Malware Analysis Report

2025-01-22 19:57

Sample ID 241016-wlkfaatbrc
Target 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
SHA256 8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543

Threat Level: Known bad

The file 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (84) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:00

Reported

2024-10-16 18:03

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\ProgramData\OGIcMUgM\hCEoYUkI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\vWsMYMoY.exe = "C:\\Users\\Admin\\qukgwYcU\\vWsMYMoY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hCEoYUkI.exe = "C:\\ProgramData\\OGIcMUgM\\hCEoYUkI.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\vWsMYMoY.exe = "C:\\Users\\Admin\\qukgwYcU\\vWsMYMoY.exe" C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hCEoYUkI.exe = "C:\\ProgramData\\OGIcMUgM\\hCEoYUkI.exe" C:\ProgramData\OGIcMUgM\hCEoYUkI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A
N/A N/A C:\Users\Admin\qukgwYcU\vWsMYMoY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\qukgwYcU\vWsMYMoY.exe
PID 1956 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\qukgwYcU\vWsMYMoY.exe
PID 1956 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\qukgwYcU\vWsMYMoY.exe
PID 1956 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\qukgwYcU\vWsMYMoY.exe
PID 1956 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\OGIcMUgM\hCEoYUkI.exe
PID 1956 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\OGIcMUgM\hCEoYUkI.exe
PID 1956 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\OGIcMUgM\hCEoYUkI.exe
PID 1956 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\OGIcMUgM\hCEoYUkI.exe
PID 1956 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2164 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2164 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2164 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 1956 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2332 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2332 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2332 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2800 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 1552 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 1552 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 1552 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2800 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3028 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3028 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3028 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

C:\Users\Admin\qukgwYcU\vWsMYMoY.exe

"C:\Users\Admin\qukgwYcU\vWsMYMoY.exe"

C:\ProgramData\OGIcMUgM\hCEoYUkI.exe

"C:\ProgramData\OGIcMUgM\hCEoYUkI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcUcYIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAcUsYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeEsYkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VowwEwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUMoAMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESoQMgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKAgUksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\csQAoccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwIgEoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nisEcsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmYEUYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYgwgIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqIgIAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgUIAswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKoEUIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsskAYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQsAEQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcYAIUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaosIIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCMsAIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkcAIQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYQsEgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkQgAQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssQogAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMIEgUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGMEUQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmIcsMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYIUccUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOMIIsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MaQIooQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCEIooEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIcgMQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mycwoIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kAEsEMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIoEYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCcAwUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOgEAwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUwQAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeQEAYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wakIgAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQoIEgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSEAYAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcscQIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIIwYYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xksAAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAsMsAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMEsAgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyAEMoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyUQgsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAccYgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCkgkEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqEEUsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCwEwAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwgAkUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcoMsMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAooYUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMgYYIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMYAsQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcUQkYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIYAsgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgQIwwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOUUEQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGEwkYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYkkQsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AagkYcMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCUYoUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocsoIUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKssckkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\csgEkMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCMAggQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqUccogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgUgoIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1956-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\qukgwYcU\vWsMYMoY.exe

MD5 1ca76c5e79be9188ce89207b3545729b
SHA1 ae0ba647ff3486ad7df54398541ae26def99c3a9
SHA256 ec8639127016e15450fcb215e0748712199907dca83aa446c1ca36b9443d29ba
SHA512 1dda78e2926e853faf8f369ac2fbaa17bcd84ef7dbcf47f906f99bb0ad82e7a38efc38de121efeff3413bf9f1ddf1a14492351c10efa5d9dc6729102e8d200d1

memory/1956-12-0x0000000000320000-0x000000000033D000-memory.dmp

memory/1956-11-0x0000000000320000-0x000000000033D000-memory.dmp

\ProgramData\OGIcMUgM\hCEoYUkI.exe

MD5 be9218952cd948af55f76661bb82f61b
SHA1 6a9837df14076c5c9f1d4bd57216b257f992cae4
SHA256 e9705e1dbf6ec27e63a4e181d3f49e82367e5023b103bb0d9064e56048e9d01e
SHA512 4d58f80609f46610479306410c80a59dc424ced77b700511613d314696add72da6545c938749704d58282a267f099014a6e78ab1a46cb58987a1c9f01ae10e49

C:\Users\Admin\AppData\Local\Temp\wuMoUQgs.bat

MD5 5ce244f987f2eff580ec2b0ebc385c2f
SHA1 ed587395dbac1b15b5e84f9df5c5a464d5aee339
SHA256 5d58c9af29fce4cc7062d73736e11c72d95bd8f5d56dab8e59b9336b32b68dec
SHA512 f2f6f3739a5891c114cfd25827629f538bc8a75f64cf673ef4c1544edc49083687491afeb157ed86c905429aa6182ee2604e1c2368c453e0ee17633c2ea3dbc9

memory/2356-26-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1956-22-0x0000000000320000-0x000000000033D000-memory.dmp

memory/1956-17-0x0000000000320000-0x000000000033D000-memory.dmp

memory/2548-16-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2164-34-0x00000000000B0000-0x00000000000CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcUcYIUY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1956-42-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\zwIgUQgI.bat

MD5 53e4d3124b8a0e3ddabf88c13ec74a08
SHA1 232125545bbdd49bbf501df82b87c8ae0eb863dd
SHA256 a9df083637ca2bae6ba03c58de0be168192578fe4315e18eb2ceb6428fe5cf2f
SHA512 ace856a75fe67d9975342f6d5cef7722def886bf9d6870998c96b3c486a10abe991f45b0a662f22e5a5af409315743cbf96073edf099e675fc44eecc523de2af

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

MD5 d715f659c83f2b95e8a4ce1233822e94
SHA1 c2a5cedfe5e05fa74d17bc6c9665d27823c3650d
SHA256 8a3d3787c7a87042010865e1d0aff07486ed919cecf52b21746ab8c6ec7de94c
SHA512 1afe9f4713af2d2e0a509fcf2e727bc4fec2099291480d2edfa9f4e0853376d690a42d5c7af37232d21f21afa98d5e8ddc6c45fa8f2829e9eb6930792f92dde5

memory/1552-56-0x0000000000270000-0x000000000028F000-memory.dmp

memory/1552-55-0x0000000000270000-0x000000000028F000-memory.dmp

memory/2800-65-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nqkgMEsQ.bat

MD5 44776a8f41ce696715a79043336cc591
SHA1 93f9e30550161a47fc5eba1a9be35669213ed111
SHA256 dbc054d01efaa537ea4b57a1b5c3da1a56b159ed218ebab99a592de97a9b9e66
SHA512 494f6674afe532eb7d66a5ae7cfdd82b1183a583fe969ed7375c7195f57f44dbd5350d066099b316872a314a8b9d788cecf7b05d18e72708400da625738e484a

memory/2864-86-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xqIAAoYE.bat

MD5 2be510b529b009df2e2cccafdc11a935
SHA1 aaa0248c958d46bb29244eedb293d28765aa5fd7
SHA256 190f1a02ef57d2b5a8caabc574ba73c3c823d615bf56c2edbb11d6d7e57841db
SHA512 7a0eef45fd1c21dea72adf4d83e62043e413cb1b617a940a7c711f6e674e46f73c03524498c58218ec454d57a5f7e40e5c763e50b005f110415c0b2e740016a7

memory/2072-99-0x0000000000270000-0x000000000028F000-memory.dmp

memory/292-108-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XkgsAcAI.bat

MD5 b8ced1ab0f56db60904526823b40448f
SHA1 1693f5f6e52f87b8e695284946c55f818eb23f7b
SHA256 16d983ddedc1e148b5106efce91853d5b45a8cf06cb2949506a7ee4a8f8582a3
SHA512 9fb626622e543e7b6060fe2ad470252eafa0ceeefe6c29fa2cd0fc5e9d59a243f78f781b23f725ed6056ef081c0dd9fd7e1befa7723b1a5ac899e38f6ac3c908

memory/1208-122-0x0000000000160000-0x000000000017F000-memory.dmp

memory/1208-121-0x0000000000160000-0x000000000017F000-memory.dmp

memory/448-131-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okIIMkog.bat

MD5 2789043679feb8745123fe5dd1901330
SHA1 435263f48683b21010bbf8d0d64043f07e9d4bfd
SHA256 d24a00855202102309e15839f46bf717083319be818a280326b84220c711e563
SHA512 ed206d07bc0d9b45df81e8584e1146597ab92e897fa3449753b488a9d99ec5d8410dfc9801d01b16f968c943bee0ccffb17b55009fbcea4424324b7909aa0946

memory/1420-152-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYoowUIE.bat

MD5 4074ff5f16c51d1d3bdc1750595907ee
SHA1 a0dabb0bf6322c8614ea51a8c6130515611a5b01
SHA256 743d6825da50660b59a3abe51aba736afc3ccd629d792c7f410ada75b71243fb
SHA512 25942ef463f359b1cd54a5a9677754bbf95a5ce5e0e61a13aadd2857a3f06bf5b8d64a92af231e864e6932d27ac199fd7c31c50cd722f5b4110ba17e6348fb24

memory/1744-173-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OYEMwUUc.bat

MD5 15d672b545faab7cd003bc006b8b6ca8
SHA1 352e6eaa4c1a8cc0f1ad0e26240fc3abc95961ea
SHA256 5ef739be40f9a90f45c10e7f85dfd45e02556aeec074ebe756d1fa2dc3029584
SHA512 25a3eca5e52207be4e37e5a4002594a43c248034402e0ba59949b6335097d5ef7ce2862bc2b74278eb3c1b2f90e363bd4896a9f1a7aed19b4856180d19d48849

memory/2876-194-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SCEkcsQA.bat

MD5 dca83fca3ea62c5a772e378f4202995b
SHA1 9f997ce0c4f4ba06ee80f634533fdd5210056e77
SHA256 002afad1907f51a7897001b3f81c7b94b90d6ec47a0706bac2b1419627a1e1cd
SHA512 22ef512df3301cc677ebf1cde0019742ae0673fad4b7e27759e9d3c90cae852deb876a727acd6dbd47af08cefaac392ccdba791cd207d4cbb0f130d65b48c896

memory/1976-207-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2180-208-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2592-217-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LEkEQQYs.bat

MD5 155da8ed8df933cbffbcfbc0c8ed3370
SHA1 f82c00d065224383fb3fc6bfd648fdf8939d36f6
SHA256 43a381bb1d8b3e194cf4f12d25da2a044d03930e8129629e2adbed7a997a5bdf
SHA512 7f02353ec91cc8e8203693588a466ad0f80b523da019abc310e050e608a76f27db7388c9bfb56db457c2219480d225d0409482ba821cf626cd2d9a5fb719c4d4

memory/1984-230-0x0000000000170000-0x000000000018F000-memory.dmp

memory/2180-239-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyUMMYQE.bat

MD5 10b05a0d42204f0b49b3d55b037c151e
SHA1 cc45f09ab422a110b4c22b0f54f3a9bc2fb080b3
SHA256 01cb670120b818f6be8f2b31a0fa27a81e49905850a8b3a706483c0555d9ac51
SHA512 01d5da08a23847a7eb65856a238ef023d279d41730123990e2d4bb0612f8e82a2836d82bd1f3136bc866bd67aaa604f7b6d398809bb5d998341783b8153df318

memory/1884-252-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1508-261-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TYogwcEE.bat

MD5 653cb791f29ab4effd9802d1f5297ffc
SHA1 e7382a27dfce42b22cb27fcdd4adb69be39c6611
SHA256 cb9c6fc03021bd26842e069d39dcbeef47b7e96e5b0ce1ff02f9c2c62cad9e3e
SHA512 abd2287fb7a559528ff3277c45ded372697d3d5647dad000d25ffcb0dbdbffa3baa00600938abbd46fe5355ac1f39d6253f1191dd9b3b752d5527771dbbeb37a

memory/1048-274-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2072-283-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HQYYMkcc.bat

MD5 2a45540784605a96ece612210c2e1e30
SHA1 09f18c7ffed246aeb5e70b6e79bbdb2ca73ea070
SHA256 986ac5356d9f9dccad8903743a24a2cb502323f35b42b2a7ed80b0ebba05b3eb
SHA512 535b044a215c84eb4e1b9435914cd0a66accaa85dc463676460078e39a9f330aaa7c4ecb41118eb93465cd4d2f9721bb69eb4fc1499823dc2ef41433a49da60b

memory/2836-296-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/1488-305-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xiwsoEss.bat

MD5 a8ed44ef361b51cc913bb3e00e4726d6
SHA1 79edc8be6ddbd7b037399e1df839237888f2a29c
SHA256 7e8721bd7328e6aba1c7d83f585fd81ae37777d632845351db8a790628825977
SHA512 66fe95b35862cc8f4271468891cac2f03cd1be85cb851c04ad8ebb9075fcd1a3e864f33653b81c0862a024ae35a30f34476edb90a3a1c4e8e248610f1468f561

memory/2132-326-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYMcsQEc.bat

MD5 5a8f7d77db2bf412398ec5349a1c4956
SHA1 33e86b4b0c2a7ba6fa41e7f5caedf210d99862a6
SHA256 89623a2dd0063a627f04a663b95e098daf70aca54aff9779c4ece04755def8e8
SHA512 6e9743d7f07c9ced3a0071100a2c3ae2e194de7c8c564ef002ee7845668b14f65be2d9d79db3cc651c93d63f466841291c5459e1eb692a903077cb9c6e9868aa

memory/2164-340-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/2164-339-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/584-349-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogIMkIQE.bat

MD5 99f22a5a0eea9a2fd5236d53c089b4cd
SHA1 1cd42cb2346fb9766a98b1f159f1548effd820f0
SHA256 56f0ef2ceda3e69202e181f834db7dcb556e30ccc98e0bac1c2575b049ca5519
SHA512 f2ba26517e0e01a77d3814b0c58aec38550e9d3dc7347962175d991876f0390edf3a8164b5e1d3d5b39d31bf43cbc267e1bfb4f33850d366976d2f34e36f8790

memory/1700-362-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/2592-371-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iSQIEIws.bat

MD5 64720af8c8671577fe087d3d037dd859
SHA1 03fab5cc49f6409599342ae1ff3922cd61cdfca3
SHA256 903782f46b6d433caa0845bc6f6d00499fa0aa77659f928cfa0c57eb091d2228
SHA512 6c5150a78ee062a8313776e515aca49e9082faa1cd11e2070eae58bb1e60c5d7249415c99d963d53d4c2856b9963e8106855be95c271431a20270fdfe0f312a3

memory/2424-385-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2424-384-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2864-394-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osUkIYYk.bat

MD5 1f4c25f669035461837890b8ce1ea209
SHA1 9d73021df81e0bef0b6e80afacbe4eb857a72401
SHA256 11f11a2a718dfc4c03346a72a01bec81f8bd26cffe7f7c32d65d7c6b405be418
SHA512 b689c0157fc95bb4e7638e493167598ca056b9805b67b1bb133d4e92c558063d20a5b2291a2c52f5fb4f1b5392ad2e0c8dbd23fcb2c4dc9870d5e6a91bf38c67

memory/2884-407-0x0000000002240000-0x000000000225F000-memory.dmp

memory/1996-416-0x0000000000400000-0x000000000041F000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\TKsMQYsc.bat

MD5 63d8c04b66967654236b919eda85fa2b
SHA1 a8830620d6234739e71f9feba177a7c11c2463ca
SHA256 53c464fb8f92ea058f909e45f06d9bf3d889e1b13a343e31b7aaa1cf9bf7c888
SHA512 f5e5cbf26d02a8ffc535bee86207923120a7632508c3e03e22428d8ce6396cdc5dce4660b5d7d57635c012e6406d56feb4df69ff66be9879a9c5a6fe1ed12ca0

memory/2916-435-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2780-434-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2780-433-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-456-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\soYQ.exe

