exe

MD5 f6eb816bc6f9379ea42810e204b4f196
SHA1 0997928c68ce3eb6279df579837b3f932c0eb65b
SHA256 c83448cc361561cd710c74c8c2c1b027e83649ac56f711eda79de736de0a8cf9
SHA512 ed9d27352dc3a3ec8a8b79e5ac558b60270da416ea225c6faddedea4f23e7ff783581f533cb0f8075012a48e3885708e61aa887d16dbca24006c40b7b7b8a9f8

C:\Users\Admin\AppData\Local\Temp\YIYs.exe

MD5 afa258add371ad8afa07e2e148470281
SHA1 08b0dac8b5cd2fabc5499d1ad36fd6aa7fa6f919
SHA256 d3f5224e345eb2c4bf2e0e26132a7428975dbdefe71b526be83028768ae7c8f1
SHA512 40ed2bf15614567a0d63e205bc755839d056fa6bf4511a82bf06d22fdb47281dc28d02040d648692da681b0a2a5ad006e79c7c8e694512fcd77e6b953a7181f1

C:\Users\Admin\AppData\Local\Temp\MgIU.exe

MD5 ac88752c85d6066e71b55b91a97a973e
SHA1 344a309be999de4525f9853a1cc8f32bd32721ac
SHA256 47df30450b6ca025950e5ce8d65f85d8c7a811e1f12b920c52331fded0041e3d
SHA512 5ec02ee116bc7c89e5a99b084a4434ae2861f2eda1fd1463fde26f096cedf35cc570593cee1f0a5219441847693d90c36f7aebefa0a0561b04a1d55e429a1446

C:\Users\Admin\AppData\Local\Temp\mYMa.exe

MD5 eef51f1a81fb257c748dc282b71ce33a
SHA1 d94f905039f32e5e5273ff86ad014705ef8ae682
SHA256 0a8411b0643dae252c936847637f99792eda7262ce029e9502c7d049d686af78
SHA512 07ce9950c5b2cfc75bb71ebcf875b2cf97f9e7915f1c0578d1b61a6903f054ae5183c4df6f77690d3d349ca1ea767437061753cd7206e4c1ac48dd47a0cc1e9e

C:\Users\Admin\AppData\Local\Temp\YgkI.exe

MD5 374c043167af3bbb74d30f6a5046aa8f
SHA1 ca66aa7bb4c25082fe9f8bb267d158c93031d784
SHA256 b77ccff48ea017734626063776cdf2a849ce1fb0fcb2549338ebf8e477edcc4a
SHA512 21fbc2d9986204d69214b1b90d04aecc0e678d72c41a4e7c443d2d93b851ce6354d4be34fcb34862adbc959e79578c9e1fdea5b2f2d9895e364fa83d6fb22338

C:\Users\Admin\AppData\Local\Temp\cgEQ.exe

MD5 5ac9e7553f304054323e22bf99983160
SHA1 2df790841a0ffc32876e15f33c16ae9462456876
SHA256 257550bda283238bbd2af96c2b194967a99488bb0bf2aa8b64e4a8b68d11f41d
SHA512 4fd80a7a388aed0b977df32e58f7412431cbca356b6e35f37b246c011d0d802289cd7ea40e92e77aca2ddfcfe45dbeac4c3560060313e71cb3b6f7b8f6bba8ba

C:\Users\Admin\AppData\Local\Temp\wUom.exe

MD5 aafb41a561dd3e794224baa61d019b6c
SHA1 81837a01d94d03d5f8bc2b26097e65c8ce2e88cf
SHA256 b7030512a66bd5a670df541a6d62827f7b2a7813b683c15ff25bb0eb393f3f1b
SHA512 f3eb177fbeca49e04927e41e5d9bab43c49e5b3e300f84277c727ec17523f0d7b3ef601f7afac6240db5a678461b6074c68ace880264aa6b400cb3ee98452682

C:\Users\Admin\AppData\Local\Temp\miAMoIME.bat

MD5 ebea7b555523da0e9a4a72946bd65c0e
SHA1 e8ea014a9329554fdb0ab76104448d1592a95ece
SHA256 0e0f4cb98c541ffe8a55fe65e2ee420a655a3903df00fbafdb5297ded0dd4a88
SHA512 0084902313ce89577959e8cd9025999875b4081e05dbae0ef74bf3553fb00a55b0ed6bf844e0a856cd191dcefb65ade8e4fb3609f3094a5ee457159172d3ddf9

