Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-t7r15sycmf
Target 2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
SHA256 55e25abc5fc0cf49010c437a6770f44fb9103bd0034e2cb0ee40e8115e5c5b49
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55e25abc5fc0cf49010c437a6770f44fb9103bd0034e2cb0ee40e8115e5c5b49

Threat Level: Known bad

The file 2024-10-20_25254d694617c9f5e62baff92b13782c_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (89) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 16:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 16:42

Reported

2024-10-20 16:44

Platform

win7-20240903-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion

Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A 64

UAC bypass

evasion trojan

Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 64

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A
N/A N/A C:\ProgramData\KCokYIcg\fasoEEoE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\CuYMQUss.exe = "C:\\Users\\Admin\\dEQYMgEE\\CuYMQUss.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fasoEEoE.exe = "C:\\ProgramData\\KCokYIcg\\fasoEEoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\CuYMQUss.exe = "C:\\Users\\Admin\\dEQYMgEE\\CuYMQUss.exe" C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fasoEEoE.exe = "C:\\ProgramData\\KCokYIcg\\fasoEEoE.exe" C:\ProgramData\KCokYIcg\fasoEEoE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A 4
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 30
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 23
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A 7

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical row repeated 64 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
(identical row repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\dEQYMgEE\CuYMQUss.exe N/A
(identical row repeated 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\dEQYMgEE\CuYMQUss.exe
PID 2348 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\KCokYIcg\fasoEEoE.exe
PID 2348 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2348 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2348 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2348 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2348 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
(each row above is recorded 4 times in the original table)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

C:\Users\Admin\dEQYMgEE\CuYMQUss.exe

"C:\Users\Admin\dEQYMgEE\CuYMQUss.exe"

C:\ProgramData\KCokYIcg\fasoEEoE.exe

"C:\ProgramData\KCokYIcg\fasoEEoE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCgUsYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikYgAwgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEMwIYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYkcQUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGcEocoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkwAUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FGAQEAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEAgMgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUosMcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGoowwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kOQUIIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEEMYAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\amokwccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiskYQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSQQUIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\peEIEEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiwUgcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIsUsooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYoccYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqwIgsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMkIIokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQUEsIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOQAMscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiEgcAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmcwIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWssMUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSEsoMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rossMYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwYUMgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSQowQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQMAEIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYsMMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JiwAAUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOkAMUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\reYgAckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIgAMgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCwwckEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAMgYAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIEAQUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCssIgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEIgkskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWQksoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyUMIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOkooAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmUgMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcQEAwgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKIQwgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEooAMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsoUggIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGwIMkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwkoYosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMUMgEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIoscEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owUUMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsggAgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQYUssko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SykoEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKsEEwAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwQcosIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwYAUswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaowUMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAsYsEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACQMUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcQoIIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myMwcksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\essgYQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
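
Detection logic for the process chain listed above, added here as an example; it is not part of the sandbox report and not a vendor rule set. It takes (image, command line) pairs in the form the report prints them, tolerates the two switch orders reg.exe accepts (the HKCU writes put /f first, the HKLM write puts it last), normalises the forward slash in the cscript line so a Temp-path match does not miss it, and flags the three registry writes, the batch launcher, the script host and the extension-less relaunch of the sample. The records below are a constructed excerpt of the list above; the rule names and the final benign control entry (an administrator turning extension display back on) are assumptions added for the demonstration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt of the process list above as (image, command line) pairs.
# The last entry is a constructed benign control that must not fire any rule.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEIgkskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""'),
    (r"C:\Windows\SysWOW64\cscript.exe",
     r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    (r"C:\Windows\System32\reg.exe",   # benign control, constructed
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f"),
]

# ATT&CK mapping chosen for this example (the report's own matrix is not reproduced here).
RULE_TO_ATTACK = {
    "uac_disabled_via_registry": "T1548.002 Bypass User Account Control",
    "explorer_hide_file_extensions": "T1112 Modify Registry",
    "explorer_hide_hidden_files": "T1112 Modify Registry",
    "cmd_runs_temp_batch": "T1059.003 Windows Command Shell",
    "cmd_runs_extensionless_temp_file": "T1059.003 Windows Command Shell",
    "script_host_runs_temp_vbs": "T1059.005 Visual Basic",
}

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def parse_reg_add(cmdline):
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]' into a dict.
    reg.exe accepts the switches in any order; the sample uses two orders."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() != "reg" or tokens[1].lower() != "add":
        return None
    info = {"key": tokens[2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch == "/f":
            info["force"] = True
            i += 1
        elif switch in names and i + 1 < len(tokens):
            info[names[switch]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return info


def scan(processes):
    """Return (rule, command line) findings for a list of (image, command line) pairs."""
    findings = []
    for image, cmdline in processes:
        exe = PureWindowsPath(image).name.lower()
        # The cscript line mixes a forward slash into the path; fold it before matching.
        lowered = cmdline.lower().replace("/", "\\")
        if exe == "reg.exe":
            r = parse_reg_add(cmdline)
            if r is None:
                continue
            key, val = r["key"].lower(), (r["value"] or "").lower()
            if key.endswith(r"\policies\system") and val == "enablelua" and r["data"] == "0":
                findings.append(("uac_disabled_via_registry", cmdline))
            if key.endswith(r"\explorer\advanced") and val == "hidefileext" and r["data"] == "1":
                findings.append(("explorer_hide_file_extensions", cmdline))
            if key.endswith(r"\explorer\advanced") and val == "hidden" and r["data"] == "2":
                findings.append(("explorer_hide_hidden_files", cmdline))
        elif exe == "cmd.exe":
            if TEMP_RE.search(lowered) and ".bat" in lowered:
                findings.append(("cmd_runs_temp_batch", cmdline))
            # A single quoted path whose last component carries no extension at all.
            m = re.match(r'^cmd /c "([^"]+)"$', cmdline, re.I)
            if m and TEMP_RE.search(m.group(1)) and "." not in PureWindowsPath(m.group(1)).name:
                findings.append(("cmd_runs_extensionless_temp_file", cmdline))
        elif exe in ("cscript.exe", "wscript.exe"):
            if TEMP_RE.search(lowered) and ".vbs" in lowered:
                findings.append(("script_host_runs_temp_vbs", cmdline))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_PROCESSES):
        print(f"{rule:36} {RULE_TO_ATTACK[rule]:40} {cmdline}")
    print(summarize(scan(SAMPLE_PROCESSES)))
```

Two caveats a responder should keep in mind when reading these hits. The HKLM write only succeeds because the sample is already running with an elevated token (the sandbox runs it as Admin), and EnableLUA=0 takes effect at the next restart rather than immediately, so the UAC state on a live host should be read back from the key rather than inferred from the process log. The two HKCU writes need no elevation and affect only what Explorer shows once it re-reads the keys; they are the cheap part of the chain and the part most likely to survive on a cleaned host, which is why the benign control above checks the data value rather than just the value name.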

Network

Country  Destination          Domain      Proto
BO       200.87.164.69:9999   -           tcp
US       8.8.8.8:53           google.com  udp
GB       172.217.169.46:80    google.com  tcp
BO       200.87.164.69:9999   -           tcp
GB       172.217.169.46:80    google.com  tcp
BO       200.119.204.12:9999  -           tcp
BO       200.119.204.12:9999  -           tcp
BO       190.186.45.170:9999  -           tcp
BO       190.186.45.170:9999  -           tcp

Files

memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\dEQYMgEE\CuYMQUss.exe

MD5 dfe743d0d640b8ef1a06f35db6255fae
SHA1 ba52fff0456c44e4c32bec93275f8e7beed3ac2d
SHA256 8590d81a971a82166c55ec6ced1cb50bb3ccc6dd9b89fdb805248d56e4cd00d9
SHA512 b27bc4fc0f59b93c25c65630bbce59e3703c8e6327ef7542bec459bd2ce96c69d1545d86806e65abdb35750d9676531654e1e432fab36b1ef7030779dd7f884b

memory/2348-5-0x00000000004C0000-0x00000000004DD000-memory.dmp

memory/2464-13-0x0000000000400000-0x000000000041D000-memory.dmp

\ProgramData\KCokYIcg\fasoEEoE.exe

MD5 8e62752ddee6b9cb2a054b660fe87538
SHA1 d930bf203958532768a29d60be2865afd06b7a8f
SHA256 e58aa0525feea6f4ef613879866dde124e20c3c741e9cdc7445bf9e89dacda30
SHA512 ab179ea3bbacdd57b5e470a0ec49400f2005f0206c752f5500b10c953b894c7e663c9a20081a02c9727af70efd1d0397d62aa01c40d5531099520af67c1911f7

C:\Users\Admin\AppData\Local\Temp\VWgQgMwM.bat

MD5 7ecb36ea94f313e9ef121fd460f2d72b
SHA1 0d071f2b448a2003491c60205060f968197b0dd2
SHA256 5afd6b12d596b2226d570dfb76cc8a2e783227fa111dddba460e74deda586805
SHA512 7733be5fc9acdb5c7c39fc861800f916a083d39d2c5d05b6efe8b810dba13596ed5a027706742a90bd0e1375543d7d0c7013d3ebe1a43c8d639f315fe39518be

memory/2348-16-0x00000000004C0000-0x00000000004DD000-memory.dmp

memory/1872-30-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2868-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1244-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1244-31-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-42-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tCgUsYAM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\iaIMEMgc.bat

MD5 0aae3faf7a9d3f840cbc22861b7671c2
SHA1 1b9930d2c238807733225e15a261b882e5318fdf
SHA256 8b57d9ce2986a4b9c0ac41ad388e36f590feff641ed191b63e37ca6eef5c98f2
SHA512 7922c51badc1ba2a5a5b86012a0cca85877546ee9d8535e2c6d7d48a98edf682cfed3aa3cc821fa561e63a243aff2263f3a2e9a81e596ef5429ddd5d0a5d4e98

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

MD5 5861d4e6983be2b92122bcfb7d239eb5
SHA1 892a1af54e23a9960f63eae6369c526ef325b77c
SHA256 b3de971f88cdd8219cd9bf4a1212107b4052f468caac1f196d756ddf095acb48
SHA512 af3ce9a9c4a7be34e1d75bd9e25b483cfadc18e50cdb3229c5bc70bf965f6c478a707711154066c446f84ae5b6216917dd34935ee69772c305a00bc6d5040178

memory/2832-55-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2576-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2868-65-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EwAAkwME.bat

MD5 61d23ab5400af124419e0d0c88784879
SHA1 3587ee1667cc7693fee9435eb429430e1ceaa524
SHA256 c7ca2d5844408e645ce5264828588757d867f56311cce1679bd5d1893ad09d5e
SHA512 65d60c26fc2747fd1a264a72738e1340549459fc62c49a3dc2c882710acc726b254d778118c1b3989867b5d8c562944cc98da056446a4121df54a72e3c4741c7

memory/2436-78-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2576-87-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KOIcgEgU.bat

MD5 41a7ba1ceb916d836d361d3ba1aea0a4
SHA1 e72f21df8e9e40eb7f2ef4c5e4f819ec2debea55
SHA256 fc5b783256b9fbbf72d68eb8458e9a4a6b50d27c9b4bd89de2e74043064019a5
SHA512 0679d0ed00546c97874b77172396394f24d0c2cd883bad6091e54e5f98652caa8befd536e4ea29f5c0a1f9a7ab8fc4abd46cc55a1a14823d8338244bc5df9aca

memory/1860-100-0x0000000000500000-0x000000000052B000-memory.dmp

memory/1860-101-0x0000000000500000-0x000000000052B000-memory.dmp

memory/1452-110-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OEwgkcsM.bat

MD5 b49bb5abdd90f114f1efd61a4eccab96
SHA1 613bac6a97e66f8675aee0193543a10f703e7fd0
SHA256 1ce7371b5282e9430d03f4e9911122a560a279bdc12fa11751616eed75bacf4c
SHA512 6b2b3e7a2f8e74094c41f55fa559c8cf8b0bb6a250608acb072f3bbe7bf6dffc8e977d64d320b3abcd800c49cec74ae6e76fbb3d236db92751a88848f047c143

memory/2008-123-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1732-124-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2384-133-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OYwMIUcE.bat

MD5 920ace73cb9d23cf25abea5a3dc37b60
SHA1 9ae462d4b0c31b810df0df83ab20918f71a640be
SHA256 726a8837358a775d2e3f16337fea002c7b4655e1f0d37bf17154f4ff23f7b8b2
SHA512 a4e785ef1226760093aca27a537603cced7e6e2c70d1f9fb29e2a770d48a9b42e0d866b11c127e644738a505d624027cd539a77346e981f76e70b8ed983f14a5

memory/2492-147-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1444-146-0x0000000000360000-0x000000000038B000-memory.dmp

memory/1732-156-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rcocQQkU.bat

MD5 60e84dd2942e43c848b9a0526b2363fc
SHA1 762552644f56cef2cb592d1514d62166bb9b07c8
SHA256 328b7423825a2cfb73b7648ba898ed6c85a16bb07aca96e38441b605d8ee1f25
SHA512 f1ebef1015bf6c8d08a13bf7624333effa5c43c6a1051c3234db7769af6c66c5bf75edb87595ef1319fb6ee7a43274735cc2972dcda9d384433b38329b17d629

memory/352-169-0x0000000002240000-0x000000000226B000-memory.dmp

memory/2660-170-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2492-179-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VCEcQYkA.bat

MD5 00033431438d917c27ec85f4ad682e60
SHA1 2a43defbcd5b5c69df66c573c70dca57ed9c8f25
SHA256 3e727828bb3d6c8cd1aa534c8668f7a4c056317354e9053bd989c3834165d0c9
SHA512 907d0fbfc481ae92e8afbacabfaf69b216753f2c41de88e5436a349314879f5376e5a57e569b2af36ff217520d8227679f71e8e8ba6fa8b7669ed79562a92d81

memory/2660-200-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zeoQYYoI.bat

MD5 12281b95d087853b8c2441f6f8c00314
SHA1 d80118bac22e2fafacc5096b07ca4b61123f9547
SHA256 bf5a0be099990d525bcbc1c415a6d5faf63104af7d17bcf1b44d6a878aaace0f
SHA512 78767de72be0a08b53e199f0d5674c063f418869c1b661377a1b15d38e98a0bb749ac12dbb642c67d34a909d7cd00b5d238384bdd9f04ca48b41bf2a81166ba8

memory/2980-221-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PqkYYMAg.bat

MD5 1d7a37157a3ca62e8b3b9dc591666e38
SHA1 2b2a9f6c8c7f469bd124733200791332d540f23a
SHA256 f793dfffd20bf969612b8be7555b65063f5d6a735905db434e8adc17412ecfaa
SHA512 6e7d37d62503a416f3a5b949bd2490a5d7f41072ea33a74dbba4359eef23205ed2611d62840aeb3b83f8e80b00a5d00c9287952fec9f8a829063c52e7775decb

memory/3004-234-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2832-243-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PYkYgYss.bat

MD5 371217b62e9bb6db01d4c63662a46b36
SHA1 5b65a955e0a2112ee0136210dbd8553a109d552c
SHA256 63c5d585b7f653019d64d1dce5b9e8761c0590a8123f8a922cdf480089f9b3dc
SHA512 9097f435cfc6e7920c37946cb1b7dbe3e4bc10a6162722c3b3bb166599ac49fb3217c55d6a64b199b8b7fc9bf05ecb3540f2e827480bb0541aec3f26e4bcf070

memory/2132-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1700-258-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2132-257-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3004-267-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UiscQEog.bat

MD5 53da65d5b734442592502039aa77920a
SHA1 ae21b3a9f62c7550970700f11ec9f57914895252
SHA256 495e4bcf3d9a8c15adfa9d2af5055353fb6a8e3bcae1bf96ad82aa5c9d8d79c2
SHA512 817e2799acee7903a08133ddf71ac8faf8e85a332fd778eaa27896a2ac112511a00a2928e6057b0fca739c8fc9b4731e2795828907b648395d0cf8e58a9550fd

memory/1424-280-0x0000000000280000-0x00000000002AB000-memory.dmp

memory/1700-289-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uKIYQQYA.bat

MD5 98b71ab1c49e31e8d009cc2273e09221
SHA1 249ac30b3b43c5d541ab92a78946f01540515d8b
SHA256 4eb76803ace3b8f045ee060c696ea7dfd11602895fce4531f0c7e0487d3a1037
SHA512 ce93c944f972bfa5196f1e063e36bd8c949471a8e877dc4580a641539e43849a3670f3b54469383ffb7294e77d0ad77925d770bbaa786a6c806633c682457e78

memory/768-302-0x0000000000160000-0x000000000018B000-memory.dmp

memory/2492-304-0x0000000000400000-0x000000000042B000-memory.dmp

memory/768-303-0x0000000000160000-0x000000000018B000-memory.dmp

memory/1000-313-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMogIUEE.bat

MD5 37f6fb5191d53f5e6e5c1fde616d71e3
SHA1 d2f245b8d3eb4f035d9b07c1bbeb3903624cb193
SHA256 977b12de14848ee7aac18d59ec1feb94ffec3d449790067f988bb620701049c1
SHA512 8ec38d1b2994ecedeecda327f8aa87bccd3adc204fbccac0742bd9acb233432379cccb5fc44f5673bfabee64fe0569517968b6e98d11a65937f1ad20c9d723e1

memory/2348-326-0x0000000000120000-0x000000000014B000-memory.dmp

memory/2492-335-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\giYAIYAQ.bat

MD5 e6fda01d5ca249e1e009179d8a4974e2
SHA1 2831ba7d090f34338fad35f330c525c205a455d4
SHA256 8d531ce94f06dd597ab7c814e7d4074c75d43c2841192d8fb706cb15b3211d94
SHA512 891e0ae6dc1ed332894ab18cb4e25791214e24112cb4880bb8cbe12c3d165351ed1cc4182cc3a923690b5c34ae53e38749ef8cf2228fffb54f28e55666829ab4

memory/2236-348-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2980-349-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1324-358-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biYwcIww.bat

MD5 706828337e85ccbce67b7215a6538f1b
SHA1 64a9ab146b604c907391eee65cf8cce6048b12bb
SHA256 34b56263c660d8be4645829694462f12e9ece529720a542424d4a063b933c4d9
SHA512 b5650b3cadd9bc727c35acd4c232f346cbb91ea9181dfcf39cfba3891f942987316da41e8af11212638575a7a4d25a90fdf122945424203bc7b234fdfb3a0af9

memory/2528-371-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1784-372-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2980-381-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xcgscYYc.bat

MD5 76828225034ad0baae571a75f13f0f94
SHA1 e31c5d28850ff1129e10ecb3fb197e0f335469a4
SHA256 f8340f0225efed30339d842c8a4f5d7b3b1f616a742cf78d00dfe86fc290f83f
SHA512 fbda7bbf56aba4f13e6f60dc3b605ecfbaad44f686fc00b326f2a72f63a37c7dc4c92a527ce30166c156d94b81a8c992906ca3d927457cb25d8f212d521914cb

memory/1928-396-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2216-395-0x00000000001A0000-0x00000000001CB000-memory.dmp

memory/2216-394-0x00000000001A0000-0x00000000001CB000-memory.dmp

memory/1784-405-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vmcgcYMw.bat

MD5 2c136aef90ca8826946760caf632fcc8
SHA1 36b19d45e95dcf0135d2ca87c08e347d0962cd90
SHA256 529aa5a6bf91cf578045982f7a96661866c7b193a0b08c3550441ef758635d79
SHA512 80ffb9cef6dc6a75dad440e1e9a92ce2646b5495283efba86667dccc2cf0f6c5ea5e9143fa739bb315e586760c41ad07dcc4e52cdb8acc045c327966c48076cd

memory/2096-418-0x0000000000180000-0x00000000001AB000-memory.dmp

memory/2384-419-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1928-428-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jksUwcQc.bat

MD5 2d3d6f611fdfa10210f0ca5433ee6b66
SHA1 1cf4eb2ffca6e6692fa68373a522c43bb3168731
SHA256 d346ec81ea3f0f190c2f8af369c4e205ce7085f69668174ca31735f387995efd
SHA512 a50b852bd70445f88ddb4a891304c0b854f216d718e6fcec8a23fecaef445d8a5f6bff14c296b337737b4a37c45a108572c304e2b33125250131349aa964c708

memory/2988-442-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2536-441-0x0000000000160000-0x000000000018B000-memory.dmp

memory/2384-451-0x0000000000400000-0x000000000042B000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\FAkYAQEY.bat

MD5 21429ebe299a6c45d9370e33e09d3d1c
SHA1 72c39df3e9d8878e21cad64902d91c611e60d14c
SHA256 bd201029739b22bfa8490134f6122b7b48b3ea53a7eb961333f34067f01fccc6
SHA512 dae5cdae46654dc361294dd2f5844a604e4d3b6c926d7136e3eadc183197f8ad7035f6f48afb0881f13283c08a57fc97ed4dbc3119ba4f538befcf714d974e36

memory/1028-465-0x0000000000130000-0x000000000015B000-memory.dmp

memory/2988-488-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAce.exe

MD5 7bbc89ada5ddf6e935d71aa180d19b1b
SHA1 86916c27d382ac548b457ee828d78145eb2a1c08
SHA256 4e6c3ced01f4a4960bda2266b2bb94b29ea0949312230610b7673968cc9131cd
SHA512 35d65541e8613c870be524b5f2def689005ca32332fa94c9d5956a1e3915c3a02ffed659e58a8d008054a5d2ce7fbc2cec80d4355a90e5bfb748163869cce4b7

C:\Users\Admin\AppData\Local\Temp\uIIggkgo.bat

MD5 651c5cde9b8ed86a67c6f94ad58538f2
SHA1 fe833722e4a28a72829cd57425ac8b61c6703b2a
SHA256 965e419458f718f35a8a2eb92ac1cab94f52666d9ef16604b6e22afe7f8939ae
SHA512 8db2522e033b4ad2a0f3ef367044fe4a96215ee6564166daea61c143ebc7eaed8ce86e91a258a60785aa5c50af36d64aee9f99849979c251f0300fc89e6e5924

C:\Users\Admin\AppData\Local\Temp\cswk.exe

MD5 b8b816fcf82c763271da66cea7113205
SHA1 2f880abc6269efcdd5caa52de0d6a9eca4a308d2
SHA256 f2c2ac0988126bdbe8b626ea0cbc29a87ad0a6e10143ad9a1ef753fcc2b098a6
SHA512 bb879994fa0c583669e640853a9918a1166795ce012a95abfd341a7705fbd17773c234f3b4a81074dbf26668ca38e7b81567ea8873d123cd2594367f915daba6

memory/2256-511-0x0000000000100000-0x000000000012B000-memory.dmp

memory/2256-512-0x0000000000100000-0x000000000012B000-memory.dmp

memory/2832-514-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2892-522-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ooEq.exe

MD5 a58b02a8d5c960908d239cf809e5b576
SHA1 2d65aeceb3d3522bf951296d61dc7c75ec2df29b
SHA256 fb477fd70c2d8fa9c1fa2b74a1cf09b2a2cbf15c9dba7b3c9ab5caa136913f0b
SHA512 f93c98d7c0bb92a32899d1491161e7c0e8f90761d309c8db63983a444a185b4eaad2b162f3d9a9c1ea37a3fee2cb69f0d95a867eeb68b7789c6e8837712250f8

C:\Users\Admin\AppData\Local\Temp\OAgE.exe

MD5 ef299c5866051350acd3a642d6adebc1
SHA1 a1d0b4bcd3791f2d7854d774d5a0b6ee02ebf98b
SHA256 63cda969facc2bd0a597a87d65811cb4ec3173bf19667510b5e19c1b9bc4bb60
SHA512 6cf321711bc83ca81e75fe815284c9b4f845a6f5b454338ae247b15c6eac0a01ae7df376d2004ac3ce1359f1c115f3426d5d9dd49ada0f01eca9149c0f64a34c

C:\Users\Admin\AppData\Local\Temp\goom.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\SoAI.exe

MD5 345353467f4da1622c7ccfb4f944a2cf
SHA1 de8aff207e65532195720333c1e7c60d4fe315f4
SHA256 1aca3ba6695f3b4eb964ce4c13a22a79b862417e5d5a77b80ecb2a18043ef005
SHA512 40e70b8e0aa85688149f941c9549f31019e122b21ada7336371b29b8cf61b345d04016b743cdc639a3d9df009adbce24c5d2d02c331144cb8e0eabdfd81d3240

C:\Users\Admin\AppData\Local\Temp\cgkg.exe

MD5 68cba6661ae798d4fc98bc252dd9a2fc
SHA1 956022078bfdd46a7fe608d3b073a179efb00e66
SHA256 f4f1dfe7ae213ba0d793393b03f40cca972007d9f53dc573dde7a8efebec8063
SHA512 12632b0562355c42a0f582a5390ceb6b9053c8328e9e8a5f3b8d088539f3e3079ff355dc12ed2320e7af102c7a9448e958eecaa22143fd04049b369ef6e37fc6

C:\Users\Admin\AppData\Local\Temp\WQEg.exe

MD5 62e1f788cc54e751af2af00cd2f3d834
SHA1 e428556cd9bea21cd86347cb84be2bd98764ff44
SHA256 2b51c040552ae9316871c479c0fc179cbe7bc3e14ff1faac1a90e3140262188f
SHA512 b20983ec47de3cce51c2c9702e05704ff005d66896104072e71c700cec95dee2668db6f7845b38b742478fd5e7b932ace2fc397abd973129b870a3eda042840b

C:\Users\Admin\AppData\Local\Temp\ieIYYEoU.bat

MD5 be5e0b51463e837690055eabb10a9682
SHA1 aec566e7e82f56b6b01c6f96ae98d27325e38c35
SHA256 044b646b86d77115b20b3da3dd1960fc4bec26de2c1fad5eaed399872a6dc3af
SHA512 e8521ad5d2d51d813e8f5e1c02a5d9f81905d44e076efa2fa117ed5a2a6e841ce7940c5433e3b5e475f721e1364528a7c82bfcdcb0e5c86a89775d79b4bc7337

memory/3056-599-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3044-598-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3044-597-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iwAC.exe

MD5 14ec54335006f5048ea42e6b06e50323
SHA1 89dd251f86f062c5ab41613e6310adac739ca9fc
SHA256 786cf43ffb9c86e14407b0454e2e0f359cb280dd9273590c7a337d7ec9fa829e
SHA512 4c98404fd6cd2102dca1d926254d15acb73b6b9e915a10bb42d450f3c7b842276456beac68ec65a6b280d54f424fbf21b2f7874c6e954c6cc6cdb360c9afe14c

C:\Users\Admin\AppData\Local\Temp\qwAi.exe

MD5 ded0cc2a8b5e656ae83daa6cf215344a
SHA1 a350229734744b65809b55bd97f9f75522e21a24
SHA256 8ab885a3f93b86c6af68331779fe70a1584cb6f1e3e4b56b5c015d35c0c62cae
SHA512 3a114affbc5c7cfab5d58708668f5ce2d169694ff7f2258fdaf6a2dc2f7753ef34e7bc5c45d90b86cacda898db790369e0163b47b2e38822705561c9b2a8be71

memory/2832-621-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OYMa.exe

MD5 257f5a6d50c792fad2c1f9f2a9b23718
SHA1 15756ddc1f926311fed3f9d6ccf06079530cb25b
SHA256 62528d3c1cff3c6604b4d52d38b3b540c8bb20b3ad561e30f16d5b4fc7b018e1
SHA512 9c485ffee4ab8cd9807880985c75d0ff8552e842149cedf52192ec545d1dd43ecc204b0cfe425e8ae89e9d90902a539e1b99e37f26d9222194446af70ac70c4d

C:\Users\Admin\AppData\Local\Temp\MQcg.exe

MD5 467f65567e8edf4cae9d2a9517b66576
SHA1 9ff6a46a6b1c57b44a024ffce4b204628c0e9292
SHA256 882e9d71b0df396f2720f17131ba2aae8674c223cf5b9ae572b59308c3385b44
SHA512 dd5fc3f62d92be25073b454ebcb1597fb907667e8b5dc26b523e4ac80fd79cd7e0a77181d3f0124bb6d3e8668a9e4007e63baa28728d0b218e568e43b3aee75a

C:\Users\Admin\AppData\Local\Temp\KoQe.exe

MD5 603a32ae7a1916e069fc0b6a1c1217b5
SHA1 cf921e2e38572587a0b6be1963042d41088d651d
SHA256 211a2c6c422dc9b1a1f682d87e064f70fe2ff8ab582e28cfc6933570ee085bc9
SHA512 f1b0d450e8f07cb7d740f4030dc1cad19ad3381cb3c0e8b1c45edea036ab726f9ebbc0aa6681da52f1000de5264f3f02fc6e5f7d551073748c97b25d458ccfc8

C:\Users\Admin\AppData\Local\Temp\yeIsMsoI.bat

MD5 8a867766551fc539ed3c73d85d679b30
SHA1 28336b2ad0c0f0a9f841449c4fa632d0f2694b98
SHA256 f7b29ca095657f581bd4368aadebb6d4e27c975fa5b715ed13673c2599ad41b6
SHA512 0f607cd3894c8eb8bcdc40d5b5bc1d69ba5bf07ae17c3cd2df74397463ea53dad7b48399cb23a0cef641b37cea67cd75af542717d408050ba6bf578c70937743

C:\Users\Admin\AppData\Local\Temp\Kkcy.exe

MD5 d17f965168077cf113c64368c81b3c0c
SHA1 7196b80dd48ff81991c01639326073a85b8809b4
SHA256 7a62fdba21926efcba554a5085a62ab63ae5384fe43a15dd8f6478d5b7748675
SHA512 3496bab96ed77c6cb5b30f4b9cb6664e2987e294b46b83b0d2c80726de72cf72f9b0bbeb6f1d6c88ea161be4cc2330e537a88a435a7723426502232c9bb24335

memory/2940-696-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2940-697-0x0000000000260000-0x000000000028B000-memory.dmp

memory/3056-707-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qokG.exe

MD5 a96bc3c3c0f68f6f5f0ef78c53243b2d
SHA1 41dd07ae5190c6c6e3fd29517ee93955970cf7af
SHA256 a5df71892184b192f07d60b195d43e398b1493474d4bc08ca76aeffde05a2f08
SHA512 c820e1faf9622c6b3e43c093398f7d53ef58a7ec31a38e29a2a9a309fce1922d096756e5f7278b953071010dcaa821be87716b028712aa7a353c0438c61d639a

memory/2916-699-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uIoI.exe

MD5 3388257eca0aa6361583bfb8cc1165c9
SHA1 b1a5224d7dd30b15c7df852be5fc50277299988c
SHA256 bd3b5d7439728aae8fbed29fdfcdb11e76f1dc3f0c8a01a95347c38dc05e9c63
SHA512 73fa4ec0ee2c0a41dd99cb4959785069b63adce564d6ef87c8f31544d73799a174d17cbe83d62823e971d19496f45ad6303f9edc5f390c3ae2dd0072bf57f8b6

C:\Users\Admin\AppData\Local\Temp\ewkq.exe

MD5 a81fc7f877c9919677482fba4e1ff771
SHA1 f1e0a0b003040860229e2bc0a23b501be9587100
SHA256 6f3d6a70deb3bb14c1a9d09532a592accc0a26c824874aeec5650d925656d6ea
SHA512 5470044218d52cb95d957c42edd7b00b668c245884b0930e74c3b6b8cf6469162d9e6175c4c595aaeaba9574a89245a212c4e9bb2698be4d37108b2b7e668b35

C:\Users\Admin\AppData\Local\Temp\ccAIUkAI.bat

MD5 8879ed75af49d3ed92f04ecd1142bb71
SHA1 5577b428d045e5dba8c6f831a080275be9eb9a5b
SHA256 9207afd3b67912e9dae1d56dead50d837619c01c1900347d4e330b09a2c8364f
SHA512 a20e1bcb50f5b25565c593c9fdef5d040fef0055fde76314352984defb207a8a6c1b7f7618fb86fe9e2f557ed94368e7d79492de8b7ec77dc0b74b0d68189554

C:\Users\Admin\AppData\Local\Temp\cIQm.exe

MD5 b912950dea28f768ab59aeb2d0e3def4
SHA1 f4749df2aed4a255f832321ff9b112bd9e073a71
SHA256 95d4758691d2dd762e62c0f71c7e745484a35b475d15ec57b04a83185cedfdc8
SHA512 3de6e5f59985355ad980f5e9a115570790f51ae7f6effc39b05adeb6bf699b792d4ed10f850a8b108802fd258997a88d1ad72e7d1d89188c479a1ef8e3ba4fdf

memory/1612-770-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1612-769-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1044-771-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2916-780-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwUy.exe

MD5 3b81435f37acb1ab2c5ea6a56f7a9627
SHA1 fdba6f4d03007b07cd1dd7902a7857eb9b595b11
SHA256 176d25b81688e684691b208c1f54d9eb5c67792c1f43c0a20dad9eda55791fe5
SHA512 50414233e9ceba8232b2da3f4017f847542899ec9a82c12d585a81cd0d1fa764d3f243e966ec440ab41d6aa071cecfa1d4a6244242c99afab5cc9c210fb29ac5

C:\Users\Admin\AppData\Local\Temp\ucAA.exe

MD5 c586ef08657b2eb5c3623e917e93ff19
SHA1 c1c97b6a94a1cd5524505e3101fc9b250d869db2
SHA256 e9ad64bbfaa9d601c2b6ed9088de7cadf224be7976d096927762ae9f98cd1d31
SHA512 95e20a409cd808350354ce28e9269fe5d723190bdbca037bb767eba55ba3623e24525ccc8b247bc61023d4cedc637544df2189a3aa2af7e181faeb3d5e637824

C:\Users\Admin\AppData\Local\Temp\aYQm.exe

MD5 4763b5be23528e1247ebf4b46befe8c8
SHA1 84f46fb3b94b8918faa73b5cad929f2bbc2e092b
SHA256 fcaf1808d4a59ce7f75479f717d4ca730d0c0a2febcf5fe0d69c4d2f2b472b10
SHA512 c864beb5489f3b67e682b53b96e869dbdfe686f487a662b1a03cd362cd3b0195ed97d0919a47c333ec98d480daebbff990b15a5966fc48b24416bb2e30c3cbb9

C:\Users\Admin\AppData\Local\Temp\GYMQ.exe

MD5 7897f6eaea4c3b5cc7772f0e9f006262
SHA1 2b7b34bddd81ed5e6237fbca1e884d279a52aacf
SHA256 d0120157c11201b5742812d7146543eb26cb8b1745176f25f1d2ace00c53b6da
SHA512 8d357f5004dd9baa289c48b990f24bf3e1c8edc0103f065f8615d009c24ee852c07143ba272ac8965f65b9b0ec18cb749dec5d9cce88898839b4583f5c1176e1

C:\Users\Admin\AppData\Local\Temp\XmgIMUYw.bat

MD5 6b23bdc8cb9307efd461863904ac0911
SHA1 15a3e136944c550f9ddc9a23cdf8eaac3e2b89e6
SHA256 387d6b95b8ae489d49d5e2090f8b858cccae01d987a1d29d222b76287b40ac73
SHA512 00e8be1bfa21907804951798d32357f2f2580da4de32885eda0b3d919d1f0a6262d3c47c6bb41b5e9e666fe63c8773b9c304e755a5344ab2461d86633ed9ab64

memory/536-844-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1152-843-0x00000000001A0000-0x00000000001CB000-memory.dmp

memory/1152-842-0x00000000001A0000-0x00000000001CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kooE.exe

MD5 ea6863604cd920d78f3bf455b7ee6ea7
SHA1 7d5cb38b25d8503cd5a2e32c4af4d23245eb7c58
SHA256 9efcba51817f7854075f976fc2e1e4419bac20c4fd96eb9ea28fc0cbeccd7ce1
SHA512 c43304768185147600707e996e0028dde266151f91f1e28639956d7978a6f5609fbb822c5691812691e498793070c2fd3a9bfaf98b13704b0c1536f6dee5d9ce

memory/1044-866-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aoEg.exe

MD5 3a62ff3cc0d4cc0accde03a58285f143
SHA1 d19f172f0a285f25d11687f40a82cd264a4a4dcd
SHA256 aca314a18653d9314bdfb006ba226493cda78b152884450c13ee3250ac729730
SHA512 e74891ce59a1e58563c7936ce13f6e61e77f098be9b76132654588ec6c9c6afd03ca2b336c1ff5c26782708b4cff81a22313afa1f0a56888c4d07beff5ee0316

C:\Users\Admin\AppData\Local\Temp\akMo.exe

MD5 7899f1f65bbdded79f3d9b6792467e2c
SHA1 34469e6a9437e8b8fcc0e0291a722c10790a6c22
SHA256 58da4cf5558929266c89c69787ba005e95bbee8a0f954c1b25696a05b6f78efa
SHA512 3bcafc51f76c6bc6ffba97806945119f1311b61964a407670417466332b19ec9ded7f984ec392d8359859bcb8e73f387d8b1262cede69781d5e4f9c9262116e7

C:\Users\Admin\AppData\Local\Temp\ygwQ.exe

MD5 2e5ceba35dacdb96e462101cac1ed3ba
SHA1 f6cc2068d644cd2949c26a91ae0e5a1d7b387770
SHA256 fac8041c6cafac75b8e18681705d3ca3f4b0489e4491b94dd02d52b7f891b182
SHA512 dbfc720f12b289c6da8324aa46ae5abab6c28f714844e6f20a3c0fe623e2ee05af35f37e71c12d05c72c8fdcbc2f94705ddbf2193964bc1efb110b8eac064259

C:\Users\Admin\AppData\Local\Temp\qIkc.exe

MD5 23e6754467aaacea5d2d41732b17e561
SHA1 d8c96d6afcc45593e18b35a70a5c21bfe05801b5
SHA256 08f76fb369fcfa30648f68236f854a70a515bb54d55d6140c902dc4c518dcdfd
SHA512 ed1451c397b39a0d57d064c993a8f44e3a7a27e59bd6a83707f4fdfcb5a6974a5014d6333c88c6dc3e6ab78c370b748eff59093114e9692c83e48136b534cf50

C:\Users\Admin\AppData\Local\Temp\zEgEkMUs.bat

MD5 a6ae6973732ae8a689a5161693348a72
SHA1 c6984509bd7b41af060b1dccb242dd733bfb6883
SHA256 d48e7a7f9dafe91c9e95f7a91a678f970c8f358fcaf7f9903444b1cdf49dde0c
SHA512 74c5fed462ade4eada2f94bcd61b989fb883116706606cb9fb445e348e0525cee4cf0a2e970fd30532e9746c16176577def4ac9e0ea46d6fc8b65331ad7e43fe

C:\Users\Admin\AppData\Local\Temp\yYMQ.exe

MD5 119024f8a380b273d3785d1303b77254
SHA1 c0a8af3a2d429e663d03e90c236f7298156ea8c0
SHA256 47e47e1b39fb883c25013ab5ecb83e119bad8b2807448ce060a48fc13921d40f
SHA512 05f330deeffffb10b79f8a487f6784f71d656cb4f933b3eca69cc5696d0f8977094bb17d523270e93902d2390bcf5bdd262672cdad4f44d3a431531d3f7f009b

memory/2684-955-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1520-954-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1520-953-0x0000000000400000-0x000000000042B000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 55871c18e8d86e99457e2056c97d3c57
SHA1 610d10f218bb3594a4f71b4c007431e7aecab723
SHA256 cf2e97fc48fa8c0844cbf11822e8948f12254136a982dcc93670d078a120b18b
SHA512 b3ab501776731f036be3e9c86c0a9cc9807408f03d96f4048021ca4b51be2161f6df01e46d155cf42a704bee04b39402eac1418eed37ff08107b443f2073039c

memory/536-977-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GcQy.exe

MD5 6458c0842c72a412e23fb38907596149
SHA1 a7e82101f85f1450da5f48a64692592bb6568eec
SHA256 6bd2823444bfe8b7ad000e44b452f7b331ef523104ef3a7d168b4c5454598f33
SHA512 1047a14861adc4e901934c5b8326e791d7c9a26423763c32e4c6b42c5ce313c771a9c005e95e13dfc6d4884ab4c7070f5db38d5ced620830411173ce5ac3aab8

C:\Users\Admin\AppData\Local\Temp\QwQM.exe

MD5 cb0dff9a572f8fd3e609eca368534b48
SHA1 6d912637c5dda73a15e9c20c97c1c911508fb71c
SHA256 05b695af9174dc3beb6460901711e1a24a0e3c91b3aa30fb4917ec522b04ed61
SHA512 8ac72dde7bcbf5913068bbb8517af9e0e4f78d6246c7e4f6a503f72bc79fdb5918f00619e8fdeca16eebf8e4d0dba83f6349730b7f01ec7856a9844e3ff13931

C:\Users\Admin\AppData\Local\Temp\DEkYoMQg.bat

MD5 bd819b604fc127f076408bf6e88b2c7d
SHA1 f7c981cee3a356c1cc6fcfca416447f6addd6c87
SHA256 2429641063c712f0e3ee5d626a8d1bcde7d76bb150404f605be33bc17fbf9754
SHA512 0765b9a222ce7b527894a0565572f1a8017b9d2b589c6c0d55765493026e84d1ef361a126374d9f07f185ac31731d26126c073ede5c434d19831dfd85ef06596

C:\Users\Admin\AppData\Local\Temp\eMcg.exe

MD5 167032253f740ddd1654ac019d8fe08e
SHA1 5e23e2e1cfab83729dfdd592410c3b687d36d891
SHA256 665306988ff6ebae3d827e514749b125757ddd9326b987193286cf6e730996da
SHA512 c1d90799f6da5e1493ed4bad6500aa88f9a7fedb6c3a24c2f06f5b5a0789c623e1b229b068a2ae9cad737691307e6806b852cf5251e246b94ca0e0cbd5557707

memory/332-1028-0x0000000000400000-0x000000000042B000-memory.dmp

memory/852-1027-0x00000000001F0000-0x000000000021B000-memory.dmp

memory/852-1026-0x00000000001F0000-0x000000000021B000-memory.dmp

memory/2684-1037-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AwsI.exe

MD5 f4b6b7c361d59cfdc8fd6d090ee41450
SHA1 f79e1e3b63fecb5f755edb1ae5a67b48717aa058
SHA256 d43ed1701892bb7c87300460dbf00ebada8eee3eaf671489449a71f98478c1d1
SHA512 7b19407a33147ceae9125885a4a33a3e530691346b016b62de62d47d128ec3bb2d69ea4f2830beba79a3240855d6809dec2c7a978bf418611a311a362a1c6513

C:\Users\Admin\AppData\Local\Temp\GkcS.exe

MD5 f91b6cff8a4a6538fa890d102ff75d3d
SHA1 f4ed806cfb9eef36978b1c60b949179af839e9e2
SHA256 c6c7bc45d545c4c39b9cc194e230466e5e8ec4976f283259a0ab2fab278d2360
SHA512 35e5c749c075ba1326f7fe27147d5c584f2c31beebdf977744acc29e0b8f32d366fd47ca5a6348cd7e8fed30edf181fc882f6adb7778e0bdbdec386581479911

C:\Users\Admin\AppData\Local\Temp\ekwW.exe

MD5 6a2bb1f53442e46838f9d7470e76e1c5
SHA1 b7caebb44ccca5f62ddb6a140f4bad867f2596cb
SHA256 301f2f50e61ed895e7937f9d12b02159a9ac027a877d8bc9598d3cee1a0c77c3
SHA512 1f72ad52618cf661fa4efd0845c3f760037acf1c43b3121d5e7c124784ae06c630e578c96593acf5302842e9aadf1dd0a8b5d7e36d9cdfaa186683bea5cd2543

C:\Users\Admin\AppData\Local\Temp\uQMw.exe

MD5 5ad1985d62a14606e651c3853c53531d
SHA1 d6532c077a1a6fae80dd221be2b965e2d13c381a
SHA256 81cf57924668d709d05d642674b8603370da00ae740c76f4988943ff50f45407
SHA512 1b05e488a0caa12af52411366768cbfce7b384986998da182fc0c32680413c6a852577465ac5b343fd2730123dfae9adda308742c9e5f4ab25ac5c46f1f9c387

C:\Users\Admin\AppData\Local\Temp\GQUo.exe

MD5 d10c589d7890cba9d2ccaff2e4db8f56
SHA1 3e49d4a6832475ba03c309406a4a5a82b13bf059
SHA256 9ae09669baaa175dd10abfe96934efb51ee2bec962d2909765d47114bbd61baa
SHA512 0fbdcee224c36738b603d769bab15c576d6d8188b376a4e3839faaf06154b7ea7b2aece0be8e2b1b425fd68fbf1c1abea1b82604552b425afc07dba4cfd4daff

C:\Users\Admin\AppData\Local\Temp\WIki.exe

MD5 b1537c4dac934955430ab87f4b30bb02
SHA1 7bcdb11b725aa76797a31ecd81b6e2a07df93e47
SHA256 0f94e3e6950c890c3d5b80f34d0b4f3f8490bb658301d092c5dc8c89e6db7458
SHA512 97d69b3dd5f94e951b0bc35271a0684ea70ba867b1522bff67ad30ec1d15b0f95e82df7c76e3e11fd61eaeda44593021d8d977299d61321a9ce658b735d3f2d6

C:\Users\Admin\AppData\Local\Temp\bwcEAIEo.bat

MD5 cebfdb3312055ffa722197413ba28a95
SHA1 4c9e9d79d957ef275fec14793917ebdf001c937a
SHA256 3e14c96361bf23a4ea075d6ff068cc8f278f4cd112c6145c795ab6d16734b431
SHA512 cfd14a9666d95cfb5247542d64188e282b193f08fc500dc265bb1ae32eac2f431a0d49b1f4abdae255d99831063720f4d3c392b9ba74ba2652b9d6049ce6ef40

memory/1920-1125-0x0000000000130000-0x000000000015B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coQw.exe

MD5 85f556c15a24267100663faebc5fe285
SHA1 250c1f6ddcad7bf93467fe21c90b8c2d390226d2
SHA256 e82fd4ad8968c2934d9447ba7d70f7a20a76f14556fd5d4d1035e2f9aea1e9f3
SHA512 8c977197c8822184a8761727d9ea54ae3ebbb1b3ddbe932c4424c857a1bde61dcdb3112006a517b769bf5bd9ce0f6023dcaf2de0c23b562bd8d4c94a26a67695

memory/332-1147-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OAYc.exe

MD5 c8f429a5c42e4c02cda95ae7f8c45af8
SHA1 61e271b86cb18dc1e04af968fcf4f15b11cf6ee0
SHA256 daf5147707d51e83ea5de522ee6e60bd6805ecece17b2f279f9607e112c328dd
SHA512 3050e29bbeac76074f0a6f17c5ad2491ab2412427846304d0f22e751d6fc4244147d41e15002d4ab5bc4dd5c6edf4b119dfc8d9c82ff01073143e5ff816cd3d4

C:\Users\Admin\AppData\Local\Temp\sIsC.exe

MD5 0a54159b7a80351579c0b093580b2703
SHA1 a7f3435478f91189ef5703c813f01e63b1afc5e3
SHA256 87e6349303d0078c990893fb21659597ea85a519768c8916b44549f517a9a2e4
SHA512 f896a2395e07455a1406b5413d98e286544a770408f9c72d95bf97b1b6333be0c65b315bd46864fda909e98693f02319685ed7c223586fd61b32b74bccacd9ce

C:\Users\Admin\AppData\Local\Temp\KsQK.exe

MD5 d43dcaa3a1c44d9bccf3208da7a5f0f8
SHA1 11276cc142cdf9a53120863febf6b498024a3486
SHA256 f821cf743541ee276a5f5a6830ab5ad2355f6a6d8bdb37e0f3ac98cd6f9a8541
SHA512 1f76ae11c1707f84f08986299559355204a62f80ff8dccda4ab35daf0c34bf9ad7ef59961b8d5704cde6772029a7b266fa9c3c8150532abd0faaccecee985f8e

C:\Users\Admin\AppData\Local\Temp\iSAMQMYY.bat

MD5 1e17a93c56d72695656b81e7357625b3
SHA1 c1bb6b1809d216338174e8439e48105934de046d
SHA256 135eff6a5ad1bd000278da64bd5608793e86992a087ceecaa7f5d7aa1112a6ab
SHA512 ec4c8b15c110a4a4132a7a3133acb4b08b82067fb18bc33d231743703cdbcde7cca33b01b7337aadb69a3b1681cebb4228b6c68562fb78bed25e75d3ee9382d4

C:\Users\Admin\AppData\Local\Temp\Ekgi.exe

MD5 a1d97e01639de0ed5ca9c1066e317d70
SHA1 739a5e6b9488dc22568f583024fe53a68cef198e
SHA256 2d359a66cf324ea8ba74c81e3081c4fa28fa9e8f9dd2c4218a9d5c7fdf7f4ddf
SHA512 1be6f5c56def7a53fc6fa1f03134c56702ebdbdde67d966ab8091e8d84768e843641889633bb0401cd42c2f3b5b653d3ebd06b7afc3d9d312370766115422d1b

memory/2672-1209-0x0000000000120000-0x000000000014B000-memory.dmp

memory/2672-1210-0x0000000000120000-0x000000000014B000-memory.dmp

memory/2584-1220-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YsEw.exe

MD5 2b3a5eabe4cd671b19c249f9b559988c
SHA1 aaeb49e504b1fbea7e07d0b90ad1074a2deea68f
SHA256 b29b005df195c3843dff216bb2079a95c5631da675cd5ad1b6a8edb8dff010cd
SHA512 9f619eaf9e2f9d1eca058d303e54d2cc07ee82394624e124bbe3e5b4ba15913b287f21403d074e77778495fa4d10e5955126bee31619a6d38d79992de65e7b83

C:\Users\Admin\AppData\Local\Temp\AMEA.exe

MD5 e1de71cfe4e031b52fa5225b475e9c37
SHA1 8352d4c2d899e33dc27b4824e3a36d530ae170f0
SHA256 039b56c6978b95c92545e074e91027b814b9d3f1186bea531202c599a37bf6f6
SHA512 2f7fa870ebf9fd43b2573a38117f11e2a5d43a273948d02d826df7c386d30f58e1f1e44be981a4e994395133c26749eceb52b3410a2683f3b2ccef7516ac1efe

C:\Users\Admin\AppData\Local\Temp\cgok.exe

MD5 88f93a525584b798329e059dbb819400
SHA1 705efe6bb45bb95be58ac439bd7d99b44e057d62
SHA256 28c50d09e31429fc398c23f729a108dcc8129c05f6e9ebd7f1bb4d587bfc1af9
SHA512 fb529a37369d0cc61ff1af20e6fed9f0621299c3ab10f13db7873ed4656cb28fa1be8d3f54d919d6dc0d7ffe6f958e1fc3d78e250f2ea3b72a9220da851ab8c9

C:\Users\Admin\AppData\Local\Temp\GoQY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iMkG.exe

MD5 7caf386daa873f9a13dfa628d1f14b64
SHA1 5205feaccc832bb9f6abd351b6f007996489e85a
SHA256 3960653cee334e70cdfc1ea140bc9974aac38e2ab5f69d99b299476f9ab4fa4d
SHA512 115289c43190cab25b1919a1636c8730ec7e628c96171cb5ed0448335a6f9c0d3675429d68f28df8c1b918d88be00add712a678ee95921bd85f563bfe5f7b290

C:\Users\Admin\AppData\Local\Temp\KEsC.exe

MD5 bc912623fb93c702fac9f80f38c93201
SHA1 4ae4a154e4e244d80c26a94197a8d016701604eb
SHA256 cba70768dc6b197964e1b42f595f19ade024bf45aea13d3fa293b4a52f3e43f6
SHA512 c7d7b52c6f3ba659523a372deabcc88b24e3fde5880f4868dcf49dadfec1a38341ff114be98a00fe1aee9b44a2948b1390edbf29b3e222ffb3e1aeebb827e5e0

C:\Users\Admin\AppData\Local\Temp\CkMcEYQM.bat

MD5 850ddfef5585423ff3d5c9b798a16b35
SHA1 cab32047042031fa1f7948c73a32e6eba2ef5fb3
SHA256 ee248dabdf0a0458a72b01a16cc0bd21e13c1bcc8ff1171126ca56f0b5747d66
SHA512 df29849790aca7672b59079966e998ddfdafe1b8c35b7aa79024b093c4e323c8fd2f0dfbcc1ee7f1f1a480b86ed438329937ae7913c454a289c516cbbd329ba6

memory/1844-1294-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cccm.exe

MD5 226143fe421c247cb7c6bce0ec483730
SHA1 d8ab7220bab52e9acd9b43b0c4536f57ebbad61d
SHA256 717520abb020bb6e0af655a037324f3d60bbed48bbee9d1c15a1aaddceb12e90
SHA512 10ffb162dc7d87b68b944a4f0c2bf3c62030fd7ccd4d281f3989a4008223f4e676324e4e667cf76d1045c9b724df183ef5d302f69a3d10bedc1f837fbb8373f1

memory/2892-1329-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eMMG.exe

MD5 5dab57df5ad77da23ab43b3c73114d8c
SHA1 811a1044074deddfb22bd2a67f47695ec7d4064c
SHA256 02fb36e45d23ada72eb43a64a835cf9c566971715d62ae67568b3f67722004bf
SHA512 da1deaa88f690d12cdd3f80cfae2a4c968e38ee998213afa07c6a89b3f948380f189b6a9159c34a09af305a5e555cd842719087b80c3bd025d2f10a95895dfb2

C:\Users\Admin\AppData\Local\Temp\Iocs.exe

MD5 4537af5249ddd7b84eb4a2b538652790
SHA1 4dbacda26a57e987c147efd0486d711a3bc515a6
SHA256 606e53299da0dcf00d534b4d4ffbf7b854c54574a3df3ddd2fc9027400f6304d
SHA512 3e6abd8799cd5b3f0afabe167d6d9b3dc92371aca93cdd3b1b09b1a973763ecf9960d30dbb93ba1aabf9ad3c5099b8463e6b02735b2001d684870c5313cf42f3

C:\Users\Admin\AppData\Local\Temp\UcswgYwo.bat

MD5 36f63ad0c7e85aa1b9622a3fd683fff1
SHA1 04e6e72d457717366522a2b018057724dcb0ebd3
SHA256 a5064d4d25e4e752d76483a8de72e9268e15904313a7558577da60fd6a5bbebb
SHA512 954bd9a334003f86de46e520c0d9e4a0b63afda9e2be595b59b284474889318c60be5300a6966561dd82f622701709bc602ba03422c1baf92113e958e82d3e0a

C:\Users\Admin\AppData\Roaming\HideReset.rar.exe

MD5 d41e9ee841a61335fc4b8d94210a546e
SHA1 a86a7f600d22fd55870e1b3f81820d4726590707
SHA256 aff6622142e492155d94b511244eeea476326889ed287b2230bd087dda62f94e
SHA512 d5804febcba7d2e9a5935b530ce44dd3dec0331b63372845b8c0470fc908f1358151d4b1bb9829bfe3d53cd7681bb8b1b2c83e72973b521b661dffd4aac7d9de

memory/2464-1365-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KYUw.exe

MD5 ea81312d611b2a4cce6b587fbcccf5bf
SHA1 1a7973cc8c274462e1a50b1ed1a295b3a1849667
SHA256 38615b12735908f23b40c441fe68ee5c5fe064f4c8f2035752a5d57230c13807
SHA512 cfd0b48002e7ebaa2713ae26bb9643ff37d9291e53c49435534bdb53ff8b156d2ca5fc9d36e9556f8b0ed62d51e3f260095a183f223fe43fcdeb5670892d54cf

C:\Users\Admin\AppData\Local\Temp\goUa.exe

MD5 458742510ee4ff3e213f97e64a2a46c8
SHA1 e5e6c4eb8cae2798e2d3c9e9cf0691aa57f2b222
SHA256 92d3f7eff3c780ae3eaa7ae45a0129d04a8b525d805026fc8d9099c591252ac3
SHA512 78b1e6368b36e3cf4f9260b5683369723f87008b2bc06591ea265755d598cea9a647734702cf817f0d8f1aef671d14c2da22e562b1098edcf07b1f156605722f

C:\Users\Admin\AppData\Local\Temp\AAos.exe

MD5 afd9e0c7dc9c036f3f3e4fafd6930988
SHA1 c17db2c8322bbd71d2ed697793ee2658aa6bb3e1
SHA256 148fabeecde4b0f8f45b08c37a062be20aaec275279f9effbae9eeddd0b728e8
SHA512 28fc8097da7fa631ad2161ada1dfc452e6dca32232adb2746b30fcef6a486384a3d1fa72d86d8623a210ca9e20770482b243ed3362716131e825edf48b6817e5

C:\Users\Admin\AppData\Local\Temp\yIAG.exe

MD5 b91ce6ed351e93f8f343b113939b7662
SHA1 5ad18d7c6e25b8ef411fe82ddd8eb8c7e95a492a
SHA256 889a37895d0146f4e66fa58eacd6163e0272e905012a3c2894cf0a614eeb4c9f
SHA512 3f4ae78118e3d7947e4e758d14969cbf45f039d454336c2a04e3a4b6718005f2dfe6a757cf2930928eca5b41c4e9005f73fb19b85fb0ee5d02c3920718ce6e7e

C:\Users\Admin\AppData\Local\Temp\ewoi.exe

MD5 0374dbbf8ee60d262a34c1bd00c6c502
SHA1 c7ee35a3076dbcd7c6d9bb3e8643582eb469a41a
SHA256 a230540c8bf0ba2b9fc3c0b7eb7180a60ee7439b2ec911ef5fbf530821c288ea
SHA512 7b9fa03d4cb0372fc5dedfa36170767f2e192543a7b15087694cbbab7b437768c04411c29ae3456e4f17c82b80bd540c01434cdb8d59f42dd6789d89d3d1814c

C:\Users\Admin\AppData\Local\Temp\GaskMUsg.bat

MD5 41905373ce0ffc2b30e2b5615fa147d3
SHA1 a2b36212175bf97113aa9f938ffdf494b3a8bd1e
SHA256 8b50d6d93181f66e0bc6795cd687d8e1de18fece836ab55b6417b79ca6d5691e
SHA512 0d706f2a2fd30cc0bea498a8b47178b47f78617094a694ccf1159a981626e42b2c769be2bf4bd0a12b8f6f35adb46e73dea63c9cfd37d9166f891c11d14c77c7

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 16:42

Reported

2024-10-20 16:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (89) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZIQEgwsg.exe = "C:\\ProgramData\\OqQoMYIE\\ZIQEgwsg.exe" C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RMwAUEgU.exe = "C:\\Users\\Admin\\iYsIoIMM\\RMwAUEgU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AaAAcwYY.exe = "C:\\ProgramData\\BMgMUkcQ\\AaAAcwYY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYogwQAQ.exe = "C:\\Users\\Admin\\MYsosMME\\OYogwQAQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZIQEgwsg.exe = "C:\\ProgramData\\OqQoMYIE\\ZIQEgwsg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYogwQAQ.exe = "C:\\Users\\Admin\\MYsosMME\\OYogwQAQ.exe" C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A
N/A N/A C:\Users\Admin\MYsosMME\OYogwQAQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\MYsosMME\OYogwQAQ.exe
PID 1932 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\MYsosMME\OYogwQAQ.exe
PID 1932 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\MYsosMME\OYogwQAQ.exe
PID 1932 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe
PID 1932 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe
PID 1932 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe
PID 1932 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4360 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4360 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1932 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3460 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3460 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2452 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4264 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4264 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2452 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2676 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4872 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 1536 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 1536 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4872 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

C:\Users\Admin\MYsosMME\OYogwQAQ.exe

"C:\Users\Admin\MYsosMME\OYogwQAQ.exe"

C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe

"C:\ProgramData\OqQoMYIE\ZIQEgwsg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OisgsgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWoIkUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoEQkUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOwAcsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWEQssYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEkQYUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iigMgQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEEooQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYUcsIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCEUooMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcUUMwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGkEUEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGAEcMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmskUkkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaQAQgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSQYUMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkwIEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCQgcooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAMYgUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwoIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASYgAsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waYswgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcckgkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyIIkkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYckscwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEYcIEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUoEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYkYsMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coUwokUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKkogock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWYsMQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQkMcQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuwoYIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LecgkMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOEAAwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUkMowIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWkkIMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgwooEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqsMAsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiQgssUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nesQgYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twIIgccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIEwkIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuosswUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaIkwAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeEkkYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkQUsAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgEkogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqAMIcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeIIscck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeAkoUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iugcwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYMkIMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIssksgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\negAgkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAQAwMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCwckkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCgoYkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGsccwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuEUIkAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMooYkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsEwkMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCcAswEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwMAUsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSoUkwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SggsQAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsUIowsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWsIQckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqcIUgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByAEUEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCcAkAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKsYksoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoEkYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUoAkoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIcEQwko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiYgIQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAUUMgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KskYkYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcgcIUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psoMskUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\iYsIoIMM\RMwAUEgU.exe

"C:\Users\Admin\iYsIoIMM\RMwAUEgU.exe"

C:\ProgramData\BMgMUkcQ\AaAAcwYY.exe

"C:\ProgramData\BMgMUkcQ\AaAAcwYY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 8 -ip 8

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCcogEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoYAMUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAQUgYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCEMkYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIswooAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOgwIgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgYooYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uycwMkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKkYIYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWIwAcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsEYIMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAAskcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roooUQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqUAooos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byUoEEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEQQMUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoYIkUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkUUMUwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaAIYUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nykssAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwkYksMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsYcQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network


Files

SHA256 48f119b5620c69ce0e0eb87874991e19a0a8e5579567d985c18056dfb8ed33c0
SHA512 a0e3bea63465fc39d3a9696cb67ecdaa842470e51648c15b69ff0a9f3c97e366adb4fb6b92ad5a8f66176ff3909894fa2221c9a79cbfafa55d13bb00c6e590d7

C:\Users\Admin\AppData\Local\Temp\ekYQ.exe

MD5 6991355f2973c8d9ca68e5e8157c6465
SHA1 4ca688fc2921c8aecbd63c7dae7470afccdc87cd
SHA256 5cda25315dc5052c3d50c52d5f34c8310228c5fdf8f800f1cf2110e9d2a62430
SHA512 9a36918fead4bf733ff78c5f04eb4b198619cf3daa03f2207a9d3b6801b1c480e977c4d7d0b7facd018c4f0f8d3978118f2cf3683817eca158db94ad2ffb1c86

memory/4420-1530-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QEkA.exe

MD5 d781d60ba530ded83964b26772e6e99c
SHA1 91cd07a81788d88408c014659e411f2317546b84
SHA256 a2b0ae29d12fe52a507edb0b21a81e8e6ba7861f64bbdb055dbc1a1c9296a745
SHA512 de794cd25bad2d180d2bd1f00321a1404c5def04f2ac0f286da2bc800524f227e1e6a56db0eecbdf8e5a78f0f8559267ad6e62bcdcc139323b5f63ddc996ad45

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 81c18de3da270af4f7bafbcec8976ac7
SHA1 475d1a14449d0991a91fa893c9c29b6d9210a7d0
SHA256 b6971d73e0a1fd98c229f1a32beade920166dd8e264a97fa0084b192c4cf88ca
SHA512 9178565e38a4f8275e00a304570972f7ca8d1dd23415a32214041f3a4dbeb13b7440a80e0cf8926ef1e78693d38a2d3d43ef0d9f5db1f4fbe59ad0875e64cf26

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 4280aa1390436948181db1407f0cab91
SHA1 8a459f861e7f014f509665ac742b48a03f4c873c
SHA256 2aee16484fab104025fc6598bb6841fc04b872c3bedc97d1269b16b0200db688
SHA512 7c7bc2a4c86dcf36d32a9da64838c41cd532cf8222f69b7c10cf7df4948dbf2901da3a0bd21bbfa843972d2c610e6e9c90efcb5871d936ac70d664452e47e2c4

C:\Users\Admin\AppData\Local\Temp\QUIQ.exe

MD5 c6d3ad1719ee04e0e6c76fe3a6fbf7aa
SHA1 1b6316f16712739e944a7593e8e2f2fb194895b1
SHA256 26dc0f55af5a9a1dbbedcab7edd1bb453e2373c13882fea0539290114ae9afd6
SHA512 8a025e3b1ec8974b5e1c52143d9ea36dbfebb0bbe1e41ccd3a96f90e01a7e2586f201e3a7b4a36133201c1203c0511e53a578d571b07793d39778c936fdbb399

memory/2372-1580-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IwIC.exe

MD5 b8f30a4d155bcd110b47f83f64a0304b
SHA1 2f03bf4de3c02bd5fe077eb764885f8fba6b2c9d
SHA256 6b5a685e31ec5f86070738f2ed0cb0ad5df44591ddce81f55dcfdd1368b12c72
SHA512 a25455b08a893f2d9fecc06d522383dbc171cc1ea08c7a485cc30802213e1e1abb44e1851434b3a1acdebebf4604eb630ad6586a70e787917b31f10a0e4bdfa9

C:\Users\Admin\AppData\Local\Temp\UwAE.exe

MD5 bb52cb616d160e72e12bbb5b28177c64
SHA1 9452aa6f38922317655e3df7bc4aa0c9a13ee27d
SHA256 46fa28151da309520758032a02d847a939d2114c55012a3bd5b8b90dcf405f98
SHA512 8063dfec70a90b8a760936d569051a5275a003ffbdae45199851bfc5f2d49abf38320526d99c9af247bf43e65a383efbfb61db08a898cc1726146c546c2040c0

C:\Users\Admin\AppData\Local\Temp\OIYY.exe

MD5 8cdef3b1bdc6da8dead7621bc65dac81
SHA1 4c69c1fb8a222c5ab21647ca08ce2993ce1a4ea7
SHA256 baa9a31ec93f41f00c5e0c629412d90857be331c8fbb017201dd2c482083eadf
SHA512 fca538ba4a3ea4d7ce8af956df1fd797d340c79e6fae85bb3c57812b898b1776090664fe3e8de418ee34fb134eb0744ad349ee0dbc993ccd60b113ce8c7c61db

C:\Users\Admin\AppData\Local\Temp\CEkO.exe

MD5 8029e544ac7a0dd6d6285a7964e4a3d5
SHA1 2a3f98cc3a880755318e8c452afe9ad7b2e56880
SHA256 751188daba454ecd50e01fdc693dd510aac21f6fdfb5900b661c0e6c7584dc9c
SHA512 3fb66c0bfb0b504b5c9cd08ec957d370614e68584c4637f69b2929ad95216d2cc5f9da6738bc25aa5a23402eb7ff1a3d5e189448e9d87f8d8740de160ea5bf09

C:\Users\Admin\AppData\Local\Temp\WMQW.exe

MD5 ece78c75abcdced986295ec1ee87b8dd
SHA1 a89c4ea0512661c029492a35a2db66ae7040b9ac
SHA256 e02c2668322f7aca46505625143ef4b9feb78c02b599e892cc6c67489e7c1f1c
SHA512 e717b3004342aa02b63ab812f9113a729761419e9af7d2261311501a345cd8d215387c235822ee2661b89fa4072d70c54cfc0105d3c3ef55b307290d6abd7fa7

memory/1276-1659-0x0000000000400000-0x000000000042B000-memory.dmp

memory/860-1658-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CkUy.exe

MD5 7cf4e9b89344f482d11b718836548593
SHA1 0acb04ed1051763e6998dee2f0fc0279265debcc
SHA256 e823bf19d0ce66b382e40cb876e83773af210865011440f6e1953f39850d5d1f
SHA512 c00394168c674bb155e57e818660d869026a75e323123fec48dcf2f195857ffb2ebf5088f3676775a10f6d7016fc7cf766a16a768074b234d30136b6243c930f

C:\Users\Admin\AppData\Local\Temp\iogU.exe

MD5 8ac9c59531c271405b00319a4dcd53af
SHA1 a3f8ffe1958dfdb23259b40e705456aa1aa3b7a2
SHA256 9ff6415bca86a4c131ab962c20cd9252ef70124ebf54b1c46013dfdd218b16fd
SHA512 b649db34e52041d7b1858ce27ec8e026260d8c284ea65fafd79b982d0bbec9df7aa14cf23d1679c0ad2b41881daac98f57159953556d63395b7e8ccfebcdab3c

C:\Users\Admin\AppData\Local\Temp\kMsM.exe

MD5 e857d10b44fe1e89d1f4fd5b4dd89046
SHA1 3b38671dfb72e90e31afc2da8b283e260aba2397
SHA256 da38ede156e155bfbbad7436409584441ddfffca522d9f2c62cfefb1bb214f29
SHA512 670e0effe496f9ca8590e794fec2ac51a8df4a7ba09971523949207a7d16440df921f01362dbce63415faa8097a83dcd290aaa5e2d75929d6aeb567451bb510e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 fbd63cce774efa8ff19674feb3711159
SHA1 1d5ae4102bad6c9604b07b0b39707ef6ce92b553
SHA256 38ae76adafa2e697e7b7454832572d5aa80bcd009d5afaabd2b21129fe7fb73b
SHA512 d9c2aee201ff2d35e6e051fe83771ec23a35003d0eba559db3f7945d1957460894ab724a6c8793105bdbce799813c3e94b8dacedeb4fa1d652317d50aa9fcb7e

memory/1276-1723-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IYcE.exe

MD5 e3516d0dddcc0d5fe74620a31689f3a5
SHA1 98ff44761dce544773317f2d6ba52c5aac51aa63
SHA256 5b0272865c115d64e22e8021fad7bea25a491664ba24c52a634922d6e9b5b839
SHA512 64d4a974656db9f2029553a9bb3c08bc2227a09049b3d290463ba7d3aea3448aaee69788d0546537abb1ce7a5e219b804be7d23bd03489105c8f1e37240397c6

C:\Users\Admin\AppData\Local\Temp\Socy.exe

MD5 7b310ab59f4ed97a38d8e5e2c33062e1
SHA1 3a45749893afb4a23dd1750a227516a269e1152b
SHA256 9b99cfd60a38dec9563090452f9a4dd8390f6104160c0a8d73d39076ba91b046
SHA512 72ed25916783d4586f2c07ed9f95d382d42d76285965e87f2410963c244aae52b108c626ea6283739bfab9dedfd1bc2fccafc7b9d33eb142eaf47040dc165740

C:\Users\Admin\AppData\Local\Temp\CkQy.exe

MD5 420a65f21351dca3a1701c305195a072
SHA1 e98c7f8045b0a1894e5bd3c02989dbb4f7e55552
SHA256 8a76366ae749ce002080f6b449fb41582ac3d6eb0748f681e6c821e0c989d96a
SHA512 5fb393926f3c9610cef3a7e52cf9e1549e439daa30ffb909389de845bf567e8c77419144bd543144848cac16efd762679fd19f7edbe30cc3fc433b09fc0580e3

memory/2372-1773-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2460-1788-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qcou.exe

MD5 5c18d4d5bda1ccec78c1963be2b76ddb
SHA1 9874fded69c76bc2aefeca83b91b6f9b86c5862b
SHA256 9f57e57bbf057799a446e56da3730239e858395b9bf45af5b635476d5cae9b7a
SHA512 b4ebd55073fb71a8fb14ff9c94f7fa84a32c21922e65aed9892ebdce13bebedd073ac5478395ab6a1f6948b2e4b3e9fe926e18ddc38e989a03f80f24582f1694

C:\Users\Admin\AppData\Local\Temp\wEMu.exe

MD5 2c0847eda164823c2aee07d7829b9e11
SHA1 0f2c2522b6c49374145762ba406d4706cb6c5dd7
SHA256 f39f974ef663a571c509cb29a53751eea995584227e8a080171e571e4f00346b
SHA512 c9d0a24fdf95d7c93fe9b8ef0b3e0180ed2de936c2fc1f91b8cb2ce89b2de5e77f375d99141c1873b842398619eb4e3afea8350f8ba5881dbf71d5da93176481

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 911085ed8bd2041d2d9479c97d6a6d91
SHA1 4bad6995e315750ba498510a7eda29812543e6e5
SHA256 5756534a0da53b9f5daa4740eeae136b87e7b58824e355987039ae8a2edb8046
SHA512 c8ca20c67944b48ba512141de192ffc3c6c858db9739738f1250f32f6b85f6fd377d3b052e2d3dbdd53a0d30f80d91d4f3092b800403c3eb654ffc453ff738cd

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 963de68ab93ddf934647431befe3e248
SHA1 e2b3faf3359eca42a78e2ac22c4c4716eb8bec68
SHA256 ea5c3dc653217375d28ca79c76fb17ca0ca0299e9b427d80200904e4c8eeaf7b
SHA512 b76c33962934de1aa735b5ebfa2713358721a858cdfcba6268f5770009ed7e651f164b0a825b30e839d22143aefcffbe60a7592d815fed78f0fa88c9f8928b0e

C:\Users\Admin\AppData\Local\Temp\KcMY.exe

MD5 4e77a415b71bfe516815bb496fc8088e
SHA1 3b7fc6c61af0691557e75ae3d394977f27e05592
SHA256 f59e145ceb4ee361866a0aa644d00176a8688aad9ee6208f9641a6388f0c6ae2
SHA512 ebd6ce71ac443479156c6208ecd73bd0c8deaab9024718336d4f940bbc47b26a1be1a8694cd3d1c7e83d105ed915dfca6e103109ecc61a81c35d9323e3f63469

memory/2460-1852-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SscQ.exe

MD5 29da32f595b3774f0910fd164eb6a092
SHA1 171bb68736221488c43407f674fec9151524f296
SHA256 36340502f857b9bc03682377b8965d95459798494177e3f4db6dab2ba181bf0e
SHA512 0845427e5960304da1cc3c9ba68d39882501766aa959f7b3c51dd910c9f486c57d068f5b2e3e10a7b6707dc6ab7143e44879310414709b5c27de382c24bc133e

C:\Users\Admin\AppData\Local\Temp\wMsm.exe

MD5 e8f38ca8345bef86cfee76ff2841e00a
SHA1 a5bdaeecf0dd6aef7b6a046870c489e7ee849f47
SHA256 8efd5242fdf8f5c7dc70c23a6e27131dd74ce2cab7bc2f9ef261748909c1ba1e
SHA512 b148158fe34e73ae4060ac5338befc95209fea6377edd633cce3a602c882579f531ba49dece370d42f51cb9ded267faf7748ce06bce95d8a955aa01042552fab

memory/5008-1897-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KAog.exe

MD5 872eff0dfc184e871b448c4c5f6ef83e
SHA1 45cd941db5df1dce662f5c93276d95ccae35a636
SHA256 a97f60826e1314d3e39dff885c5818e066bdd793f10dea6f9c0b63ea55c8b443
SHA512 d7d11748b3c78b824b88c7cad743c9c7cc03806c8ecc99963ebeb84adf01da2a633c856bf67becf7c61b660f49660d8102c33c429f415f1b63d630e1847a2cc9

memory/3644-1903-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkUk.exe

MD5 cec5e7c8a99c43b65e9ca0989f0ebd7a
SHA1 8163ac8545e1922df335b8aaa1a86974fcff4855
SHA256 813c3a69a9edd814a3484f7140b9c9c71fd057d8b68c8b42856b32285c5da775
SHA512 e488eaa99ed3d1afbacfeeeb8550648a58b5e5aa1f50aff38faed42e7cedbcb66f80e4d7d2173f53771f18765d889335764fdaa8d98b8703022cb9653fdcfaf9

C:\Users\Admin\AppData\Local\Temp\WgoO.exe

MD5 107aea234504e17a099fc4792588af61
SHA1 035bb933d4c63c69c151404f635df3ede6c28abc
SHA256 282c9788dda97ef131626a71c216e79c7e579abb2b8dccdde76a5dbd6d89d54e
SHA512 36084e0f0b821969687ca721ed4fea16c9d2026520a8e09c50d6d8aa3e046b4d7ed0a28d223eae4a548eb8d5d73587d2541db9e72c16054a22a281d82c9285df

memory/3644-1953-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUIm.exe

MD5 34a6b8ce582ad96dafd7019792496050
SHA1 58a075e4b10655f8338728aa9068de4e94a0ef34
SHA256 f24049293549cc24adf53f267ace1b381e6aaf17a839ee48e02fa2512f9072e1
SHA512 3a34e79c9fb3abd5238cbc06315df93780ab1fdc77fea4b92b9ad11573ce26f2086a5a10bfd422fa14e839d5ffff9c9f3ed5e2b2c5e7a549296ed9f1a4ed0ca2

C:\Users\Admin\AppData\Local\Temp\OQQY.exe

MD5 e92c4f9d8d21f46de6741aa5a6d29104
SHA1 7b3192792cae09a3c7c47c687e0e62b4f28a2ab9
SHA256 c4f594519530aefd47ed005d7e07e52fd554afd81435902d049ed5e53c9409a5
SHA512 a4a02c38afd6fd2d563eaa4fded4421f216d2867d3dc7b321f7349143a785c9e5c578e22f6d99d4bf689f2f208e1c0ee0f9e3a7303e8a59cab5317636ab2ac4f

C:\Users\Admin\AppData\Local\Temp\KIoC.exe

MD5 bc83166e1d2ff0e018b57dfcd2bbc083
SHA1 1803d53a602a5be8c6732c13ee2e37c65e85dd00
SHA256 586f8e425331b3964aeb7f685304e8f8ac9091d46ca4f0b6c5024eb55a583d2b
SHA512 78621d016dec1d672596df9cd7ec6fcd3ac2befd3e84f924706cbcb2a579743fe8ef04bb63b6f5d8b2369d3b0b180d745251d18b5c73194d77ad648980ccc62a

memory/1204-1989-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkYY.ico

MD5 7c132d99dba688b1140f4fc32383b6f4
SHA1 10e032edd1fdaf75133584bd874ab94f9e3708f4
SHA256 991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191
SHA512 4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

C:\Users\Admin\AppData\Local\Temp\MQUI.exe

MD5 7ff5ca8a866786f2c4f2bda8d88eb8c2
SHA1 f1e04f40311208e8860e4f681643e9b06d3284d6
SHA256 90f6d15e42972b55597b7671543b4262a4dffba2c0790119f7c1bee3cb17ecc2
SHA512 d02bf34db72ceb7fffb0ab5fab813526c42e7a089b7a3950ead6ea81b62603287c66b33390925eb014b54871dc143b409f21f4c3dd06155031d9963c9ff786ea

memory/4608-2004-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kMAM.exe

MD5 8386aa3b7b5beccd4e6e7eaa407bee23
SHA1 f12d5691c398de6a8906400aeb33b0ac953c2032
SHA256 a6b9708e574ed5952fa8480ed680bba1eb9d2d8f490339f399d4914317b22cbe
SHA512 934607267bcf560fc6b8d3f81670b78be3da254949d7f85eb3915ec15217688e7d8f8df8541696f78286801f488c620e1556bdcb5d56732e7d44deb5ab78ad5e

C:\Users\Admin\AppData\Local\Temp\iUgy.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\asYQ.exe

MD5 34d5ef1eecedb9fa689f140789a9c8c6
SHA1 f8fba23d9402d5cb77d25e49c06d3f4b3403da06
SHA256 afd1b23c8bb41c4134711df31448ce7a2c1ab01f0c47914b9b68206af97ca26a
SHA512 36ba74ca7e1539feb241c6c2a372b93e26c6308713d4ac2d5eb0e9d4b59eddcf99ff1eaea98b4b15b5f4c9691f9eeaf9bbeb2c4630232c291138870e16f8fcab

C:\Users\Admin\AppData\Local\Temp\OIcW.exe

MD5 906c553a253172e7798b8bd18c5cd02f
SHA1 e7fdbbf626196ed3227d90f6f4eb4befddd95336
SHA256 3d79683504485c0df852556ae09a4e5277974ada57b9b2fcf5f46af6a779deab
SHA512 dfcf336da0036589dbd6c6a698d29a1af855ffd89d803340c346d2deff9e1a49cc4983f367a5694a88a75db7cc55febf1159eefb6520ee89806930f6a4b481f6

C:\Users\Admin\AppData\Local\Temp\WwIW.exe

MD5 582c6c8a5efce334ff05cd684d2e96ad
SHA1 2291502ae70b6be5a23125b71bbbee5f95c5414b
SHA256 32484fb3584ca78b75c4ec5d17884bd334794f0fc9fd6c4149b82a1ca55cff6a
SHA512 46b31586d2b192096824193cfd9067b6b21e4c28aecc5ea3d0d9b59a9b26f4d593983578a82ede4da36e1ce4c34565ed9419e28898530e1893206a9b3c2c21e1

C:\Users\Admin\Music\OptimizeUnprotect.bmp.exe

MD5 3c3ffe2ca6ffb713f8ae1e108fac7b1e
SHA1 e4e7b62924f6cd52ba61e15e7e2de78de5dc54c7
SHA256 57f45b8467da775258f8beae34470703c47fcf7322f9ddc4ac43e4d09bdf4826
SHA512 ab1e76ff29a5473c08ea9ac2f71749af0d5a9977fd87f979e4a5d71f178e91fc69f03966a527487d89af7a24245f350e3c233731e19d3bcd4ff4dc75e6bcf963

C:\Users\Admin\AppData\Local\Temp\UosW.exe

MD5 e58104ad0035fb11214f21ba11b6578b
SHA1 1198ea30f01a4866f1eb579f71ca6f3b0f121d5b
SHA256 cf24a049c550807c8abfc652b46473316e055749c83cc349c0a543140a1becdb
SHA512 50b262fc58a34118865bb35c87d9bb157154b9243f4369fed7e63fa97a271d9672d0ba7520d1d77015d520a38006217d13c1cf1ae4af1a8216d2c40778f6d4f4

C:\Users\Admin\AppData\Local\Temp\EcMC.exe

MD5 8ca6c4696d30144741837532ba46eb82
SHA1 6b7b720393f5b7dad0c2ac732f4cc5b0d4f8e6af
SHA256 0216a92843edb1970193f8966fc852aab14e4da72a63c4008280bec9a6b004bc
SHA512 e1a2f6e2f6b773ea55b90274da92f3ef3dba46c31528fda07d3c13b3642dfca77e9531f558a089b422226f89cdb392e653687b3260b14689d8c1691ff10654d7

C:\Users\Admin\AppData\Local\Temp\GMII.exe

MD5 d7f27e038d85150828168dcddf0de3d4
SHA1 ad2e7078aa1ae69980ea1fbdb5e5333b7a8595c5
SHA256 9503d08730d8cbed663b1be2e9a048369b9fde9bcdac1342836e2a4c75bc8de8
SHA512 2145da2cf9e59c51d0c3ffa0ec927e12a12d78f1499d9e48b0120e48de0f0ce551478aa37c810f305b8960d6d8e8ba79adaca50393760d7dab4a01e06d445b84

C:\Users\Admin\AppData\Local\Temp\yYMI.exe

MD5 120633f4e11c3456b4f7b297984640c4
SHA1 4cd3302a25b42674beea5051fad8a7d244594956
SHA256 d326e3d69ff1afd385d127bfc26b7565c89de304e984d97ebefa7e012a417e12
SHA512 beb5fde7acab8bf6d9452dd299923652fe4bc3e47501709af58bb3d2ace93f9e00d25b8b38a5c073f03f71a82d32e4022c5628c52669bc0f9eac0222c4c507b9

C:\Users\Admin\AppData\Local\Temp\cAIu.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\QUom.exe

MD5 c6e3cd1f01809c3bc7415291a3e3fb99
SHA1 46b16a706e74753f58cfe4adfafb32eed7746484
SHA256 d22efd60bfe7f2d4192fc14609ee5eab0a2a70e8e38dd577ef9101c246240629
SHA512 2467a3d6c70d6f297923f49782820b2d6480483402e74ffdf06f68b2ffb71324607b60f04f83c5776694ae4d883ee58e34b2001ea29189d9e76a1b877ce2aee5

C:\Users\Admin\AppData\Local\Temp\AYsG.exe

MD5 095bb1bd5563443e5838c149ba74e632
SHA1 48dade04e89da4161989519166fda3c44d112a31
SHA256 807453a4c1443a38a8189461a23e532fa519e3ea82d9eb2692939fc5117cd872
SHA512 2421b0a6fd8f6c7b1d6bbfde40dd2474dc316f5d43a3aa4f98c59cff50e8b7a674f95df0b9dad0aa37f17eef9249a96506521cff406308f5fee81b01870a3d0b

C:\Users\Admin\AppData\Local\Temp\GgQm.exe

MD5 b0d9523fa9947fb3eccf3c30a49f67d0
SHA1 6a33c55c8324e113a08d67ef049efe04893f3102
SHA256 df46051fb64655d2ecae296d28bec587d5cfc7d9761a04e525e8685f745a26f6
SHA512 6d9a9a34c7a164943da123c719640538dee009726d2a1f4c1a5c318e8af21312276958924bf2c4ab375afa58d66f59aafdb9203dd501c242042386fa063c35f9

C:\Users\Admin\AppData\Local\Temp\EsEI.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\oIkC.exe

MD5 362db0b9e7c97dcc6c0ec00f05a59e17
SHA1 bdb6806bb1d87adb336466f29573ea90c54a37a6
SHA256 f0696477dac2c9ef2cc877db14cd26c98b27cbf06e7feb07d7528dc07ced8a19
SHA512 699cb6ff3f434d490ea33f32a972ee4a01522d1413bdf1f9f3bfe7d10374f95d2144daf3ee31d91df629580d901cfa8c7250e4be19ea5a4f3ac14fa8655e470a

C:\Users\Admin\AppData\Local\Temp\GgMQ.exe

MD5 619021ea937e0b5a3f2d4456a612272f
SHA1 7d1c2a93c3a76fb18b8245460f89d1e914cffbe0
SHA256 a9523a2a6d0220e81f920cdf9e91e650d4b3f26ddb99737437b0e6cceb08192d
SHA512 cf3ba438e146e0148fbdb8c12262547ecd284fe1785b99508bb0b33a7d14373722f7be4d595f792713d75f6a36ad18981efd903a60ac99099718a02197242c7b

C:\Users\Admin\AppData\Local\Temp\MMkc.exe

MD5 17a61214fa47c4cbcfea4599b2d5c01f
SHA1 16a1e92baaf02a53799728971e55615cfb3b7fa2
SHA256 0f6205c8f76b0a3c7471dc73bbf4116c14276d6d9e9635d1b2391903a0ca7588
SHA512 3aabc8bb7048e2e0f1f48d51b0cb937c00c668f17a24d5baeffeb52e244d88291fa67f70a901dbf62ff39307809047e68acf330f1ffd009b74ac3cdd11f13ea2

C:\Users\Admin\AppData\Local\Temp\YcQe.exe

MD5 7b0c1668efbf74d535d7cc8ff6a79ef1
SHA1 2aba4adf2d0e6e18860d493584a82769238818cf
SHA256 5c832ee6755c46af48a0fb68281ee4c33fa072b9a01c8e5d0aabf1fef1c39c6b
SHA512 a47a29afe68d85d817919045e479a9ea52cb54001a6af658f1d3c1b7eedb75430919dc2eaefc17698c34194fb7c311adf79a2d3726c9b51b8c25210ac1f92043

C:\Users\Admin\AppData\Local\Temp\aQcY.exe

MD5 d6125337a0299fa138f0dfe856e38245
SHA1 b8f8d7b538b9123dee7d30affdddc4bc53913c03
SHA256 06f7d0a50ae183e3d12b680652969ea95b3c4a8123e45caa03ed471ea14cc245
SHA512 8159cad86b0933399dc622b59ead9aa4cd266b933211f77c60c925d552ddb1ee74a8b516582b6b4b89ea8f90bcd66c8bf683c34d55cd14e1d1858cf396c19e54

C:\Users\Admin\AppData\Local\Temp\qQcS.exe

MD5 d811c32d21ddb0f48b0804138c8f94f4
SHA1 be512bda4ee88e3198f647618d1269c56a298010
SHA256 06313bc54559bcfbc9a6011aa85269373b602901b660516f404a24a4046f4c6c
SHA512 cd1a55c616c620920909b92a8d900d3c3bde2d2ba45b2d3c326eca2b9d47deafba40b5969c9ce563af7b3169dc69f015834d973fbf6555c340076dfefb2486a0

C:\Users\Admin\AppData\Local\Temp\YcIC.exe

MD5 f4ed3be2b46cadf862e6493c93242a70
SHA1 4ba29fd0e1737b2d8d11eddcc50024b7d06f082c
SHA256 798f84ad201b33a720011971ab525806c8945fde2ed6e1564034109e199b70be
SHA512 bbd6f8ab2701a826ca00a851d22bf704454a089f8b9669926844415f25303aca0d8109c2e5c37a42da425ff513a1dba856dacbe6195eb9c74ff2bd32d8098245

C:\Users\Admin\AppData\Local\Temp\Acgk.exe

MD5 b107661787d8d52837444f948dee1ff9
SHA1 a3f38a412b9fd7067927dc19d30f7c7e898742d5
SHA256 5af8f51b4356c78639a78d15d1ef9b3fb83daee78d5e4a61ffed0a20b5a0d663
SHA512 9bba88aecc46851f79e5543d583327964316f4c46f60a698a6415715b72cf7d3ff3e31851a9e1193e7bba3b3e09ef870decc196dd4d7e03d0e10fb295c0cb36c

C:\Users\Admin\AppData\Local\Temp\YIUs.exe

MD5 eca4ef64d179f20db0be4f8a917a6df6
SHA1 fba4c06e0e93e6a6e388d62632f37f920303e758
SHA256 315865cb0a3ef55658472ba3d5ac823779dbf957d8885565bd20fbd18132355b
SHA512 06644cef58e167be921307f85f9b49fded08ac7d4b6d9f076f37fe8dd000da086661a5f888598914c66d1e7c722ed227dce842ca5cff99d8b609e26ad18688de

C:\Users\Admin\AppData\Local\Temp\GgwE.exe

MD5 9fa19d159f328af07fe4ecd92b8b8c2e
SHA1 2926c6ff454918e61922ace61177b75611c3ac5b
SHA256 0a0081575e97eed5314577772e28d9c648f61ddd6aea7f0dcbee9446d74dd912
SHA512 eb6b57ed580501294ea6598f3cf3db03de17e2c253263be8a13317a53cc31ff14a7e8ad6bbda326fd05425ae7b77a95dac7c16ee772593e90162fbdb171c83cb