MD5 d6fe6c8642ea4372620ffc565ba5a050
SHA1 40eafb88e6a7c00171c89057ea12e56971f411c0
SHA256 489feaa60f497655c738346accac6cb705611ec8f13e0e50e9c65738e41fb64c
SHA512 b841580b351b5fc49de72f457d1e5dfc480cb12a289ed242304a2c30237d5fb90ca2c672a16d3625f25e179b3e7024ca3c0431235028367512cb7784ffd5ab37

C:\Users\Admin\AppData\Local\Temp\XsUooIIM.bat

MD5 d167d5c821e0945904ff20b876dd0f33
SHA1 5c98fc07810d5c8af535bed044ff36ac9979ccd4
SHA256 0df7f4e395fd6664fa45fef5aca963e27012e057b92f33728277144e9d9addad
SHA512 d86c814907d138c4cf8e0a0ed9d10471f902c2910907d5f1cced29f65209c143c929d3c36acad561b5401ee0c56738791d9daeaa87916eb60b3da4b1ff097b48

memory/2912-468-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/2912-467-0x00000000000F0000-0x000000000010F000-memory.dmp

memory/2916-477-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kscG.exe

MD5 76b4e40a54ef0524adab9b2e0d399d1d
SHA1 87352521400d4c1876324684d88cadc4d9922019
SHA256 896a667f7bb70f79c41c0aacde4c8c8288c834a56c934d54706cb7a2e6f06a54
SHA512 0a8a85d9e6532f22056b62db1668758c57b6a99e2675b9900c7742f46f241d140eca1e1750b4690df18091a06c14291eb251ceb005d3a86ee774cc8b8a6a3a61

C:\Users\Admin\AppData\Local\Temp\ggsw.exe

MD5 1cbb94a71472c69c9c2ead16c6d02c14
SHA1 ae1ff0299ac7360089e8563302f207e9a05ebf1e
SHA256 c9655467cd1765e44dedbcca149745058207ee2184ce860aa6261a701f3e4be7
SHA512 27e623f76664f184a672cdc5695506e6a659be5e108e730fb31d34b096cf228085b64f544b6de416c44294285e7f13abe8a5683806601810e8dd5bd27261bc67

C:\Users\Admin\AppData\Local\Temp\sooi.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\eUoM.exe

MD5 09f31a31fffa1d4f71f60d2541f6ad9a
SHA1 adf608a53bf5f41b0af85db5664539fa34fb2a41
SHA256 26d2275323379c99ed1e02510993e873edd95d38aea4baa2874a97e2a604c48a
SHA512 f861a1669c308112977c95197da65a23101e9f81e049157f1375dc8a056ac6125f77017f03bb010f44199f49dbaeec9624e45d0671ac82d19f2076c3dbdd1d8d

C:\Users\Admin\AppData\Local\Temp\RWkgEEEY.bat

MD5 463d4ff8dcb2e3805a9105f0c1fd3b63
SHA1 ecb08afc35aa17eb021da7a441ce63386a7811bc
SHA256 8e3aed3902346ba49364792aa5050522693a438b8ca26c67de21299515cb6def
SHA512 3a7787f5fec1117c631e76d05050ad41ae3dbc5b7b105a1221d8b2e6851bc22dbac6da74810051d1d3458bae1e65a49c1bb097e0afe8051f5a0e1719abe56ddd

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 94d907b1c6d375f211882d374f1628ec
SHA1 a68af0f5e44bbc540b166e83fd3a32c62a2415ad
SHA256 08ebe2d6cf1ea2fa1c5959147eafec9042b642c360f7d45aab98aa1e0cc13e7f
SHA512 4d4bf6141add5a191da03591a459a7bac6f941dc16b3bbf4f1df5a4acb6b68f217b6be1f60bb01db5f896ef624108a2f1eda2bbaefdacf51efa08f427ae2b21e

C:\Users\Admin\AppData\Local\Temp\EIwa.exe

MD5 2f5fd9661e62c9191cfa8901eda67208
SHA1 36bb7a79f51b75ea84a4f48bba8639ce57cd6966
SHA256 943438848574c30c3595217dfcb84da2d8a74cb08b74760bf7c174c6529b82d3
SHA512 e3b02a19e70ade2d47e2369637093cf50f4f73a25d452ec16b64cf7bfcac6d86809c1d743fed79f25fc149a380ff2e846bf00f3d6cafe8882d11d16fcedb6d65

C:\Users\Admin\AppData\Local\Temp\cwgo.exe

MD5 ea23e0105d600db7e915c76292ecfeac
SHA1 3c0b73d14cc1264531690630b47eab7492a5afc5
SHA256 0a8a19500292d2e442268ec2043e79bcd21b264d86ab3809dff0b209d815fe98
SHA512 d13bcf26b82fa89dfe049c8d1bc1b9567b440eba5a188a3ad2db8707f415d433f1f64e55f4c13f9f8a6451359ba73081758b9a3c5e3ecd24969507545b95f85e

memory/3028-560-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UswK.exe

MD5 3b2e1e3c802155bcaecef02d935cbe21
SHA1 b15cdcd39d69162e486ae4ef74ea7da507b81552
SHA256 9348bf1f889702c55e92b3105eda628f967b08248daea889deb0d338c5526177
SHA512 8c00ccd8ef57c5f6298049bb58b9254db053bc5cf3cf1f3a2be6f1ea1f441857106f38c38f284901dbb60acbda71aafe71101344a72b949034751ccc559fc960

C:\Users\Admin\AppData\Local\Temp\CUEW.exe

MD5 06e7d62aefa6a65157fffd42dd42e958
SHA1 574405d2042a4d737de5ecc6177b1742e82133b8
SHA256 06118d88d0fa5fcde2fff028559a53a743c00cff4d4b0f7deace5e8502c434b6
SHA512 7795281ee61583f68a314cb20a0541793951f35f4c11cc32bfd3ea4ff1ad10826766ddb5a8105ef5a5bc098e4cbdc3c5ff566ef3fc7b6b0222c7f460735e3c7c

C:\Users\Admin\AppData\Local\Temp\KMoY.exe

MD5 01411d77038a9611adb44e2888897b1d
SHA1 2ffad892a9ff057f15db17954dfed65bcb48053d
SHA256 a44d12e7301baa2c1302bf6b10c096c1e993f51813ea75d9a79a915734fcb2ed
SHA512 3256ba0339064bc76fb91cf8a19734ee323685c21ae3c757103980890e4d2d2adfd862b9b567e150a8448a31a23850bddc304279665aa28d181bbffa6a9e57b3

C:\Users\Admin\AppData\Local\Temp\scIY.exe

MD5 7343da80d5358171b12e236e566a9abe
SHA1 ae18f1287dcef06a9a5189bf82e6abc4136ecfe0
SHA256 26d26c01655305953c2d08e5cb5835c6704504a3ff269f632ffbf56c39e4e854
SHA512 2b949773a4b874dae5545f545245e15c2f2d697bd4068f257855ed47fbef5e267244f6fd6fec676d96682f00a4a458b8d5eb981f17aebc0dda1cd8b7a4077a17

C:\Users\Admin\AppData\Local\Temp\zEQMwEcI.bat

MD5 eaa700f29134f159843245638a53f422
SHA1 a821b600210d0ca3dc5162ce99569481d5fe6a1f
SHA256 b56f972d539f929ee19ed32c01def2e07bd77a2569789ceef01522222e0cebf0
SHA512 3b3b23dbeb62ee2a33a6fffd35f39c42f6ea45a84af8515875bad3f7b5a3e06b7f25ce5782a174f1d623f635f5c55a7f3d34d2deef8c9d7455127c4d764e9540

C:\Users\Admin\AppData\Local\Temp\QQgU.exe

MD5 e07ebc223329c038ca96982bc05bae10
SHA1 8fcc26db0c34fbfcf7b3b64baa8d88a9dd377083
SHA256 2272f9d872b47e95af171830309531f2350c252298d5cbea5966a2ec1a842c87
SHA512 2a35d59ece198a6758ff29ec403c46f3153123016478c7eefe8a63d60db84e2c3e90613357f73a369a0b2c44340957836cdf1866ca68c107752f35205f87fec5

C:\Users\Admin\AppData\Local\Temp\uIMg.exe

MD5 fea71e130bee9ad3c0c2e04ec0099061
SHA1 b0f2a6aba5ce4f16ea91804f34ae40f66b957c47
SHA256 ebc291c09d55ac9f6bdd8e7921c6b828fd39f7227747cf91a2713eb353618ce8
SHA512 d1b4e38ff0be34ff037f2ce8116f2543147583bccbe1e22a411f86636d2accb0acfd9ed2c72bb8280431d0cd40d417ab4d75e1c84098747ab3fd4eba5f1b5f89

memory/2072-661-0x00000000002F0000-0x000000000030F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cIUq.exe

MD5 e0e5204d76b1b5a76d84ef62d18445f3
SHA1 2f1a54b674758aac2efd2fa0cbe72436a890ea8b
SHA256 caa9623664a49ed0e5b18fbe538d121063a92562ae7b5ab336f1e2407ac1a1d6
SHA512 425c3743d79c29b2922d6692d185096e9d67dc597f8ca9c716a124489cb21db20be4ca9b6a88210562c765663dae78606096738f8643b9b2040ca242da1eeffa

memory/2192-673-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yUwg.exe

MD5 a3f24d37e9aea4e312ee0ab93d7088b2
SHA1 b6335c2ae46a985308db98bd3bfba962311d9e8f
SHA256 006cf7f0d2d05a7d8a85585bdb5377af89efdc48b8f02ed3a9098e1e540e0670
SHA512 28a504ed07eeefee92bce46015bef1773eebc1c6be32b40529454de1c31d44d099a5b45046233be25550b273df36ca65518def1cdbc3a6937f0d1adadcbef4fd

C:\Users\Admin\AppData\Local\Temp\OAIQ.exe

MD5 18b8d7abbea2c191f49a8e10d3634ef5
SHA1 14fc7e333576f3f739cda3b2d18adbc39e746620
SHA256 28dec85fedfa698785abba8d11fc8dd5a014ffe83173bb6955d816c7003c44e7
SHA512 0bf5f148442e52038116eca670333fec01d9d4e3ccc52e6d5a2cc1e5e2b5d8b56be9f1c3d8a19df9091fa952e979a5fbcc67a97a70b005f012611faabfb3fd1d

C:\Users\Admin\AppData\Local\Temp\gQIq.exe

MD5 2fc9eef1f112dd7f2424242739b26947
SHA1 a9e70c1c689a1ce426ca652e04119f5d4f6f7d32
SHA256 c9c5aa8e86c2c99aad0eeb8d3374aaa2ae82428ddb1e539064380464b9c6f3bd
SHA512 be13c0125b58eebaedad214e009e9b875bf2423b6494ad3dc77d851bee4e855eac8f20b0dcbf4530863f500e9c419e2cb03a4f7d8e7cb18f05954a4d815ba6d9

C:\Users\Admin\AppData\Local\Temp\iosu.exe

MD5 887430cfc66c7d9b88862ae9e0ce01c3
SHA1 b07545d994f23c5f719ed92625ad0cb02c471224
SHA256 febc725351ff62d0a1c815e87856f74d560c55f166c1bc2fa46e1af0bed04a3f
SHA512 5bccd5fbe7c34eda56a0e4f40608b106644b6a0b77bc2f68433fbb67784ae7b4e6b57d1f6ca2dcbbdf9bbeb744c1d9ca966d4718e2e2b67f52ddc5e089daf6be

C:\Users\Admin\AppData\Local\Temp\uwsM.exe

MD5 f630ad77ea6462aaa1461c7900857a2c
SHA1 b3c419414b0155f498015a853e56ba1a37cd1bec
SHA256 fa468b694e49c83a84aab6930231135474cc5d7670cd2a39210cd6b995b11c65
SHA512 ea5cf16134fec06a0857a0b91288b4ab5c2e0d426ecc1f8f7070ca22719b7c99af17c58baac5553b7248757d3f08f0b66ee31fa5bb51c3e67b188da081f2a7ba

C:\Users\Admin\AppData\Local\Temp\sUQA.exe

MD5 f9a3c84c4d91b978ac8dbbbe045a49d6
SHA1 dbd75b6914fe9b0113e3fe42a153675b8bcb2b4f
SHA256 10b6e684213d6a35153ee80f0942934abe64369a47eff2ae0d3f6c2b8368ecf7
SHA512 037c94c7e13c05e474b3763bc8fe6c575ac0a95515f25bb471e615a2f0f5056ca4c17772f5b349c048bffdb6a8e5ac957e3eb1320d0afa0fb93b0da6066f27bd

C:\Users\Admin\AppData\Local\Temp\siQIEkwQ.bat

MD5 385ef899e3cd01220b6da6dea3514111
SHA1 bcebcc21adf8db7c5aa0ce55373c6704ad8bb0ec
SHA256 a33788b4680f4bf808d1e3ed01a9b272ec27204c54eeeca8ad168b069cdedd08
SHA512 0150b4046f90d6a64dec88473435c7b9dc082b64cbd16941c317cf022c529c86307213b13b8acff14899d7a1153860d999b886f253d4b3446b7aac2511fe1b8a

C:\Users\Admin\AppData\Local\Temp\iYAM.exe

MD5 9e6bbb3acff6375187dd4e63adc9f752
SHA1 d08883b3a1765e397b9cd1e1c78b51d09f97860c
SHA256 36ea8466c39a873dddd328566b00573513a19e16ef08f6a1f27ae954d2ebcfcb
SHA512 eba86112b1ea164b0a50d4404e2374cd93c37340fdf86bbc6c1f7599959f67fcfd5ed0f914b20abacbeeddd44cafbdd7e90d5a6d0147994beffa502aaf76f6d1

memory/2504-784-0x0000000000370000-0x000000000038F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUco.exe

MD5 3de5443824ecb6a6670e6f26c9cab997
SHA1 7376fdea424d53804e054c9e9565bfd7013a5de4
SHA256 74ff113b7891aab174ceafa69190433da24bf73ff1e31a5ad7c267efab01c9b0
SHA512 803b085f0e6b114b3f7fb0cfbe8dc5ee0f92a9e32d4d7783ff1ac3ecb4811a8790383fcd001c71696d5bce5242b6abec441c9f982c0526a1aeb7913b8a3ff60a

memory/2712-806-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aMou.exe

MD5 2b5cc92b627456cf8f2725c73c4b857b
SHA1 143fd99dc165cd55676b5e59d135e8a37604b0c3
SHA256 9a4919ed420ee73a1ca675cac1d206488308af57677b98c28b9c59286902cf0a
SHA512 06d5b8ac7349b00c6ce8f267300956464374601ef9a0a0bdfcba51e3da550bab3a50061544e6bf3964dc2f628e5007c01ac61fc287cce68e60f7c8f15379a10c

C:\Users\Admin\AppData\Local\Temp\IEsE.exe

MD5 c50a301bbf568f502f710412c38feae3
SHA1 c80d84f2e9e0831fbd2e6c136b40c3930e0aa64a
SHA256 95ace2b9fbd1f02ba367c1d88e6b1b90e5594c6c7e3af0678d03ce75abd324bf
SHA512 2ea143193afa8b00f7d0f7794ad46d0004223da2559f18cd95bd578cb6c71276981a5f71a010d2794713419246dd018be6eb5cdba42608d9916838331ba53d92

C:\Users\Admin\AppData\Local\Temp\sYsy.exe

MD5 fe853106e3a85e35840987ec4c114bb0
SHA1 425764ff6e99237c5f9deb4af5cdc800300e2ddb
SHA256 224f1a331fea128cd83f2bb19e288241de032198f2acc1ea5d3039894a367975
SHA512 dc12851ea9347b3a099ea4f60c4a22acfdf85af7daaae398f2ec12bebcd444486879ca8a8ea3972586ac29c2938b15a726018ff7520bfb0804c9c395cd10c11d

C:\Users\Admin\AppData\Local\Temp\aUwk.exe

MD5 6befb91b6b3d352bd8b186e601cb6fc5
SHA1 0efb6693097e030173d2642f3d49389f8822ca3b
SHA256 f32d4712937b9d5ec88f6c67d8f3ef1697b70aa951914e437155314d671ea2d0
SHA512 36ad341def591862063de76b8f81825e5be39b44ecf7748502ccbf0bba88eee1ba369dfe722dc86df1958827c29351f799893a7117e6e29fc835640b2624b1fd