C:\Users\Admin\AppData\Local\Temp\MEEC.exe

MD5 88204b0b333c61cb12957df479eea290
SHA1 604fdec6dc64504850ace3486c34bd403b03f3dc
SHA256 b952c9de12876fde073467749e5910bbc07a514749a0a8c6117b7d590b820060
SHA512 51543aaef95d751cb695a3502706f7ba1b71e277fdf0f1cf377681f9adf8d7847f63b0c5fce1100cb3fbff2d170af6bc6def63f2caa8c595b08b664a1452a6be

C:\Users\Admin\AppData\Local\Temp\fcMsIQAg.bat

MD5 bc1ce8873c3ef05e9fe41b47a19873a4
SHA1 62f3b28827897ce55c9c2717747a7aa8466ff8e4
SHA256 e2faf70df5efadfdb47383739c217907726bc28f3004b1d5380338432486c5c6
SHA512 f3f6989af1737b19ae07b0d0da7cdee036a427a383dd162624b6baadfae672e81adb315a84d7c6033eb0610ed7ff7ef1bd14bb1676acb5ee534b3e1e12138ff2

C:\Users\Admin\AppData\Local\Temp\qakwEsAI.bat

MD5 d11ee3615c17f3b234d1be530b67112f
SHA1 192f3415e03698bae5b2ed4a5581ae2e82e0ff84
SHA256 f930455cb5c6233c820caeb7e57f40c7befea66fc94547846251508b70724f70
SHA512 27c19fe7ebb925a6d1951a404c94b71d951970d47c26ce8c03b22d128c760bc276c5afa6ad133ebe578841966241191342a41b67fd8b8923e6194ee6c6b9f935

C:\Users\Admin\AppData\Local\Temp\GMQowAMQ.bat

MD5 112fdf7d04efce5da46e4ca3d799f8d4
SHA1 b97a4162178eb373fd3934e6190d59ef002d0712
SHA256 428bfa7ac1260e8a70c5ab17b4c0200952369254d6d6fd931b1faf18e0d60aa2
SHA512 b4f6beb7150f35fc748f4d9d007f3089583eda1250d417a89f539b2e6ec43445b9efceea4b465cb9cb3c9fb96c90d54a597fa5fb9ed63a33343598bff08a9798

C:\Users\Admin\AppData\Local\Temp\qUYgMgkw.bat

MD5 162aed88901ec50d855aa6ed6b351ebb
SHA1 8f408fcf7dddfaf95b8f9d2ca4b85d1ed4bff99a
SHA256 f31511d9bc754c7b5a1b8e8ea2ab439bf7a153f8b87bfe742569525a2b224434
SHA512 f12965cc7afb635f229e250688deef0c3133026b53ece98047006a3e8a868367c5c434ef074d960ba7c7602ae0710dccbe69799c03bb6b08d4518c39b8a15c0c

C:\Users\Admin\AppData\Local\Temp\lAwQUwks.bat

MD5 2191a3a7d64a16fbb1c20db2d7891489
SHA1 924e1f869d964355185a7f976f42da325c1a5f6a
SHA256 edb8f297634fd457ff699d1ed3bf8a35eec70ecaf0e3d4f0f968725946301712
SHA512 5a4623318741d15699277250bfc6283ffe38d05ff307c1ecf24009eee100e8adba68fad44005b7cf1e37a7f8ad1005c4c5be595459812da9b2e3350b437c0fec

C:\Users\Admin\AppData\Local\Temp\JmMsEIoI.bat

MD5 d58ecc32c837ea4d5fbeb10d4bb76889
SHA1 0de35c9837cc998f573ef213b584164dff3c0b8c
SHA256 3aa1decc4530353be90fb936ec753f665428cafe399cd02455482d4bdd980793
SHA512 85945f2188b53bc30c1ff191262854efc399c09d9019852cc6e24d5e8af9eeebbab99cbb8bd977e99296f7913f367906b4dac14dae735f125251224e398b7a38