C:\Users\Admin\AppData\Local\Temp\sgES.exe

MD5 3455cc8ce90df069997dd67fbe97a617
SHA1 bbe83a43e2426679f11da2e743dbac431701eec6
SHA256 bd6e9311878a048c1f099c6a743dd78941bf8a767e77ac274b7522f6793854ea
SHA512 a67354908e6415fc216371e8884400e801bfec87957a43b86f7fffbd70cfa2e147ce717a87b2af822995e4bfc6ce11cf237da5ea667dcf456e07d5ca63e612d9

C:\Users\Admin\AppData\Local\Temp\sCYkwkUY.bat

MD5 9e3caa918d6ad92aa448792dc951d608
SHA1 cf5899780615398ad37aaa64ff202bff7595ca94
SHA256 9fb68fab40b8a2de1ebf274a337dac834b28dec4fa898a96e578f2f6f3eefeb1
SHA512 bc8257f259a4f8cf04819748a97ddc4fb6c335d88f10ba87e9f5c57364a9d09bce7f24bc005bed46e381cefcdef0f7aa819f4f0dea2e7e302c536f607ae664e8

memory/2784-893-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uQQk.exe

MD5 378ec6e227ffa633b64154a887460300
SHA1 194e9aee08fe64221fb297c1005a484c05dd2e97
SHA256 4cd25fa1155b0367360117671c497833e118d5c733e973b932f3e38d40858863
SHA512 596eba4d8855bd2e088cb2497165642ee8314e0e02f3035e81f00eb26ee5bb0a21c450bcf65e1fcd5ddbbd1638fd54844fc3f2227f7165139b026c7747aa050d

memory/2168-915-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OgsM.exe

MD5 17a084480a25186ca8b93a7d24b6cfa6
SHA1 3f06c91246cb451f3872d1c8575138a27cab09b2
SHA256 012fbb9e69cd3480186214ce231bcf60b44012cbd08bd435e694c97400942006
SHA512 e74caa194eed312dd8714ae16dc19cc6501d408ba0cbf6fddbd1f72e955ae8d7002b784e7ff9583c52d56b99cb36f22de6259fe001ac96ec77466de515915b99

C:\Users\Admin\AppData\Local\Temp\UoEO.exe

MD5 c5fb7e6c8f8e1e58e16b42084528cd6d
SHA1 7b7e2a41d5f950c2ba8df7b4014881077794bd43
SHA256 131a5ced1e8371833b74b7fba6465a2bfb404669228a2bd49d1c06c74a3ec617
SHA512 b3505cb8941b7493e2456ff03275dc46e168d2eed9ac4d17031c4d2c249878d38fa49e719e9af5e8a7dd86484c623aba9f67820b0353dd6df5888a8eb3414892

C:\Users\Admin\AppData\Local\Temp\wcUY.exe

MD5 cbd8bc562b9aa940ad7f30900bd4ed5b
SHA1 f85c8acaa1eb698d2e40b4d623a252cb5168cb83
SHA256 50266949e93d6001a210bae69d204480cd6baf0a27a70ed27541282270cb816c
SHA512 99c0d1084515c878d4e206038f21c8915a9ad729dbbfd3f7ccbf07a7dfc7611cfdc6dac1108f296dcd5cd502291b10232efb30505ab25ec897b57fb0cfb1dc32

C:\Users\Admin\AppData\Local\Temp\mcQI.exe

MD5 c0e94bd83d731c82cd4286f75327f86c
SHA1 32aba0784ed81b34e1bb28c97be3e0faefadc592
SHA256 f9228197d7da69605292a1d1398bbd5b9678259021f4f910c73b08c947f6a723
SHA512 406b4fd9e9f16406aec17517ea18459959a1dc79bb0b9bd572a6eec7af8e57e7051f0bbec4d83101a83d9396e921423d733b7da46ba1a0b575fcd2ad773c4fb5

C:\Users\Admin\AppData\Local\Temp\AgUi.exe

MD5 a15e578b57e70dbc6ea1e4604aa92bc8
SHA1 ebc075df8fa49e2b90296f2d5ac0db7349f719a5
SHA256 82066e4a9a7791f9ec0b40fdb8da367ec99429c6f963fad22659c0a20b0ac7a3
SHA512 0803deb4a97f55841d0264c65a32e439fe5613077cdaeb36b594ae6caedb87058f54a0b6a888fd14be24389bd5ffa81f2feb089fe663d284974e5f2a0c6e849c

C:\Users\Admin\AppData\Local\Temp\OOocAUwk.bat

MD5 6cef1f286271923d4e4852e87514d11a
SHA1 271559b3182533480e5cb79005f9b5c80b20b332
SHA256 010f6ca01e3c1be499fb8ee6dcf04116501f8caf3c6b6cca3e7e877204d4cb72
SHA512 0e37f7104fa0d189323beb6a488ec16f5238b8ddfdf2380d78a0d28e5b842e735d1c59986037384ef14d0fdf2409530406bff150a9bebda3fe079cbca3f54d0d

memory/2432-1015-0x0000000002250000-0x000000000226F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CIQq.exe

MD5 3f13983701ef7c10a6f7c4420632317b
SHA1 dccff6e458979126610f697ef3a588edf3f7cf6f
SHA256 4d9c5da7a2545ab4ea290c59fbeeba8142352a585eae6f37ca6aaab7055e7042
SHA512 3c602bc0d1bcade5364050d8e42ccf431667b472ba32d6a466e9db2eb19aaa25b35f3b7f5885d9ba4e4216f98090676804b87bd9cbe074fdd236ac8946ee1728

memory/2108-1024-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SkkA.exe

MD5 e3c80fa2e905b271c1d423f4d9416e51
SHA1 3544f1a8ad6522e45d20158e3997237575525e4b
SHA256 f68a18241a2de184c90ce2ff398de0cb00caad36bdae9337026a67d5733ab84c
SHA512 18614bfe7d6a0798dfbb7a9b15715d9ea9adb43a54d776ac2b1141174113c2a4f8dbc9ce83bb331b81f23a2d76e5cd187f6f5efeb49f2eaa4c4cc6cc265149e4

C:\Users\Admin\AppData\Local\Temp\KIEU.exe

MD5 89abf3cc5e0677681ccf78110a65162c
SHA1 8fe1a0edf33bb5117060e3513ed5de19bdf296b5
SHA256 a43186b9387d0dd3c926d70201b0fbee79a36a8b74c235ca5fcb9b221d894b71
SHA512 29853f7a2a4596c560da529154185490dd4f4dd6d5a31da57e1131bd78aeb4ed0514323589bd0f6574a899a6a19a0a4171e6bb418be1c1ab5865d0f3fb27545d

C:\Users\Admin\AppData\Local\Temp\UMoy.exe

MD5 fe5561631eeec17057de18a2c1015c7a
SHA1 205882d6b40ca8cb46ddc1f9e62666f26a9e8723
SHA256 faae7004efa33bf7a9f909823ecc5fe0a5865780fbc140cb7d0a3482ac66291a
SHA512 6a4e3f8d06e9f7d57d50edc1e549d566ef4b8a46500802cd03bdd5f2657b1fbea8d6ef9eb75930df41e0a35170672f74dcfec4cc4a4844f4f204fdb75b1caacb

C:\Users\Admin\AppData\Local\Temp\aQgS.exe

MD5 a3ac2e7e49f34df57f7b39fd2135ffbd
SHA1 4ab58804ff00d4189c15356f42fd36b537832f0f
SHA256 5114d683cf50dd66880655cc248ecf7f9755a82eed9af4a6b9ae84f7568a6a6b
SHA512 7195ca3c696ad2ae11b5189c49d37b959435021ee65b9c8b9724432d5c8cee937385fdc0e70c646717226d18e6065651bdb3c89d4a52669c21994435a936a1d7

C:\Users\Admin\AppData\Local\Temp\sKIYwAwo.bat

MD5 3b3a1826d513ad8c71f98ee2f5bd84af
SHA1 4d6e74a46e304b9ae0a279d599830d00a4090f40
SHA256 3af30f2f22d39c958517ffc343c63f48bfad81ec7ae9a8897625e3a65f810897
SHA512 976c9251e736b675c4681eb1e3e2c3a6d1b69b83a3d810a7d9f7f83a719ba82c80b60d3a5be2d5ce10e74c64c158314513e3605d8a87c014c872b5517a3bee49

memory/2572-1095-0x0000000000170000-0x000000000018F000-memory.dmp

memory/2572-1096-0x0000000000170000-0x000000000018F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cogi.exe

MD5 c790ba31a79295ee5465018f9180b75f
SHA1 903a852c3114b598750a20965a34ecdb01d443be
SHA256 d5f5ee9e6b906e20240b9bb24451319f606f5e256b24cc834d313dbd630f77d0
SHA512 503f6642f8aac2037dd8b7067d5577bd1bee489b01f0074d6e354594ae7d6a1e57414d86685dd0b07a4efefaef7b7ee899922e83adaf5997aef9b3b15dda316d

C:\Users\Admin\AppData\Local\Temp\eIUI.exe

MD5 41c2fe23db8fbfdea39403c782c29386
SHA1 c458547dcb6fc0d03b104b1c4411d6765ad6e9f5
SHA256 664a718d0bc3032179dd1d0499c9157d8d3b55ab8ac960442b9fb0a4915d792e
SHA512 22fec7119c33d768bad9626bbf77a8a6337c52f08dd8d9b077b53d2c5db32f39e3705d73ebb93ff754440c7f977fc579be20e6a1fd3a9b01b8ed42947ff82d87

memory/332-1122-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIgQ.exe

MD5 e7ce71fe0ed44172390fe2f81bdc912f
SHA1 2320c79dceb994af7a72d697f19501ff2abc56d4
SHA256 76f0db1776db54f1d182123caed53d89d39cbaffa7524116728231e7da3325cf
SHA512 32265c39b803495c680b20752ca900b25ab1d48b4cb0e722c680b9a32c0f881d9213e74ff6f8de4f5fb40b04603279f43399830c184b295b3820ddafdeff0c7f

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 e9094ee8eebaf954b8b618808c99d2f2
SHA1 47c18cb694b4a3c03b6253d827f62c69a2b0ed5f
SHA256 523c5d9d20ed9048e13a7173877a3ff38dc69f462ec0fb4833039143f0338003
SHA512 fd7fddfeff3dc53a395c73cff10a35753393606ae113acc0ed9609b8dc73c3cdf2bf2d3701074fd4bfa683b35378ec0e7b85ff59fb88061941409e30b41ea956

C:\Users\Admin\AppData\Local\Temp\vEgYggYg.bat

MD5 eb657c3f3971a65c0ead2b8b40c41efa
SHA1 e61ebf59d76a96bc4d58a89d00b87f2a06e805b5
SHA256 3777892e67952c727ff2d744ebd1bbc3f414a3134dce3de936cdbf121791c909
SHA512 d1505b785e85e54faa768bd198e82be354a30cdca1dfbcc8b5846694b0a73f51ede45a671b0baa70aeec3bed79f8f2ce96887ab18eeef9f327727ad72ffaec81

C:\Users\Admin\AppData\Local\Temp\uUwE.exe

MD5 a92d49f203f366282fc3aac4962fabf0
SHA1 fbb6ca96eaa8864ca7833af7f28b31576f5e6afd
SHA256 07be11a63173df1ee8a4ed0833f6227168c4d2e12fc9f4e53a1d4f95b9b71fba
SHA512 a9657e816d3ed7085f9ff1292d809481b112074227116afe186c562ade13423f130b20a027ee73a94414568e0577efe8b549ca4555495e12647855c8e7ea775a

C:\Users\Admin\AppData\Local\Temp\kgoS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\AkMA.exe

MD5 a038b5c848aeb20bcf121467792574f1
SHA1 8f31749771cd95a3a13f82a414d4844bea47de29
SHA256 a35d5b234765d6398e4e8b1beee13195e02306e0a061b053c7edd01d350932be
SHA512 5253151b8193d563f704a007cff1d1ff732f293e160112bed43c74a896f8b38e494a77914195d260e65c9af670b974facecfae87af08ce26ced619cf439714b8

memory/2548-1196-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QIUo.exe

MD5 22584fb665739b925f9aa528538e3957
SHA1 cd641ae6c99f44b9be73af36fa7a5e3bfda323f9
SHA256 ad74f2be00eef7854f3f1cf3b131d1e3e2fa3d0697250f056f853bd9770f7211
SHA512 56bbfdb9dd6c6f8c89915a804f4d20be762293262d643c729be5dbd444913cc50f31e35ae84b0318791f5b7c525943d5e13584aeff5abb2aca7c4d66f37563f8

C:\Users\Admin\AppData\Local\Temp\IkgA.exe

MD5 c6161f77240eac5f679082065b594254
SHA1 19cd8ee5e36493f911a2574716243b2f9b6e02ab
SHA256 22bf4e6ee8a3342dc9af08818ef2434e2c90a116c85d4d4b3671caabd542715e
SHA512 a55b21ed422edeeb2c6969ffb827cb352b41c7cce7ca0248992b9f123c856465c940616bb23d736a1caa3b63eb3e88be0c1ab9f53c9760399be9f4969e7aedf1

memory/2040-1219-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2748-1211-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAcG.exe

MD5 88641a11d157c20a62af2548b26ebbab
SHA1 415ec7f3bbdc8658ad95376f98689d49f5b4c14d
SHA256 1577543324e75e184cac8cd2220ac3b24d925cd580db411a2f4c49e88e0ac181
SHA512 e7f68a9d820dc239e3f6e7cfec961c1fbcf940576562e7a298dc5d47826908d3305f7deaeb66e48823f1b1e51909d3393e0ccd17fb529d5875d8dfcb418ccb77

C:\Users\Admin\AppData\Local\Temp\OAQs.exe

MD5 441c46c9a4f43703b0a3b47bf85c5f6b
SHA1 eaa337c8d0251a54f0d3ca13c221e3adc4024283
SHA256 c0da1da322976e763d09170aaee4eb3b54af44f21e186cf1c075e5039af8d63c
SHA512 8c92cc56453cabc828c9b500492480878656808277e6b764d2f9d79622eb287de3622eed72f117582e8034d252c03a7e644ce0b8d79984df11027bfb409b9b03

C:\Users\Admin\AppData\Local\Temp\yAEC.exe

MD5 8664d20f26f097b96c2186473b55e692
SHA1 fc8d0fbd3e0f88a8a0636da24eb3e302dc252521
SHA256 d7d329b12e9a127ba4f6a6641e31560d0d816d8111dfaff0c4795ab0a48d3c55
SHA512 2b355c174187ed6903d671fe474a948b5fc5fec9c1f81ffc6e1150ed3b084b77aa5c0fcc4a7fa8e653a04d869f61abb05ba4de8453dfe4a8764a6b5606513d2c

C:\Users\Admin\AppData\Local\Temp\HSosscEc.bat

MD5 2b195e194f1aea6c3121ac268870b9c7
SHA1 3e82af8e852c3f74947ad5eac86c41623cd5c7f0
SHA256 3528fec41fdb1e4aba94844049afcde6da9307427977621d8069aa0b35714344
SHA512 9d463d068d5cebfea5a8008e40dec5639bf6cd4ac495dee7474e2c18bfbddcd88f466a2782450cabdc8161f1eeb7739c64e689eecceea13d1252065d586b7aa4

C:\Users\Admin\AppData\Local\Temp\AUAS.exe

MD5 49824b9682634b807a5747119645e2e2
SHA1 87712dd03ac44a98abb96bd0f946ebc7e37dee70
SHA256 2af73d548848ed4d83634852e8fc1d5021587195bc860b39dc8d4cc7ca149a35
SHA512 430ba48bb9a326354f4d8dd779ff3341bb9588d15000a4fe10670535ca7ba21f87d7a044a05fdd88f7c88fb0c2e3df8c09a8a1fe1ed39f15f829e04a1f0d31e1

memory/2356-1306-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEgu.exe

MD5 18ec8e617eeb34a429158a455f799fb4
SHA1 dac2a33106f37837b3a360add73de7a4f0330579
SHA256 75aae6abbd21a1f406080b39cbc70297c5cf3055badc76c03b1856dfa34e0e50
SHA512 4dc442b30a117f7d798dab1b3bef2fca111864ad7c9129f8eefc04343c014b37f891febbafd6874431f79a52713002ec30eebcd82369d3679876d3037cb8a4ae

memory/2484-1305-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2376-1304-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2376-1303-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2748-1319-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsQO.exe

MD5 99e59e5bb86f43c6176f8d192cf86c82
SHA1 a0361f0ec000e72b66a1695ae4e6bcfbea12a18c
SHA256 430d5d21e66edd49dbb3423c126c638ebe6a4270e778be22dae670ca13f6fc86
SHA512 660a3aa97f277d15caa0df009cfd8a5a16fb3b5f89481a5e521e03776970e47a4180c8547a09b191cb7d0fbf811dc123dc97f865fadec1fe82b013946922ae15

C:\Users\Admin\AppData\Local\Temp\cEoi.exe

MD5 40d42860e0c861394fddb9b7c1ed574c
SHA1 1cbca0b4c9b73e559b696fab2496c7c1325a27b8
SHA256 7ddd77b3a72dd02ccd677e91e36f87d414e15bc442858cdbe06e2c383103c31f
SHA512 712b300157386772b45106f524c859b61ebd971f3c829cd1b60e0531fb8ceb837de040426496f339a51caba28c2232f4bf5bd67b87f0df0c3ee3f6a9c792c6fa

C:\Users\Admin\AppData\Local\Temp\lYMIwMoI.bat

MD5 2298d375e0820f15e7ad7739437be654
SHA1 550e5c316155f3b796bc874353233cfe301e0273
SHA256 a53f4037ea466be73fcfc9262a780966c81a229d37ad01f1dac88fc3aa75e50c
SHA512 1d055a9d614f8814bf3ecaa089ae77f76d7998a9c4197f805d2fa0bc34b1d5ad39d0ec781de463e5330cbe525f7afd15924734b1ebe4665fdd08d64b2195fef3

C:\Users\Admin\AppData\Local\Temp\OsoS.exe

MD5 b7f42b7e7de2dc46e3434f4b8a95891d
SHA1 50fcbb1d138fc2c8ca5b97ee41657eb8c81ef6a0
SHA256 247a65c1164b3b033f67e0b165a56630d5986bd082ba53ad068adc0d25743539
SHA512 46ac6e88299bbbd290d0b73db93d3281e6e5577ec70d314f6fdaa38b659a925b4e707ba0c7a911c52a710d9a8a3c812342860e3db4b639f538c10b2ad98fc98f

C:\Users\Admin\AppData\Local\Temp\Qgce.exe

MD5 e2127c610e6973bb6cda9969208bf14f
SHA1 113dea34781a814add2abcc6e599d301e9bf14a1
SHA256 5fea656721463a1fa9be168c632f8d7312374d2dd8e56e17ad5eb5c16979261a
SHA512 aa2ebca2e60d7b93e95104c0fd72cbfc52f5d657e9f2608209f0723f81f635d9246ea88c089c5e9935fa2c74d55340929820a50b05d7cf401ae41e9b49624a61

C:\Users\Admin\AppData\Local\Temp\cUUC.exe

MD5 0f439a54df9e8a0777ee5a08f31e2c39
SHA1 1b3abe29ddd60f660fafdc7704047b8e465e8886
SHA256 cecedd041cc000c0e4cdd8a3657423d9f0d8c2c6738826c9e09a7f3e9b425cbf
SHA512 921c4097f6109446af5a15353558d296fe78a9086cc22546627837483319b117f03309c53a58beea7ff7b91f20d75411202d6b2eea800be04c886ce90a1581d4

C:\Users\Admin\AppData\Local\Temp\EkEg.exe

MD5 4d0f842794ce969b92a0f6abd401a8d8
SHA1 0bc05471ecc64c0db3aeae67d5f0058671b69f7a
SHA256 3e4d7aab7b8763daed35def230719a5e812233b0db6bb289dfb1832bc01980ed
SHA512 25da592cfb12e12411c73f6a02239b5b400f40af37a1eeacd4f2d404fd878412974166e6aab1c56cb5edc3c4a488afad36111c0b77b2bb139596de885c9112d1

memory/2484-1403-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1208-1395-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2096-1404-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ukkw.exe

MD5 c7cefc2cb66480c1a27528e3ba85207e
SHA1 bfe27f0f99cef263cd53f93930b586f01ff81f62
SHA256 d2ddf110876ef76eae7cf70ec43353a8860b8ee2d1aa0974b80821092e851510
SHA512 00652518a1d33815dee747bb1dd2966de7670ac68d82ff78a8e66b55fe4eb725b325ce8f7d05da29d8061864e2df345b638364fcd0443ed2526c9eef7b044af2

C:\Users\Admin\AppData\Local\Temp\WcgS.exe

MD5 921e158461f4b29c755ee6bb4022fbac
SHA1 955f400cf8f3b588f4f6efd9a37bfb2ecfb84cf5
SHA256 38b3f15291f79370cbdadfc6bcdfb9dab2a306f25e57e0260875413a5ff44355
SHA512 55e13470e755a9ffb76dcc5eba00b9487aeabacfca0e36aed9c8a2c14937507def804eecfee7edd8cb1373a5417942579fe32dfb9ee8b3e30d3b2b1b8a6f76d9

C:\Users\Admin\AppData\Local\Temp\KYIK.exe

MD5 731c03c534048e876ff3469a4790ab15
SHA1 5b1591354134e4126eea39b24c7376b8e3d5ab33
SHA256 1a7bc78f513c964221af2400e16190b5f03d25e9a37f3473accbaf39afd60756
SHA512 5156a8783b343ff350858cb0f0b47ca7dc6981bb9ef1c0aec8737374f13f41f6a854ae1c11c35055d107a1bbe626045fe9fb72727d7b9a2fc939c88a9289d791

C:\Users\Admin\AppData\Local\Temp\PaQUYgsE.bat

MD5 b89dae8f25330eb7c65958be7fc13016
SHA1 7e0a3ffbe24dd94a8ac44fd0a388845760aeab4f
SHA256 8817db1abbf193110f949ac2796ccb47fe681c991d2d086ccdfe56d37fe8bc03
SHA512 936d42e8fe20a2b2a86fa7436673a1281a27ed6c6b5b0bc47d1b6668d8162f3dbcbf3782d89f39cac2b044aa446b5dfe816cb6ff6831d16c70374adadbb69a20

memory/2096-1480-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iAgs.exe

MD5 b0653b4af5b7954cedc79feb4302120d
SHA1 491e0e4827263203215517ebf714a0eacb1006dd
SHA256 06a0d5a651b04d17e6372ed732a58b48c1c011c6a0fc85f212b9804d9b64282f
SHA512 8f7324a2e8309871f894a0bf86357dde625a5b89ff807c8322a9389c8de470e1bb914a9d16767dc79828a27f299ac88360ad5287e6f66186970e6539f19f0a58

C:\Users\Admin\AppData\Local\Temp\Cwws.exe

MD5 f728c177e319bf2249ebfc767d9b79ac
SHA1 4791e89ce1073ee4a6a65788ea0eedef633696b7
SHA256 7652cc19b6998bda2295ab25ba2e44206f5aa23f63e057cb51229383c8e5c7be
SHA512 4f485bb348c291f2a5b9788367bcd1731e0fa6ac153b23f130fcfffa5cdf350b711847d1717ab89df4f4c129b4c5b25607eae2688c3117467a6b32a9db80588d

C:\Users\Admin\AppData\Local\Temp\wowo.exe

MD5 8946e6291df304238b59527729cd3adc
SHA1 9e78d0f51742b53442abae17580cd89a10a24d04
SHA256 d25526129f2f5b0d3bb35781b1e12c0bb33650f41a28d4a1335ebf5a04d80f44
SHA512 3432fa315a5d3321544884ee2ba7b56636e9efd41c7b0dd6a602800508077484cdb9e4f83368230252592da6fa5d56decd071865db7538dd98baf331cf58ddc6

C:\Users\Admin\AppData\Local\Temp\UKcUIoQA.bat

MD5 a4f9dd186f2bf24edb9eb3b1cfe27a7e
SHA1 77a9d79d33d659e75e6e2b3fbdd5592fd07b7033
SHA256 0e82331e7063765983c0c6f314af6757a2fbfd0898ff9c27539e0d9ee753895a
SHA512 902e9c5f9eb76b414cb83751d89e5ffdfadfcc5a591c689d6728e28694c7e4b5ee507eb110c79eb2d2176cf331d31c45bfb1e0ba5887239d4b81803665c2fde8

C:\Users\Admin\AppData\Local\Temp\agkm.exe

MD5 2ad14190fb9fda90af4fd0a34689f6fb
SHA1 cd2932edc0fe78651079ec64cebbb69fbe024d37
SHA256 8c13e3238f3027fffa91a2fcebe846410d075d6acfc43fd3166fd0c308ddf539
SHA512 fbb6ecc4e6cbf05ec774f17c0ec00315fd1a28ad4061a2527fe59d842b8c35869026787e49d6695b65e7b6110433eb5889db2bb00afee434e902cb87ebd88ee1

memory/1540-1551-0x0000000000260000-0x000000000027F000-memory.dmp

memory/2904-1563-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cAES.exe

MD5 6a12a14ff808db63a7ae336f60d6dd99
SHA1 126d26078296c08c744a0c5095b4af632dae4a21
SHA256 1ce50b98dafc46f387063116d82d5e28744e9b81d3c5a2dd60dbbce67cbbe8de
SHA512 316a1f54a482f3b57eaab45d0e196beb9d07e318efb81ded3df4a89cdb4fc4d6bec6c900a44607df41c0a3ec151456e6cf8d049098531acdc2c3200a2286e85c

C:\Users\Admin\AppData\Local\Temp\KEwM.exe

MD5 444c9db5f14b87be74d0e2bdfe4fa399
SHA1 df96670de598f7578fd013a036390f5634167b5e
SHA256 0330b3fcfd22bd926fa04df38dc632f8b9f73d2a4c3d504742e5a21bd200ac3b
SHA512 9d2ce71b86e3075ff17d7933327b840ebae3b3a64fcc1bc711bcb3fd493bacf095de7ff775c65319a70b85c0d1a209335f7cb1ce32f7a2f5c0a2430781982281

C:\Users\Admin\AppData\Local\Temp\igYo.exe

MD5 14855ababaef446f0ec1040302ab09bc
SHA1 0e1857a249375bfcdcf788b00abd66f38b253543
SHA256 4ac314478c85191c14e9829665e24758fdbcd029059920348fbb798556ddecb8
SHA512 f96092e1fba7d65c5fd0a6935574e4f03c7f2be07f4887ed4e8719417ab904b49748d86f65b2fb0aa6a64b32867223e84f98ff72c9f934479b5b46db0f4b22fc

C:\Users\Admin\AppData\Local\Temp\OMcIYwgc.bat

MD5 6565edc1934d44c6c9c3e23a8aee3a57
SHA1 c471bb7e290dd7885307791ff2366c6bdf8bbf56
SHA256 c8323fbc184c36b93113d80780f38502b8defbfe0998cb0a8de2d5fd9a454fb3
SHA512 851e9111706779633d611d966fd541cfa4e43b76f77a69e481b21ffd32b0363301c8ef24fab434d4c2b9e652d48fee217b23a3237c937d9746c716a7d0116175

memory/2640-1621-0x0000000000260000-0x000000000027F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SMYI.exe

MD5 c68ef41f14b15f7a61f6bfae30431cd0
SHA1 2002595cb7011cae6ce31b467a3cb0c8a11e20a5
SHA256 95cdf297fada6ca14130f0dc06bd3243b5badda3e6ef1e5f730bdd6ff8f35fa3
SHA512 ce7c3abcab2f2b0955cfac4e177f7081571d0c193ae10f294114fcef203bbd51c066a1cf3e3b92f19f4182534a70ee64bcf594c0de99ecefd489c13a9ec767b5

memory/1756-1643-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KUkO.exe

MD5 e204ba7e4be8319815c2ca990d131858
SHA1 89de558123ecf2810204674f0023ae7f6922d77b
SHA256 22a1ddfa260e6f71807fb7b7eb2c1f7ffae59fff8f7c0f41ac8216f3edc4da01
SHA512 508fa2b2fe535c58315f90274f267b0196d89604851fba0102b1d372428ad804132f7fa17278b52a972522b81cef565facde7eb5a894ec9cbae76b09823b158a

C:\Users\Admin\AppData\Local\Temp\IIAY.exe

MD5 5820c2a5cf1e5d64f5853d7e4c9c397c
SHA1 f574c3cdda8dea77d46ff6bbe99d41cdcacc4d74
SHA256 a785b10c641e484b23199082177f318d320c44cf5133b38a25b66a784fae6816
SHA512 eeb3fbb2ca6bec617478f320a876ca256b0cb613950504a58acaeb7f47824f7e5889cc016b37d972912e18072ae691d5e904c690e784f3f252644b104ebc6b46

C:\Users\Admin\AppData\Local\Temp\yQMa.exe

MD5 f7b9eee3d7cdcfa9569d4800b11bd1f1
SHA1 55d95204d37f7940ddaae70e422df889a75e5680
SHA256 bc4df102881c960a90fb04843c2b1deef1dad9dc22f6e4746a198348a693c95a
SHA512 ed735661138e330539c920d573c6d781c074940c334f3d9e3cdd5c4659027a1af8d028d0cdaa62417ddf66a506439ef82f309412511bd01c846407f1fa4cbb0c

C:\Users\Admin\AppData\Local\Temp\ukYowIUE.bat

MD5 3559e60abff9d15fcf10f9182d9463d3
SHA1 f5151d9984490fe8448b0224ca2b609b3530101e
SHA256 77d7ccb5bee264eb46b27015c9b66798ef34b8c69df2d8e90c54b3aa7aa6151c
SHA512 8d36cae2a5152de982e79c4afae65266df8d5746a12f1bbe59b7bd6d3f9f75cb4787fed3ed5d4e560da5351b8e5d5ad819598931a9c3cbad2389c75f1bcec792

memory/3036-1704-0x0000000000270000-0x000000000028F000-memory.dmp

memory/3036-1705-0x0000000000270000-0x000000000028F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gIgg.exe

MD5 01a1339ec85d7253be73054931f3a055
SHA1 904865e82f8885d31285b5d591368a25b682507c
SHA256 2002a57919dcf139a1ce769dcaf2a1f3390e9fa6dcf35d72686d00726b286d78
SHA512 eaa71c5638834cd2c1558ac76be056fdbb234f3dd71dea177cf0b462b349a04bdacbb2266e386e24c3e701dfae38ae669e68866b09b767427b8e4f6b9bb535a7

memory/760-1706-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AUYG.exe

MD5 86a032a09f0ff1b50eb59a9e6a21a63f
SHA1 0895d3c4c8f6b1bdb3e52402b923db6beff2213f
SHA256 93c8b4fd993c8a739e00ac499b08c7bcf9a264eb23d37f91d119c7de9b204f75
SHA512 783e0ae60b9f814cbd11d1dd3b1db360a07d2a04261b9e165f000d642454a9af0639f18a8d137220696bcae709db0f0dce9add284ce4aa1a02b90a2cb16b72cb

memory/2380-1731-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IIsg.exe

MD5 ad7eafa34042e7e322f5d0279eabfa71
SHA1 ceb95da6f8c56a65d3a2c7c2d9c4d60a9035f72e
SHA256 f74f39fb8cc1462b8b3749ac500220c8218c00f1e7fa9a55ea76a567be2e9084
SHA512 9a4e8be15839738f2d9c7813a358891b658b63e91c829250ca4fc1e47ce774396bd5efb7dbb81ddea8ffd76a2eef0ce463755c69f574f9b68839bd98aec08f46