C:\Users\Admin\AppData\Local\Temp\FQcAUsUA.bat

MD5 c8d3af389ef18895db4cb477f34231cf
SHA1 a1a8fe30963e7a8e002908530dddd214203ef7b0
SHA256 1e0ed04f9361cdbc81fde0da865467cff11d22221ef74788dd10a169144116ff
SHA512 d4bf899d1c75b15c896a67dfb3146a2961f3878b1e7d10fe412116fa7baaae34fcc9517f73c4f45c5088b70edef27e27d329fbc25aeed02ea6743b1ad49920f3

C:\Users\Admin\AppData\Local\Temp\HcccQYEM.bat

MD5 f31c4c1dc0bbad7ae9cd76a17d146c00
SHA1 b3e37ab9e432d25a78a9a9cb06342f72bb13a12b
SHA256 dd480cba54529aebb8de4b1bb64e905ec3673bb1475ab06797f921e38aa745e9
SHA512 0e1eefe1720539c255b0a679e441b0edd3f779da71d927b9b5e3326500345a04606b61cdaef1892df718c55cb4e07389173311ad89795952eaf930a8df723ac5

C:\Users\Admin\AppData\Local\Temp\eIcMIQcU.bat

MD5 47e1231fc48701e6ffbdcba5e4a02aa8
SHA1 c73a1cf6d2add0d43eacca1f6003f84b1e0c88e0
SHA256 27e5fafe7efc7a8f0d971aa89df09fe0016288de3bd5efc2bbd02de195afb813
SHA512 fa740d809b6788957bb965ce3e5205f52c82c2b7351ccec5fd7d9b020968231b05863148f8dd1b44b01ba2ecb2db6ec145149f278a7b26a49420112dc051095f

C:\Users\Admin\AppData\Local\Temp\sgoIEUsA.bat

MD5 1014355be0d5043b010c53590a587587
SHA1 249098a74d1ea2a8d63031f491197d001beef5f7
SHA256 5718d0c4687508812b36352f543b67f1d81210b7fb5b9b6685a3e215e01240a6
SHA512 85de6b823f0c0a56437b5c8f59fa135f7d7edfdfba39f609cf1f8b7185f5318f3c3edc4c8ca22b1b1251c6d110f3149e836b8b6000c73054c085497bd8abb818

C:\Users\Admin\AppData\Local\Temp\GUQYUwgw.bat

MD5 03f410269bde1bbda8bb675f8371e45a
SHA1 9a3b006889363bc788b5d3b43ffdc9953692545e
SHA256 732d711cc3423a0c8b648a06d51e67c074aa4a345935a93f46ea579f8acb1b0c
SHA512 8bab2ff412406026e0e1ef0b1c6f79e7b59e6a35a86e63c22e5d1915650b87b5a39e8376429b49671c9a1d964e1c511ff43d8cd45edca1789559f3ab189fba2e

C:\Users\Admin\AppData\Local\Temp\gOocgkAw.bat

MD5 3952cad75252cbb363812950ceec0ec5
SHA1 dc2897bec2d89e522f5a79d105ca7febe4636eed
SHA256 4fc925e45c7baec89bab7a84b515076c29eb8ec8d592e83975752c48745d3198
SHA512 80a4a91c684e0bb2b37a5b8d2e22d3f3e6e9ad8a5fb8aafa89d5b1c2bed1fb72bd79672f4d5c8c618c0da6b49ad6c031de3ac0a9e2a80cb24efdf0bb2c49781f

C:\Users\Admin\AppData\Local\Temp\psEscgsU.bat

MD5 78d405a583bd9ea6b1d952ef5794e26a
SHA1 5c71cc7e1ef18ab22450a1013e16617cb1c53000
SHA256 8c27d15bd79d5499bd01ecbc2d6ca27a51db3678d99667b7bc21e696cfc66853
SHA512 260e977b16d28cc632a7a8416f997c45634cae7f8e8330206316dc4d0d9a946e3f9707fa965d7e854328b025e64d03588fe88cb682575faed4ac5c6944412da2

C:\Users\Admin\AppData\Local\Temp\nuIwgIUw.bat

MD5 ecc5c93884f044ecdfa0b2c47cc068a8
SHA1 d611385e202ee14bb4c99dcfc5dc9b7aec328757
SHA256 83b43f451b2d6789641855be0a8b2722168da23b2ff46a88e52a4a01facba9ff
SHA512 ec6973a9e5c282624e3a6960f6ad2484628bd64632b600122fab78179828b234210ef59de6506a5a50b23a3331d210442624970f6f355862886000fa730af327