C:\Users\Admin\AppData\Local\Temp\wccQsAUk.bat

MD5 13fecd524a8af3af517e8c203851036f
SHA1 5dd78f8c44d3fc25dbfaa829a2013fc210b2b6ed
SHA256 88b5c624e493191c5244bf9d0b0735aa13384e69fa7dffd6ffa02f4f65ed8891
SHA512 b55230f73ffae5d91022ff657b60f12cb9a10ebddaf327c09e5a6ef5f78c601484a8474b56c28df285ce288b9d6e9fcf1c8164c394bbd39f2fe3385ef98d0382

memory/1948-1775-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2072-1774-0x00000000002E0000-0x00000000002FF000-memory.dmp

memory/2072-1773-0x00000000002E0000-0x00000000002FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iMUa.exe

MD5 b05fa5c90d394991574ae41e85caa7ee
SHA1 0d37b85f3435258dfcf8230e6804c4b5918052a9
SHA256 b9ba89d522a933ea91aa3e9e2aee7c1b49e7274212e031601f02871e5cbcfddf
SHA512 4ac25ee038e956d0f2276241653ec21f3462de2dfb59b272f8d79de662f34e217f56ae9a9006c042b506abc0222f95fe5741e35c95f37fa72444f8596cdbe899

memory/760-1797-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eYss.exe

MD5 3c1348211768587ef2112c0a9f8488fa
SHA1 7f05d660cd6d934ed74009abc648b34bfe60160f
SHA256 19e23ace3febbeca1f499aee835a13e57bc33e27cf8dfdc2c24841434532b37d
SHA512 d111795f6a4daf091f52391cfa407e45bef874c56f957c550781989c6469a9b61e467b2b220435f1be7ffddfc5fc19cd8c60ed9591e49c4c189f9b0b37b65e88

C:\Users\Admin\AppData\Local\Temp\JSYAUoYw.bat

MD5 96449040d8e109a58dd237e62371e3a3
SHA1 3dac43a0e79edd419f127960e50267ed0f1fb331
SHA256 228082939f512446d5eeee24f077912d390c0431d74dfc1d5fc6275d9d2d9404
SHA512 1597e3259eb510222477544edecb5b92084cc2e64b9fce5faaae3ac8b12d73aa4236a52f46b270c30a004559c37c5e31584a552d5b9694a14baf15a3e9a3f591

C:\Users\Admin\AppData\Local\Temp\Assk.exe

MD5 ec5ce417f1f0fc9325dff2697b5b4b17
SHA1 d79c0e29ca5a80a0db107f036bc03d6e4eec132f
SHA256 878361dfb34572cd08f71c534faaee97dd64d8553e4f3ce6ef2cf708aa15e667
SHA512 187509d354ff7cd0fa79c404bfdd3466a5f2d7dd132324a8c9f279e253a288bbab5b3b00ff52f6bc92d020912957105f0a0dfa2fdee1eaecd196e18512014e51

memory/1744-1841-0x0000000000400000-0x000000000041F000-memory.dmp

memory/848-1840-0x00000000001F0000-0x000000000020F000-memory.dmp

memory/848-1839-0x00000000001F0000-0x000000000020F000-memory.dmp

memory/1948-1851-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EscW.exe

MD5 bcf0b8659e7024046040551b83155e82
SHA1 1817ec4b13caa3ea86b407d2d7a63306e84b1129
SHA256 4cd48746102949c30921c2a401e84d98d391d69dfb9a2f5a5886e13a811c9318
SHA512 ab47f544da5b16b281b2772c1bfbd9c29cd8c3324504b6af412a899d554c48a1e4fda43ee648fcf32e353d9b629b1c3cdd72b2920b640b30bb3c83ab016c5530

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 38aa2097c5e81e4cdfcf784b5921d66e
SHA1 f555ea26c06eccd954cfd89b7f6b1ab5d0e39bb2
SHA256 74db65bad279d1f6e2c18ac6e8be0fa634a5c31255ec5caaf7529551bbe478c2
SHA512 e703027fb254ca4e8a6f69049938c6a0f177f6e882e5ff4563888ad2ac50f9f2fd5d2182e5bd4d1871f33ca7569e0166ff3a7547f29b9097a7b30b4572dd75e4

C:\Users\Admin\AppData\Local\Temp\ZikAUIMk.bat

MD5 782befc692539a9f0b6f9ccb997f28d2
SHA1 e1613cf0e177fdfb11259f8402191c049aaca887
SHA256 2f53cc09fc4e4fc27c083d288d4fda7fd524781ef374e2df640e7c499660b058
SHA512 fb8e10eabb61be36ed96acf081157d43d91c9df2bf58eef031e4eb4805de8005ed90ba452766e7203d298be1e6d59e1bbd264fe547c792ac745864dd8fc26530

C:\Users\Admin\AppData\Local\Temp\CQgw.exe

MD5 e2d92e7ac89c40806675ec26673dbd05
SHA1 c20d33730ca36707c2426ad2b731eaf9b5829d43
SHA256 1f26538514c76ea9bb89c58fefea46d6be7bb20a236c9738a0eca087db895d21
SHA512 867f2cce6d79d8da6e40aae873989d906d6db852c407d91ef4bb2d0b883a9aa28eb6dc7604d57c8fe2e92e97fcfb9764b2ae246d320dcea4670609ab930a4fbb

memory/296-1908-0x0000000000260000-0x000000000027F000-memory.dmp

memory/2580-1910-0x0000000000400000-0x000000000041F000-memory.dmp

memory/296-1909-0x0000000000260000-0x000000000027F000-memory.dmp

memory/1744-1922-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ggkc.exe

MD5 1d86bdb8b2276dfad9c4376bd913e12e
SHA1 7a3f152ec704267b4ce29c343acdd538eb7a9e95
SHA256 0fd8c6fbf19a1c581495b207f02dc7334ca20a1e712853c737a60e71937536b3
SHA512 8e82c9d0703a8a27bc194ce3e3b035fb97f3f3ddcbb0caeb4598d7073204a5979d57aa0dc9fc481478f7724e66783b9bc793e9b910d83e1c907978996d3d78a4

C:\Users\Admin\AppData\Local\Temp\AcMs.exe

MD5 3779817ae82960880098e3dd9535b7d0
SHA1 4f2030765970f4365566cb80a28574d11a082c7e
SHA256 c087aa2dafb9dd266b75e36eb3962276bf31973a4a9d95edd864a3099c6b993c
SHA512 fe2f454661bbb393707cabf3f5e280d1b53f4340a6c2e068ac83732601197c97e40d40c1f27b78f2b37f47f3e31c0367bebce72d5a2cd85abb26f76faa90ea7b

C:\Users\Admin\AppData\Local\Temp\pQQwwYQs.bat

MD5 24a4223d8e1612aecbdd3940b0ca871b
SHA1 13b596ae293b97cf2419b881a38410c2e35fc393
SHA256 c6a18a1d96ae2042f07072893fad585aede95a597522da7155ea8764d390f902
SHA512 6a77981d0e5ad416d217be03d21db6b6c505d337f9ecc5dd68bfd23d9524d219f4cb84910de8c49bb1dbaa0de7c01ae29a8a6c980b0dc6fc7675be57583c67d0

memory/2692-1978-0x0000000000130000-0x000000000014F000-memory.dmp

memory/2692-1977-0x0000000000130000-0x000000000014F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AUQA.exe

MD5 584780bcdcf59162fa26d6f4f8756127
SHA1 e2cf943efc7866d3f8539e5a8fb509794ad99664
SHA256 67f25ced5474b7dcfd22500678fd317a9c634eafef09b6d9dab466a5cd8be3a1
SHA512 b3a31fb1ee722e4f536c5422569b8fdc051d0b12cc2cb95df411a806ac4f2b50e7770ca9942ba8f1b44b54961039378d08d9cdea993837c2dfa35c92dc825ddf

C:\Users\Admin\AppData\Local\Temp\egUe.exe

MD5 eb61efbceab63236ef2fb4f5d5ebe585
SHA1 54fe0e5f4bb699a33a4bb1a28143a5308703c56e
SHA256 f0d733ccda25176b6f0042d75bc3cdbce53e0b962ceb5253bd3055daa22c8c56
SHA512 174335926a7beea6f5316653c3d46c7cd670355649afbf55be58ca4e41eb0dd3655c6272edf345e2734ef1372b3b95170e928a28487f72219ca5bffbbd204277

C:\Users\Admin\AppData\Local\Temp\bSwgEogE.bat

MD5 e13e9b965750e282427bdd86db6de545
SHA1 db7c2bdf038e54d1a57fc22d93dbd207419bd9da
SHA256 58f3a2a244f29cf542509fa28bfe8436c8c1ee25fe94f622f14a550ac36faed8
SHA512 66a4b971fa168f7761a2f32553576b94530862f4506210c84d9e345522ac0c43791a1c0daa4548c54cf3e07625bf68f31205700fd8337a3deddd2f18d842e0a8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 c65c33a5230d9e5771ec04d661910b1f
SHA1 492c1092fdecc83e97abb9cada75409832b3f32b
SHA256 e3f94525f1cdefa66d0696784b651019db03ae75fe975d9196b003f6392a2b99
SHA512 8eedb3528b9b093a5734cb8f886d77bda1761387311877bd8687ad742a26e9e6d5e548294152aad2375ef4d3f0d8b52f5a37356546f38aa0d9e7fde65f43d16b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 8bfedb45d3d0e68151f7309e00bf199c
SHA1 b8a8350f951776326b676757f1a8e587a58b2b3d
SHA256 395df0e67bb695c0cfac9c6d8a0fa13b45bd5bb4c4d1f766de101f032f60bc42
SHA512 1069b063f7653b53efe25ff352660a97989ed5e82f760479c7ca1253703187f72b79eaa17e99fb8acc2a3987f15cd7d72128017e17562ec28751dd748d5de611

C:\Users\Admin\AppData\Local\Temp\KEga.exe

MD5 445659fd7ddc95014506466ae6fc4757
SHA1 2de3d8fe7bc32543b64ab35e9faf2dfe24c98a4d
SHA256 5564de039420684186d1e7dd85b632b133629b986238d872baee338efe919ae6
SHA512 10e1a968dd209438c2b185d5b661b6b3ec46ea533bf9deabf4c88c0a1743faea059cdba221b96b5657788f40d4e3741ab06ef401ad38239665a5bbc8035e093c

C:\Users\Admin\AppData\Local\Temp\mMYQIkYs.bat

MD5 71319c2ee790cc08713f755917fc2695
SHA1 d17e78e174e09277edc586f939c225a2eae394c6
SHA256 3386778130f649da023d7aa2a63f1006e298afe3bcfbb4d341eee0b3062519aa
SHA512 8726e53e9678e1a2bbb69c928d02e69078fd1d250f3812fcf84f5c1f806ca8720833d97b2f08024fdf7b697fabf7b28d71aeb93b87ff1d5d5a3eac13fc456c21

C:\Users\Admin\AppData\Local\Temp\aQgK.exe

MD5 2db373b8680e0ef64ebb054703537630
SHA1 055ae6f3650ba1132a3376b2208e32b33df7c7dc
SHA256 b915f1ae6ac085159ac6a1ee4dc5a1c664b70f522633a390d19de85b6ef7e684
SHA512 327d5528e5faa0716ac9d8bb413e91a7c6dd7ec33399684ce3ad2ce6e94b654832b00e67526b940778eb2405a4f3858d37ba24485c74273ef9df46fee885a748

C:\Users\Admin\AppData\Local\Temp\gAkm.exe

MD5 da9867548b76c269adc442e23324bc80
SHA1 56e8b442b69b18ef7eee9165011309c761177098
SHA256 b9e2f7853d1ecc6865c1f63b884808f205c98edd49fcd15f2833110e3367b407
SHA512 478c9514164c3e7eb20dbed7ee9f409a61e6fc2b7311c2c22aae1acaa579c9d754ebce08ff4a5329bb33080ad467be5a67ace3d2fcd11a336975902df6c3b915

C:\Users\Admin\AppData\Local\Temp\coIC.exe

MD5 a9cac946fc46019df8865ef5c2424a7b
SHA1 fd3523b9769e29d0af5e9e1b910ae92552dd0fcf
SHA256 bd77b9c1374a146cdc534f3df7599717bb2774c4111c181721e22fcef4a4a182
SHA512 1bc45c51e8c1ea0fbdd0e0fef9037f4d343d4b93e06ca12a1e8874da2b98f193bbf477beaccad336d4a06cbd6b23c121c7b8343df96dcee6f66aa3ec636c9ddc

C:\Users\Admin\AppData\Local\Temp\kUsG.exe

MD5 dcb7934122401ed81eefd9d9403b7c56
SHA1 5f1c6cd0ad4bb44e5bf5e9030d38397cb2a7085c
SHA256 d2c59b8c5e95bb4b7e29947c0dd4279f5fde9b8e8756a9878ead6530975e954a
SHA512 1c2ac154f6a8e8d87f84d7ba808f7563ef1efbb832d5246a9a616539bebc9993b47da8a746183cf2aebac3cde91e47ae4ebb98225f3b4416e11d920f55609bb2

C:\Users\Admin\AppData\Local\Temp\UAEIQAsQ.bat

MD5 b78f3dc53b6355e9b18fe7620d7cc8d7
SHA1 7f9152852952c03fedd788807888190b91a462e9
SHA256 9fbb542aaee71bc27f9669a87a55c28e0d0569743c5627240b1a1ce6fe66d849
SHA512 effb25807abafeeb47b6d15e533d60f963eca9bca13d4eaab824d68278930e4a0f2e59e06e1e78c2a5a6ea16004619293dd8256774b4b1d31138201f6ed6bedc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 d2f2d5e0f46c42799defbb3ca8ea4647
SHA1 3098ccb3c4f96dc12fa9af89042ccfaaf46815d1
SHA256 e75aa708eeab5ab6f44a615a2b0468163d9e8d62c5f03172ddb31bb56b131ec3
SHA512 ecd43ebc7dae4a02ce46cfa413b000972e9db9b1ef1c23c0701ce737f70964b1f153247f7990cffa07e6849e5814d60367665ef41fa1d3b0c2a3e7389d74fea9

C:\Users\Admin\AppData\Local\Temp\KAMK.exe

MD5 baa4d64764e4053762a9ee88f13920bc
SHA1 381dbb0baa0a46d5fb476c9e06529a9d46be9a0a
SHA256 d019957cc7309071dd585014b38a2e7f9f15ccefcd4c55453911b17800e9b723
SHA512 30ce5d75e8284bb4a1c809c5051164b9f1d47ee12756308033e73c27410b2da11ded16eb49fa19abc56a360f1ad953bd7eeee54f1a1e66ddd034307e60e6e611

C:\Users\Admin\AppData\Local\Temp\yQUm.exe

MD5 f5601870f7b51a0cfec8ce94e0792040
SHA1 962c472372ab62a63d4c83f37c5f6c5880619a80
SHA256 d4a2692545d424dcba76260e0862b92b7bb0dd54ae4d20d528ed86d4be6eb607
SHA512 3450b0832261757212566adc26796470a5a3a778b47ad9e41c50ac8909e612fd695893a63736b911f4b70311a52a74a2fc42ec05c1d3338cd5fa901f7a6123c2

C:\Users\Admin\AppData\Local\Temp\qAQIwQkc.bat

MD5 cc8c0dbee512129ac9f5ff82db0ae345
SHA1 ad435d27af7f9b54ba4e6ec58b35310868040d3a
SHA256 8041856e6553a5dda652ad052f08bd3962ed590124b6d0fe6410503dbcd6f7b2
SHA512 ee0ae5a76f79bf52c9fa93dc50f9d070a6eb8899c7a04c8b87322909b576fa11aa3b4a7b15fa9c864da4c13259255f3ee3bca20c64da21188a6ce38834d204f7

C:\Users\Admin\AppData\Local\Temp\qIQy.exe

MD5 fa7d7becba749dd08bd8e228286fec88
SHA1 aebc19b1837ee9bfcfebc82799b63386bf64caed
SHA256 bbb143fe0bc3667cb6f4520791be2edbbf2896dc73fdc2009d37afe54234e8a4
SHA512 92b4753f7fa4ed6c1d0cadf531bf9636ea96f5de46a0cd47468fab3df7c8f18baaac7a5aa602b443af576bde99d84b615adc206936e896758741296addd8a41b

C:\Users\Admin\AppData\Local\Temp\icUy.exe

MD5 6f6ba7a6573084f298bf8064ad57fd05
SHA1 ef91d524700442535d4b36b37bbf41c27cffc707
SHA256 e59237feae8f0344163c7ca8f111e7e748f3cc3ea352bafba1f285ea9528737a
SHA512 88e82f4b860ba30bb5329eabc1d7c03e52951a670f4db6d317b86a93eec3dd367f57799a99a36266f1ef42b14d71df24fb3d463b814700b2c207c36bdfeaa8e7

C:\Users\Admin\AppData\Local\Temp\IuokQgUQ.bat

MD5 e74da03487cbf54e5103cef523fb60b6
SHA1 bce91d0f3bb270c55ca437be071e0f32f26c049e
SHA256 372ab3c4b7c575334ad702b45270afe9f9062fcef637aa3a839a58505b01d016
SHA512 8bc69b58dcb78ea10adb5c974af5e6d792e8a013246612beae4191b81be0e73f21e6351868552b9eec811fc69e4bf1decba5907e49cbc486539a69b693c276aa

C:\Users\Admin\AppData\Local\Temp\oUAo.exe

MD5 5572d550be420d973adbc4a987b77a7b
SHA1 7a9168dea55045dd0dd6380bd154b05ae1643766
SHA256 5fc929cb8af4dde7056ca788b1d72b9f74f7ab2f5a7590c02bc0dcdf0166c9d0
SHA512 ad6742124bde9e0cfab7f84060c42e32c228b826da0b194560c0d10d2ec103aa78ef0872dc3f2def8441f7b4410a94e4a9014050db2f2bffdc4e6f3ece4a78e4

C:\Users\Admin\AppData\Local\Temp\ScIC.exe

MD5 74f9dfe5214e9ad4c552f46560b31bb5
SHA1 7080f570b2966c1d05b37048bfdb13c1a643db9e
SHA256 48716c509311b086f46bc6d4f8dc2d1c795e967a7c7fc779c269783092bbc602
SHA512 9a19d9b83c8ec6ef9bb79bb8682fe9fda55b49cea03a23012551aac5f529867a24bb9f36bd97eca11d806371323efde5f92ef8780d4c3e7f7e9c668f9d577286

C:\Users\Admin\AppData\Local\Temp\EYAkQwoA.bat

MD5 0dfdbfe400d4c2b3f4af91f0bb815324
SHA1 7ac6ea19855ceef5c219bd29b0d94a2f4458532a
SHA256 d791ce5b066b9008d4a5df7afbb88b1b5c5b380a3eafaccb468548b739f2ff9b
SHA512 cd06f6197d6bdf3b128e9298884fa183b920900ac46ec53505bc64219d6e2343d689d37f249afe61bd0a1884f6101cb7145a53a459492f5364e72f8517807f36

C:\Users\Admin\AppData\Local\Temp\cMYM.exe

MD5 2cc19e02af0ab4e196ef860b6de923bc
SHA1 08ee1790b9e13f2e85abde959299fe9486cbafac
SHA256 818d5b64404d83c6a66b19d20e64502d820d3114e511293f796db3c0eba7de54
SHA512 392206dbb29e962e7241509a642f6c40b43965519df8a70185d8a4cc38d348f966e77d7098ac80399d2cb36b0136cba7dbc75651df76be72007a5723c6841c6e

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 32bffd6adb08f0664ff3a956ddfac28f
SHA1 fa841d07bb8bed70683f13121bd7c8c7e3493eef
SHA256 43eebe6e5a93bf70ce526822fe4f01b5664ad9e82b29dfbc144fb928400e0e35
SHA512 10d94b37b0d670e98678bcb010810d8e8cd16aa956cdb3a445660f673467a32c638f0512ae6ea296c19997733058d9ae0c297fda160f222bb92b36e865ae9b91

C:\Users\Admin\AppData\Local\Temp\RwkUAoEA.bat

MD5 464fb530077e6e5a17f5088f25c8ed1e
SHA1 df5d875d7a5cfc8f9e8e0df139428ef7810e0e34
SHA256 7ce638a644eafcdf90354fe6335047b41ec830c64e2b119b832643d59ae4fd0b
SHA512 90c31b632f17d4f20d4a73dbe7bf0b80a8cf24861ce77a936d481dcf6f025dc9e79f5fe5da2e17ca846a810144281ddfebb9a928d566e534233c8226f8e34b44

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 eeefb63a1959ddb49fb8e053a8a60230
SHA1 594056cf28b37c33589b2e28f69aaa09ca65bf9a
SHA256 73f500d57b89b9de18f665a7cd470641058d3ea2f0b20e6038bc9d357e21938f
SHA512 5ab08d39bce1ca3c7495e6f2aac63523a0a5fcff8bd9270c7308ad9a30cd74e92fc65d0a00404564ca6f57efc40a97eead5ed7aee83400c03f2432f00f094059

C:\Users\Admin\AppData\Local\Temp\TCMwUgQg.bat

MD5 e4a9d9a91d024531ede3d245b53948f3
SHA1 cbfdcc3ccb6d222018f856bd906abf7d389b9b5a
SHA256 4db07a07978748ab0dff7b53cba125979822b148b471466892a83eccd140b318
SHA512 ba0efc45a44a8446155219ba16b93cc37be689afd5757e774274433de50484744d23901d4937090ae30d2b4be565d65ecbc1a531e63de019cd685f6bc37f7d7a

C:\Users\Admin\AppData\Local\Temp\kIgo.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\GAIg.exe

MD5 e0b52410bb0e675eaddb4db3fe9d1e00
SHA1 9fcd0745e9d50300b41da7de0b2dcdd781c4ab38
SHA256 cb380ebd62cc8d1edaab114748035b71ad02a60b67cf64f989eaf1078b0e0663
SHA512 ceeccb6aeb22118221a143d7bbacb22d227c3d537a1c4497ca6d36c85cbffdf068012af6f9a36531851a6834aab7a2f9924b71b3748c41cd61bd6e170bf854dd

C:\Users\Admin\AppData\Local\Temp\qAsc.exe

MD5 3f55281c0c3a782ba560ccdd9c8a01c9
SHA1 eb2f69ea075bb1bcdd382c53e7610c30abe21a4e
SHA256 352d2afe4d4aff3826ae0c1e0cc4a474bc85bdaedd063f128691f1dffa91af04
SHA512 e8b1369fbb4c0d8b93f38eb70f9e2e8366ff4656f05b76076a631649076a067b55a4ffbf384dc4d313bfda8318b859dd50e9fc2b5d699cd0cffa5ff52b836610

C:\Users\Admin\AppData\Local\Temp\uEge.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\ugMS.exe

MD5 d530435c8df511947d56434f1e28cc59
SHA1 12e6c8664eb6f4848f35daf63c6b6b9e43e19d18
SHA256 79f634021e6d89fe81250ffe1c570d96411180fd3ee38cc218b3133f4a851fbd
SHA512 95e6033c1e4f2a31bb896c6ae35098931bf04369d23b2721d5cc3d63c1352c1ca4b7637ff1ac99f4829b62aea20614125bade8eda5d091382b0fb76e060562f3

C:\Users\Admin\AppData\Local\Temp\gkww.exe

MD5 87160407f4bb324ecbe65bcb354fa801
SHA1 67bbd5e4cce67a126eb771902038b58a1f84a4f5
SHA256 0bec8d5f619244a92c3a692b32a72a0d11a904f5caa10fb464d99555ee6f670d
SHA512 fb32200d9f47a7ff81893f5fdac083891e0caeef0e6a5daf3f6b0d8922c4279ccc8f7f233e0b8cd3dabca99ec1e13a7c9f7706bc94f9c8f445b0e43647931965

C:\Users\Admin\AppData\Local\Temp\yYAs.exe

MD5 b05da87408693b4b4a8d75aa5c5bc1d5
SHA1 137826baea9b3688581b39400c9a0954a8b9d847
SHA256 123d85197ebc4c1cf6ebdaab2fbfd4346c32e8e810e54c834c0635775f58dfce
SHA512 5deddadadd25860ebb189cf61e9b1ac9cd86dfd260343c7f15494f19d1c03be6258e4969cc450b21b350bb6c16882c51742d24e9a92bf3281424b33f7a59f545

C:\Users\Admin\AppData\Local\Temp\IgEM.exe

MD5 00645e35d1e57834eb3a99d347bbc50f
SHA1 3f8e38376da06ca120e86a2fbc3e4821c9c35ee4
SHA256 1bed878afdbb9bbe8f269d1d6a348639bee70fef106ccf6b672efc6eb459c108
SHA512 65e09e8ec0ad691986256261da21aac2f2667c7b90c666767988f51f0f6fe811e31a51855c3ca7d7406f7d08f2571354417a81dd5deebe900711634bb30c6cdd

C:\Users\Admin\AppData\Local\Temp\WkME.exe

MD5 b76bc8cae23b28c537719f6be2221f3b
SHA1 ad8a69893cee3ccc4aae94bdd17b26b0835888cf
SHA256 85fe4ac0acd3790e080d51138e7ccff230de3e27911a27098369566b61c02afa
SHA512 ac4333ecf98192fce5c93320d6657c1646223c30b03523c273c1efd1606e5f0f545fe76e7cd6df0d444a742b534a704a585f29e172d4cf2ae7a50b3b60b786bc

C:\Users\Admin\AppData\Local\Temp\PMYoAUks.bat

MD5 6ce3413259a48fd470cfadb75ad0e470
SHA1 a0da8a72654565746d1599d5b05af26b3691efa1
SHA256 3a08679e42eb693e49fd9dceffd0f49101c58830924e30b852f5af840fd7ecb7
SHA512 de02ec529ff69d5066ea908e1956d9e739d0d72c33a303bbd1ec247852f7d3659022135096a242d3351551edcbadc7c7e8dd81980055752a0e61b7455fd62a4e

C:\Users\Admin\AppData\Local\Temp\RWQQQkcU.bat

MD5 dd1b4f0f87369d40d9bcfcee8b4a31a7
SHA1 ef2516a95451570838eb4d543f0b393e54639ce1
SHA256 dbf3ec0255be48cd63fa9b522c69cecc3fced15485db581f32d6799f3cc39a3f
SHA512 a2b84fa52dd0328514b323b959b50eab338775e27ceca8e384bb175a4a4ce13c759aa0c15137a1a7b5c1bbfb6b941418e2281fbb0a868c84d7495ac4bcbb86b1

C:\Users\Admin\AppData\Local\Temp\mMsu.exe

MD5 10a81a0a694e1afff4842d7f62facf0a
SHA1 1042563adb2f5bf48f35c61419eb5cf8c89385a7
SHA256 20a5cff5b4e02fbf4de363bd67bc3267a1c5cc3b2f46f963ba7a192b79992dfe
SHA512 d0d2e9c29752f73d92f0233601358a9e85003f05ae4e55989c95e440eb079dc9f16bbae81ba99cff59f3a36bd010f6c5df7a5a145d59275363c54785ef4d6fc0

C:\Users\Admin\AppData\Local\Temp\MEoa.exe

MD5 d59474fe957a38b9f7817de9f701e707
SHA1 34cf86c0f8a39e52b938887802a77ac716f2ef8e
SHA256 f05a56a615e111597af411b30ba292cae945ba4b924fa59f5f312ccc8c1005d7
SHA512 17afec7d806f05fd393df2077726b67e363b227d42b0fb55c8bfcf40f9565bee6e1d74552008eb1b51a3688e15c6072124087172f0cd527d3419ade00690000a

C:\Users\Admin\AppData\Local\Temp\ccQm.exe

MD5 a2d62fe94b7bcbd4473c926cf882d1aa
SHA1 6bb68e3fadfb59605b5b498712addd85a04d154d
SHA256 423480290a2d5423feb3c040bda37e59189ec3ec330328f20b0394b7b84c9986
SHA512 69ccffea893d249fcbaad5ec59c73c55e75d212924e59f0aab865f0e35273903fed131f12cdc8f9bf8eaee8178a3a7f90a75f30baca262ee99791f0d4b7c37b7

C:\Users\Admin\AppData\Local\Temp\WWccogYU.bat

MD5 19e4237670a7d588c373b946cd25d4a7
SHA1 e1e85e1de664d15b53cbf19fde34b63609405b4b
SHA256 4940f754405a5c23806411a3f971090c7443a8674bbb37f77a2c60b74f09025b
SHA512 23b58d046de54f4609f2c73874cece1eb213fafa1d82440af19a1fb0e3861158fab512a2697061a7eff80e1e49c2ea680178d8e2d68695a1aafedcd10e59c626

C:\Users\Admin\AppData\Local\Temp\aewwQUco.bat

MD5 e504549cc369c5d45f1f2fd7a0ec3fd1
SHA1 8b29afad6c3aa70933969051f1a1b52fae94ef1a
SHA256 dd407c4480f1996407444501f114c1ef2ec5a2b7de5d699ebdde68b12cf34cc2
SHA512 f56a01a42068329a76bc1955fdc08c25914436b71cb487552e0417135bf05d8edb2dc93155692cd19d62eb799c3b9c9f8fcd29d6c788f0ee0ef6f4ebfe858f52

C:\Users\Admin\AppData\Local\Temp\iMkcgksE.bat

MD5 2fc2af01f475ee9d01ea8d2e942bc095
SHA1 9a97491552f6b86f24ec3405721462d6e2b6027a
SHA256 4776046147ea3d4dff3d48d1ebc0129dbaa8e54f7e4b329287818f03ffcb0e58
SHA512 416ac7e6ed5877ad4ba35f76a627212b1038172eb7631e6cdde099c4c81e1fc6ff4189dc26da8d529d7957c3cf1255f392dc7350fadd91c654e2618ece6eba7c

C:\Users\Admin\AppData\Local\Temp\UwcoAkQI.bat

MD5 d61c70703b7dc6eae0afc5bc244f14a4
SHA1 7ef4cf9bda95e54961ac276a1b305030fd31eba7
SHA256 8d3e07911805ca0f026876da19056312685a35aaff720e22e3d51b1490105de2
SHA512 203194d120da0e2ef878920a2c442cc6d793ef2ae1ef715d2f61a5c8d99871988b619bcd9ddc32e963beb415bc74c6c01821b843a8c3c0ca9675665967c47d51

C:\Users\Admin\AppData\Local\Temp\dawUwwUA.bat

MD5 29ad90d3cf4b6c147aed7aa14e358e16
SHA1 c6c6354a60b6f0f282bc30cf3afd4ebd14640191
SHA256 b0f5568bb5bf0afaaadd53fa566c72cdb4654a50a5310807b9a0da7fa5a1dbe8
SHA512 03be4f38954361ae16fb1fe02f12bec2b85fed2e565e2f350ff21e2a65f153b256c3c47ab44d7de6d68a31f900797b897c4de2cc55fb99bd23827d25e2c3fa84

C:\Users\Admin\AppData\Local\Temp\PEgUQwQs.bat

MD5 3488913c274d74beaa312cb2cd70a948
SHA1 320a7b990564650886fa527fcb5f1deede8e6d6a
SHA256 a872c46813e96b0789062d7094ba6884e0180ade03d9b1a4509a22059b3a8c71
SHA512 b4e0d871141ed8b641483d33cf85c345f38e3b13c29572a0f0d5a005f5ca50711c4413550d09642dc0b1f7bc0894f4a8b7509807d6b7d2d52375151cdb4064eb

C:\Users\Admin\AppData\Local\Temp\hYMYgYYk.bat

MD5 6cf0d169756ece68d286be7c0c5527ed
SHA1 0f6eeda1dc6cb2852cfdc66dedfa8d2393432199
SHA256 4a47f7592a6a41a6b6766b8b3ec7a61df8f4c8d6f7d57e2119dd0a76f84d3226
SHA512 13a0855ab4bbf224cd284b77c45fb3c93eda5b53e6516f5cdcee6afdd0061c02328e9942533a9489731a0b419e1832523539efd8e697155c23184655a2add08f

C:\Users\Admin\AppData\Local\Temp\TeIQossM.bat

MD5 42d57e45f851f3958890b69ec96d0f9c
SHA1 aa59f272a357f2c95fdb4acc089c68d6a8d42317
SHA256 cc85c489c13a0e6aef76894d4c870276f01133f6cf1eb2197f57a8f64fce9ebc
SHA512 1e4bace2b985316fc2b98e682ecd748e57a6a596ca51ffa3fb48cc078795ef4fade8e6dc9f03d0f14c4408b36d598a33eae3ba9c7fcea0d5292563b383642a4e

C:\Users\Admin\AppData\Local\Temp\wWcgwkks.bat

MD5 1bc2810b59721effb5f428306a02960d
SHA1 bb67b62c87f6fb705bd07f504e74d8b222f8acf7
SHA256 c60203e194a876eb5901f088f44e0960f5d2a21b533995384e87a128048316aa
SHA512 c77d3ef4b5d8a1396704084d9ed10fd0ca8da1cdf85797c1a01d1873c51ddeb0c41bf78465529a353b94d9a905bc56248679c890f78ecee76279875acbed2a1b

C:\Users\Admin\AppData\Local\Temp\uesoQMAQ.bat

MD5 bdad788b4ff7e5a4818b256ecbbffb87
SHA1 a2fb51acfe7086d447d985f323394a4a99d606b7
SHA256 1bd113a8eedc4c3e0b2d1a954cffbd72ac21e6c6446da900453260340ce3547b
SHA512 0cba565399aa186453dd005b3dad1bc47584d8bbcfdd589fb65a816cea48a0a9260a57d38121dc19d89c2c0b0c6d25367a8c26ebb8d634160fd28be845d73cc0

C:\Users\Admin\AppData\Local\Temp\WAEoIAMY.bat

MD5 58fa3cffc21414e6b11814b29030ff32
SHA1 7085549b6b6afe6702dfb5f947217b4be5061dc3
SHA256 06d5e441fb78d36054fcfb3439b802f013140fe62f748b245b7dff85c327a765
SHA512 17a2bbab360b754f611e463f7793cca66f57a65cba3457a227fb76773e150530649e7a3d4802c7c46c05f0e6a21054efcb64d2918e6673b15d395bf91cf63dd3

C:\Users\Admin\AppData\Local\Temp\GeoEYskY.bat

MD5 2bb2c44d9f6b91da06888c84ece9c149
SHA1 1b08dec98754c37a5c45f6067986e13e0189d48e
SHA256 d4fbfc1fb3bdafe4dd5a94e1db2e2ff8543f90e795aacfa9282f37f5b074f476
SHA512 58773b9dcd5ed15d9db40fa2caebd6d59fd6683f8fb54da1b9eca8bff4a65e4d1f6d2e76e5bf60b2a829ae6e4df4a88787618ba5a1befc8b1bbaa4f32bb04053

C:\Users\Admin\AppData\Local\Temp\iEgMIIgk.bat

MD5 2ab720f5ac8e249f0ac46c86145267c9
SHA1 534d92380ca38d4d092f94badff1bdf251f978b9
SHA256 699b00c613c4cebdcb379fbcce9b2165f9aa3411c5eff9d308a218f4e52f0099
SHA512 155b49a36c630f377b9ecc4fcc27555bef2e26f366f61ff48b79e95583995c48d6f6bf46e9ad00514d8ef404568431ddb2e3d35aade9f79281b51b178cbb8833

C:\Users\Admin\AppData\Local\Temp\TQQsEYEE.bat

MD5 07d799aeb14d8376781b2e143e23ea7b
SHA1 7a697e48be96ed5cbb640ed0375b1b6fd72416e8
SHA256 1c2b1e4cb759cc88094be12554f23946105d03782b269bdceac672d8de5efd7c
SHA512 3e2d6db39dda3bb20db00b1f50ae237425a253830b267131294fe30f2915ee699207daf78def7e0da33c6e79dac727353aafb1a5a2f5de4f165b445e52dc0678

C:\Users\Admin\AppData\Local\Temp\liIckYUM.bat

MD5 21ccc4a49b55f0c86888ef04d388dc08
SHA1 4c761193e5cfb73c554166e1b9aa7fe8d3731cd9
SHA256 45f5ee95b74c47e01216b1a89f1d81baa017c5e7f84bd4d3ff08449375b2f18f
SHA512 8f716c6ef6ae7811683120393e3d25f2e9b55e7e11e105295a46422bb16e70bcf69bd5a7a418523aad3a3729aad814668e18e5e7e9cb239760bfb6a399e42e8c

C:\Users\Admin\AppData\Local\Temp\dUEssQwU.bat

MD5 8353a02d675f0b91b05fcd22a86fd6f1
SHA1 fe3d152fd9582e66060fadafac89246e72866b88
SHA256 451f384fe86342a9feaeeb9c3631e7664ec0e988d051a16a0460cb7b375bac92
SHA512 df26b70e55a7952d0d0c0db9a1fa174fe61e7c26b02e41435377b825477713a20f297d3b784a4158449fb6ef08c762f48231688b02078c9eab2b3a4205bf7bce

C:\Users\Admin\AppData\Local\Temp\dcssMwsI.bat

MD5 311745ba931274d88b59864c361d71b0
SHA1 81b979bb71254902889c2fedce9c87296222d6e7
SHA256 cc4acbb37bdcd875a480a152fea2c9ec057ff8d0f6fb803a8ead1409fe5788b2
SHA512 22c5d085a7982287fc92cc82a12cfdc3ec4bba272c854b189849f30650a33771fb809b86b91f2ef18a0a4cfdbde2e40c80231d25ed69da19f2b85e19654dbb63

C:\Users\Admin\AppData\Local\Temp\AqsUUoYg.bat

MD5 9b66b32c58d2ee15b82c15c182436129
SHA1 455e486c76937e5b48a6cab7a9bde0c6a4579f0b
SHA256 98cc7faf085481902caac6535e9f94683be3c545a40331ff315b010ce4d5bd44
SHA512 9bb83293860c554023f05d045c915bf1ed4560f6449aa7334eda931c040785da2f29b65cc120b8e89429701471955ddcc311a318deff72ef32f2f64b20c48e35

C:\Users\Admin\AppData\Local\Temp\wEcQQYsY.bat

MD5 b91e96a620523504517f15eb09a190ad
SHA1 79fd1b11931a07048de7a323b2001e6d8f5b6863
SHA256 9a22375e91fbdbb11fe5fb0090e33353a7b556f493d2304798dc553e45667e27
SHA512 2a7f62caace487797dee6d0108ff9cf71422da6dc965b0775025612febfc6095fe4dc9b03b2ec276f038fb227762110958affc16d60ae283b7042f0e495f30bf

C:\Users\Admin\AppData\Local\Temp\YucUcAQY.bat

MD5 f762d01c893443892656576ce76c8144
SHA1 e974bcb50f8724945835ba4fa990da105f80ef82
SHA256 81488b5b50ced9e56abc73cc6bf5372baf9fa4b0a730c5ba83561425b8f9a76e
SHA512 3d9334727f245a0a5951c1eecc087814d1f326289c1e90d8ee7c71fdb73e7044dd4f9fe4effba251424f5d367a9259a755cf59c6b7e7aa9fd9019265cef458a6

C:\Users\Admin\AppData\Local\Temp\iUMgcooo.bat

MD5 8807547207394884854bdbae9efe232f
SHA1 77a9991865a1a5c1ade61b889f8205453a8184c1
SHA256 dbcb5e1e0e838a91678e1c8391d4d52af0ddb09a42a486a51498c45a8332f2ab
SHA512 e1ebaecd993fa4ec9717de9e9efe23a90865d87c5da2c9c13c0bbd6aff78529dc0c9e56c1d2b598292eccbc5d8aa3e34b9f57326d7bf36014ea34a4078bed43b

C:\Users\Admin\AppData\Local\Temp\cWAQgosA.bat

MD5 1b00dc526bab6526fa8ee3eec62bdebe
SHA1 66d187d2ee65ecfec6ede3a3a20d229c5aa06a2a
SHA256 c3e439904e06d887adefc9bc3998737db7015abf4584181b5dfbce19e3b47410
SHA512 8f619ba69d8eb5f4f4df4792cf2e558c2b99ad6a3ba84f233c59f55b062a79f72ca5ed3eda84a2606833c8707e693187b44bd5cee103e5729c67ec86898e6ada

C:\Users\Admin\AppData\Local\Temp\zUkAAUgA.bat

MD5 a376a32a90fb0d7d2b569e914c484f01
SHA1 04e69dfa0f564909cdb78cd78936f7a87c46f940
SHA256 4f214c69cfd4e78c3750a665bc0a36299f722e7a9198a47ff661c9ea2dc2856b
SHA512 f7f47f044bdc81451c1a66c0fc87406495d458534c0143bf5673434229529fd319a87cc248ad60233836ebf7efcaeea5ffc901ac2d4964eae6dafba3be8ed8e4

C:\Users\Admin\AppData\Local\Temp\jagIowAo.bat

MD5 1a5aed3fa6729aef86e1d459966666ad
SHA1 cdafd16f445768b628b5c9ea9ace924fc2217c54
SHA256 91a8c1f08893d2f3a125afc28d163b25ba6c492848a28cb61b2beb6dad1d8fcf
SHA512 70a5490d14ed2fc61b1f08016c877cf8be4a1fb6387aa16cf334ffd0325f6c011c3606f979bdd2687692b65a9943e2cf25b6aec79aa9758919c6f15ba88f87bc

C:\Users\Admin\AppData\Local\Temp\PegIoYsM.bat

MD5 6960c29e5ba6cb8651cbd1d95a12b9bf
SHA1 f6b88021d94681f274254d39493378b285c10ad4
SHA256 d130cfdf418805a66441e32912e2d1bfaf65c0b780da479051dd7abaa82107a9
SHA512 60651e1215d66a7174c1aca6f8f87d7337100a6b04de563ca3593f30b1ccf0deb52f20bbc5a61b642a8d0e7d43194f91a49465d0382102742151a0f1e0524fd2

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:00

Reported

2024-10-16 18:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (84) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\ProgramData\sAsoockM\WAwQUoMU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOAQcgAo.exe = "C:\\Users\\Admin\\DocsUEgY\\BOAQcgAo.exe" C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAwQUoMU.exe = "C:\\ProgramData\\sAsoockM\\WAwQUoMU.exe" C:\ProgramData\sAsoockM\WAwQUoMU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOAQcgAo.exe = "C:\\Users\\Admin\\DocsUEgY\\BOAQcgAo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAwQUoMU.exe = "C:\\ProgramData\\sAsoockM\\WAwQUoMU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A
N/A N/A C:\Users\Admin\DocsUEgY\BOAQcgAo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DocsUEgY\BOAQcgAo.exe
PID 2152 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DocsUEgY\BOAQcgAo.exe
PID 2152 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Users\Admin\DocsUEgY\BOAQcgAo.exe
PID 2152 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\sAsoockM\WAwQUoMU.exe
PID 2152 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\sAsoockM\WAwQUoMU.exe
PID 2152 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\ProgramData\sAsoockM\WAwQUoMU.exe
PID 2152 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4228 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4228 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 2152 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3124 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 3444 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 3444 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 3124 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3124 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4968 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4968 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4488 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4616 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4616 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
PID 4488 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"

C:\Users\Admin\DocsUEgY\BOAQcgAo.exe

"C:\Users\Admin\DocsUEgY\BOAQcgAo.exe"

C:\ProgramData\sAsoockM\WAwQUoMU.exe

"C:\ProgramData\sAsoockM\WAwQUoMU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUUYcQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukAQUEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWQwMIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGQQMUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIsIgswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwUkcAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIsAEMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuUQcQsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSAcwYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOUQIcMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIsYokEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyAsgMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkAsMkYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUgkksgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwYQUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgQAwEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykEIEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUIQocgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuYYEsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAwoUMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hccgEEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pygoUAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zysoIQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqcMwYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOkAgscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaMoUYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIwQgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYMYEQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAgsgYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYwkUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMcsAIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kicQoAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQUccIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiIoMIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HooQwkgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsscwQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKYAoAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQMUMEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQkkwAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEUUUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgcssYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xqkccowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcAQoQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcUwMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiUgoYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CScAwAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykwsMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUgwkoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsUUEMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqwEwwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyYEgEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMUAsIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUAEsscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEUYkUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pscsowEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIwIogUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGUsgEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKwMskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agAMkcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woUEwAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaoUosgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqYgswsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUoQUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYMYAsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nacUUcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugMsooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaUskUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOYowQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySIEgYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqckswQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nigMYQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSMwAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMAoEAsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGkskQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAsMowgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWAwUQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSYwsswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAEwkoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOEkEEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kygocwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmwQsQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKcEUIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUYowoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYwMAMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zacUIMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcsskkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUgoEIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quUEEkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckEsckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEscIssc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hykMQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsMwsAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEMYsoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAIYAQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaIwgEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuMcEEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYoQYkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQIEcscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\busYIkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcQgIwIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsQIwgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGAMwoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCoskcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv kuntvdUWbE+3wBSbvdMQXQ.0.2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwUQkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWgYQwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/2152-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\DocsUEgY\BOAQcgAo.exe

MD5 2654db924573af9971d9f517bd64321e
SHA1 e49510a7405faff4dcd633cf56e0153b9337b604
SHA256 e562b04c745aab66949565d980fb3b4b9426e501fe7d236232db95f271170394
SHA512 a822541e50b2cc2d83f9b7b6c662be2c04776171face1b0ed88a78b0d9c8f0dbfc8b8889d3436692f2065119798b531e049f05fd7c9c0a2316d8e62e32e3bb3e

memory/4120-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\sAsoockM\WAwQUoMU.exe

MD5 cd9ce3db3a6f8fea752380dfbbb427ae
SHA1 a06a51a5b85e725159c1f9ff1152f1583f0af931
SHA256 d5524f6b42e86ed2d5324f597b3a0dc9537ac1febed351a0a8c04c35b4a51280
SHA512 0f5e8a2af64d06317cd9ab21ffe48089e74b3ff5bc6d36ae0b38dd43d8cb2bf6caeb3aad639556244b802ce5e46da1c8cbe4c6c5ede53788087210e0a75180ae

memory/8-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3124-16-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2152-20-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bUUYcQUI.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock

MD5 d715f659c83f2b95e8a4ce1233822e94
SHA1 c2a5cedfe5e05fa74d17bc6c9665d27823c3650d
SHA256 8a3d3787c7a87042010865e1d0aff07486ed919cecf52b21746ab8c6ec7de94c
SHA512 1afe9f4713af2d2e0a509fcf2e727bc4fec2099291480d2edfa9f4e0853376d690a42d5c7af37232d21f21afa98d5e8ddc6c45fa8f2829e9eb6930792f92dde5

memory/3124-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4488-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2580-53-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3548-54-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3548-65-0x0000000000400000-0x000000000041F000-memory.dmp

memory/864-76-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4936-87-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2224-98-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3952-109-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4540-120-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2172-131-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2220-142-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4388-153-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2068-164-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1032-174-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4900-186-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3684-197-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1720-208-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4360-219-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5056-230-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2732-241-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3968-249-0x0000000000400000-0x000000000041F000-memory.dmp

memory/864-257-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2272-265-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1000-273-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1604-281-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4384-289-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2472-297-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3092-305-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-307-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-314-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1624-322-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1236-323-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1236-331-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1312-332-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1312-340-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4148-342-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4148-349-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1788-351-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1788-358-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3320-366-0x0000000000400000-0x000000000041F000-memory.dmp

memory/532-368-0x0000000000400000-0x000000000041F000-memory.dmp

memory/532-375-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4344-376-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4344-384-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4964-385-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4964-393-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2656-401-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2888-409-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3252-417-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2408-425-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5032-433-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4360-441-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3828-449-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3308-457-0x0000000000400000-0x000000000041F000-memory.dmp

memory/540-465-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3932-473-0x0000000000400000-0x000000000041F000-memory.dmp

memory/212-481-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2912-482-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qcAs.exe

MD5 f8d5dfe8f538e1e28a9a53b705ea15fd
SHA1 5810546591b4659b7ab2d6cc403299252481c6b5
SHA256 d306adc5df056eb893ec40d617cd6dd117935b5efd1b2220e047ddca5b2b1363
SHA512 69fd2f07b80978509c34e78aba8e5704d7e383bd9d0a498cd73051458b9b3d1103b2aa3b90a598bf991fb80735181e6f0ad866109211de746ab250fa625b0d60

memory/2912-505-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KYEe.exe

MD5 b5406010c21e7666a899df001b4c0509
SHA1 a8b146427c367bae6d488e400662fd618e1f0563
SHA256 d6b12a53a7c080eed502e378b6fb89c6058c907bf7d2df1c6ceebc207e390079
SHA512 e174911431f2049d641d9f6f28e31b5be886c22fc88b5ccce15bf2a5db4ceeb80fe156b62c2231b2320a8e547a8dc1e4c9d050a6b25b2b736248b767612a7338

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 cc36bde28ddc468b7e9cb79b853a68e0
SHA1 0b1f47a93495c287428fdee67a9ca71c3dbed15a
SHA256 593cf7587507e894741712a5e956e8a6845152b2276ba241857f9dfdae55045c
SHA512 56cb6e8cccf87337d6f45e13636993c08cfa0438ed03d14560ae6c33ae743ed15f23af7bda73529572b5f4cd214173bde0f9b6613986339ba485f996ee2b1652

C:\Users\Admin\AppData\Local\Temp\YIsq.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\OoIa.exe

MD5 1aeaa5a4251a91a3c6adb8cbbee09fc7
SHA1 a1a9d4b2e602cf314c2ac7d7eaac9fc1b1bedb9c
SHA256 6152c9e54c8aa8ca96d2e6bf54c05fe7a026a063d348a6f0310754b018d5583f
SHA512 c277dbe3d046b551ec70ec9bdef2ef57fec4aaa490c992225f9adaaf6c1cd91da4df89cc74d1b5cb3fada7058eba4e65a3d107def594e0bc780c3d7400f8847b

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 e6b7bf6a1c483fd9ae877bfd7fef26fa
SHA1 cf2ad307e9c5c07fd051de0845f42f1766d1f528
SHA256 adb7e5dbfaa4b0f311745eb587204b20cac74ab59f699ac4bee06bfd6ee33d3e
SHA512 04634b2feaf5d6e4d1bd905f2f1807a4af3a3e8f76c4e5992482101126239e7153b7237309e7aa1f9b816993cbdbe1e1c09556d5b419bcf170b45fc90e7aca33

C:\Users\Admin\AppData\Local\Temp\MYEO.exe

MD5 00b878a1df8e5c70535fc092294636bf
SHA1 9ddac8084e5fba94f849bd73222afde4c1959731
SHA256 a42642194af84f226e4194383c15db7735a587db5f402df6f33cdb4e618d3458
SHA512 ed57adf3e69a1e7cba7e729e9cf355486869664e132250aef1d70552f3cbb0293238a6b359a2eea2139877b4e94e58a333e18a40d2d715d91aedfcd305ca7682

memory/2656-583-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QUAc.exe

MD5 a45e8537163d0d457dc842ffb905b9fd
SHA1 a3b389864520bc7794a52ae73e77bd515f5ca151
SHA256 c9182440b9a478a75b85d42878b9dba4a6321238493018cd90ad06afdd1b8188
SHA512 9304e13f11f512e30cd32dea03c9c23950c606cdb9ddfb1d64f20ad4400c05ea7475c7f2c7e9d627e93d93d35cf14cc9d8c19b68bd160a57c966e11e918fedf0

C:\Users\Admin\AppData\Local\Temp\SUQM.exe

MD5 b6820cff22a8dc50b3399608c750be4e
SHA1 147a94b5e1bf7e6166cccc13087086c7470288ef
SHA256 c5b7f6e3c95c2e69da9cad24704651dfb6ee0b35ed3152cb7e5445b98bd7df5b
SHA512 d6ce226c2fa054a90455f9a34959cd9d346da71481f34fc0e4167b7c4f4ebe1cae52fd28bec04ed05e01e1af220becb769afc60eb9f8e873d44d19288cce266c

C:\Users\Admin\AppData\Local\Temp\WcEM.exe

MD5 6d6eaa8d2528189828e375d758660816
SHA1 73d06b79c5e1431440e6554d0ae28a63049b0b3e
SHA256 b67349dfdb64b7bc556edf4288cb7bcff8e9e5bb660e1afb88d49c9ac9468fff
SHA512 7500a6ab743334db1a9193134a762fb55acc62e031eafe145dd6af6c0a156ec551bba83f8a0c1074b85f73c2ef6fcc1c8ba920490295ef84da0cee657c97c22c

memory/3152-633-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UcUk.exe

MD5 673855de7a9b08ca62d07eaa7edfa152
SHA1 9fa2e40dac070c5c638c162dde5bdc898712e5ce
SHA256 52d393b93d31e7bb8d6d55d9250ce428b8d132a007dfd86d3a575e03f538e2a1
SHA512 05d1ee26ad125480369402818e13b77ab0471c6566f35fb84cca6e636691590dbc0ec6f236e5bdff15a86a0dc0c19f122eb3fde2760a33811a4ead3ec0803565

C:\Users\Admin\AppData\Local\Temp\YosI.exe

MD5 b17413234ebf6e59ca09305f347d94f0
SHA1 2499732b5f040a82fe25810efb374c83a110f918
SHA256 c381c668d9bb76649e23ad28c8a15387f2add00d3cb8725f0f762623f860a46b
SHA512 dd7cb064dc1c62051c35f6707ab32ae4fd7c59910863975e53c62438709f7bd924f8719bcb86dbe09c827a32e3847013f1d249c19342f8874392d773e16e7f0c

C:\Users\Admin\AppData\Local\Temp\qcEK.exe

MD5 6f6066029de794b4f24a1af63425ffe9
SHA1 81f7e462dd303b47aead48056b0cfa4ba0e70521
SHA256 9dd45924dd56aefee61b9686de5029468c2cbcc0dca5741bf0ff8b1cedf32b47
SHA512 6574ba5bec599564607547317ac2afc2ab9ee850e7574b8ba158fa3c292071cb139eba13dd1abe90f54a03a5b1b2be150ed7e79446180169ff51251c3b5f9183

C:\Users\Admin\AppData\Local\Temp\AUUA.exe

MD5 fa3158284349eacda703c86957a3313c
SHA1 6701f4c0942185b58c092d9dde83e78c0c783d91
SHA256 423d5dabd808ff9f51d0f3886f96c3eda9d8d12153b23884a994d66cfd8f5053
SHA512 0dd09b9c204edf46f6b12b0600e3bd89e99af32104dafbde97be920d39b40d8f4ace75681449723e9b530d0352c7a1246b34a1cbef36c2b59677e307fafce53a

memory/2288-697-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2772-698-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EckU.exe

MD5 abd345264a073afd0de31e936a086c58
SHA1 791af5099ac851109a566b5fdc7b1e0b6926b23a
SHA256 4da737c5055f8db03f039be11322a17bd781c8c71ddbda02a029de506cd5afb1
SHA512 035f1cfb47f2b2d2c485515e63e26b859445f555ab1813c8da0281f5aeb8ca8db6265d0f0dbfe9e3745fc8a1205e739f4dbfb54e9b93b2d5444219c8ee4c1b60

C:\Users\Admin\AppData\Local\Temp\ikEU.exe

MD5 42307ef617320b2933c2d8c7534bda81
SHA1 da0ebf380505217d8d4294b694037d42fcb0fa96
SHA256 baff5532ca018c111e10b12bf55d8c5a3d88463f2c38efd34c380b4c63919ae3
SHA512 41f55550fedebe64777ac717538b931947fe47c4387cc778ad6b379ad0ab7ccd2827ff589cba33ad896b04ed3192b867cbf51a8522636e48e14af6382f5e42ba

C:\Users\Admin\AppData\Local\Temp\qEsa.exe

MD5 04c4af1a2ed1fc89f953a7ddd269508f
SHA1 c94c4cdd535eb4b8873d7b7ab538c0d431304837
SHA256 727868266751472aeb616ce9fc5271bbcca3c974677a2728760bb5d82fdd8d62
SHA512 3e5494c7424b2623cf80fac14c5ff2d4a85a462874a3fab80c769368284ffeafc37695f6fff5e2b58e786826b75d12692c3d69211486b33e55194c12b05a2dd8

C:\Users\Admin\AppData\Local\Temp\cEwC.exe

MD5 245a5153adb40a13cf4f3cce068e6e39
SHA1 31b2401520e47431f9698e28fee8afe538a5d728
SHA256 16682971cfa50a349360927cae2c1ef45b2e384c4d69bf3207792d31fc96c3d7
SHA512 a9253a6125ccef905c7fc2409e870870f7f585bf508f30c406e4c9050a3d1ba76bae687725cf7b49f41548bdb31a0daa1014105abd39afa82c3d4fbe138a306a

C:\Users\Admin\AppData\Local\Temp\OYQm.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/2288-762-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CYwC.exe

MD5 d6331de8ac81cf4e70d58864f290732c
SHA1 88861132a761cc09f84acec5c3b9e5082b5680c6
SHA256 2984342c02517bcd7503e2f158b41d1bbb6ecbb9fd83578d304b18cddf9976a0
SHA512 9e14e71cc6ba9cb720c0557a4eead7d044c6baab37b5828f683daea73f9347385e5eab12238a4ac53092de85ca21349016f63d97230d27fe8efaab2c86f503fe

memory/4708-777-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUoE.exe

MD5 106e12ab4fe7f4133231e133d1f67ae5
SHA1 3bf35cc532f766557629b6220a8170fbb3dfab89
SHA256 de25bd3ff5be8d901aeef0fba8cdd28fc8d6f7853389afa7898ee84c3e6486e5
SHA512 fa38da1a79884848f90fe22716103eabc079fdcf3376f1edba8746ebc22bff7e5cb6aa02bd30ebbb501b2f5ee7b0b30b997ec041ec6d5b8f890d23e5e828cffb

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 a80ea4ad844b87f494641a85caab27e2
SHA1 187c90a09a74330302dd78189b11cd3872ee90c9
SHA256 1c89fdefefc69239bc5daeafa324c0c93b2d210c2b1c74cf903f5c43e7e7a8a6
SHA512 2de4a64b236025ae5b78837dfa81e6c4bca9491a44df25d83f8e63888be1d3f936abcf0edec0105a08d80551909dce154b5ae1ea8df5548bb3c09af9949c0a64

C:\Users\Admin\AppData\Local\Temp\uAgS.exe

MD5 e27e0e88c821147d6cd02b2bdbcef213
SHA1 132eb36659954f22f4b33e062fe4d892f5b6686a
SHA256 9c5f6bd6672b13a32bbdaedb85eb3417d81f864f72897469148307dae51e3b1c
SHA512 a41a14e960dda7a1403e58cd06198e590601cd568da016c4a622fcf41efc39505a037e07271e90ca8d6775f753f5f0fcb8edca3ec457350a45d0cd27fd7adb86

C:\Users\Admin\AppData\Local\Temp\IUQW.exe

MD5 1f1c39eac5c8b89727a8540f83b27a56
SHA1 bf7921a0265ad010310c22ab0043acf029b340b7
SHA256 9a7209f6d6353c1ceabf85511382a94376e45a85a08961dbb986ed61e3a142ac
SHA512 239291ea75654b869b3a89360e97fa2a7949e6de1c6853ad9249641a3dd872625674c11c3f72b4d3b5ab2dcd03b15832cf29324b0aee90330c0a4a362bc34143

C:\Users\Admin\AppData\Local\Temp\MIUW.exe

MD5 4667edf300c15c615167e5099d3680db
SHA1 7156a28334d1127a6ee2294e31043c09e027fe76
SHA256 e4cbacf6aaea596d86612883282c254fd1543ad1a9416e2a79c1c273b041baaf
SHA512 2a9a69f4e628ab73417045e331dd668395376c147bc8ebc3383a11588797b3172fad44ed24ce7230e9076bfecc29503c1cb55e7791e5839132121c62a0ffd24a

memory/4708-855-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CkoG.exe

MD5 e97c598d5a67d05138755b55a48dbafc
SHA1 d634cb6e18d1cf52c31c8e3025637d8a74e53829
SHA256 c3a81c3cbfc66a04f2abaa3f3295e1cbde91676d1b5ee1db37cafc9f6211bd07
SHA512 71bbf77173348057af8b6ebef99a70f1b442cb3eaec9465064b23c3d75f93e75e2cf5dce19ee5e42937d6ed99e9f8df08ab8bc2313a44c78e4eb22fe8d70b7e8

C:\Users\Admin\AppData\Local\Temp\cEEA.exe

MD5 c582c40465806a4e7d4574d49fc155d3
SHA1 d8d9d7feb8f08495a6b9eef3a102662391e08a5f
SHA256 bb7e0acb67ee52e42ac047b7e7d5ffe45e7938d7233cb76bbaa12ddb812cca6c
SHA512 668f667b87f72907374381f80beaf8ad0930e7d463c6a5af0d98a00a1294978fe2428247cb419f8999940700114e6f86693cd786d69026d9b52dbe8bb5f03abe

C:\Users\Admin\AppData\Local\Temp\ecww.exe

MD5 af94f06bd8e3e8b60f101fe2de9edec9
SHA1 07dcfa5bd1ef047eea5f97bbac2a376a4c708117
SHA256 6b4a739700507b3465f3378245cbe9aa3d565658d551167b6f48f0eb511a8473
SHA512 ad41f4606d25da153deec13603ced0a2c5e8b2e5bcc1f9df57827e92b57558b54140db9cecee35f28e3e57ba1b6d80ef8f95011d695bf1c843a40fb6cbe05972

memory/2656-892-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CoMc.exe

MD5 b803227a3fce0a9932569f286db88403
SHA1 fff23acc3eac1fcf641c450b8f550b5e188897f7
SHA256 60e40b60f027438ddf51adcb8c3b1dfebc7074521a08202c73e7d5cb18d745a8
SHA512 34f0e909c61b3dee682047aa94e16011aea0b27450d6344f8b986e2c0e4af388878ffb07d8f986ec13d5b31bed42b9eebad081d57745fd245801b4a5560b6777

C:\Users\Admin\AppData\Local\Temp\iAAU.exe

MD5 6403830fbd517a7d13e1947b598f327e
SHA1 9cb696ed5b598b9e63ddfc7c0f350a474f2c11a3
SHA256 a84765c642ad5331abcd77651af46ecce2392e2de8be7175cf10b9b141e1cd4e
SHA512 d9869b1bc569779ae8af819e26c0ad1b192ac91b784024f65d040bf84802359d021320cadd89ad4d4da0f169a85cd5bd94022cbd6bf7491cbc8fd06678701120

C:\Users\Admin\AppData\Local\Temp\qgoa.exe

MD5 dd4dd66355f7b083459b8e8f192a541d
SHA1 9f4a278954eeccf0a9a417d984b9e82035168890
SHA256 29302a1699961cf0f3d78c07e0b5448e6d6c27f2051c230ea0b2e4bab72b11ed
SHA512 506f9fa51ad0ceb8f47ad278f32b2a288557f387994cd821df8098425d771052c99e768c5026d820ffbb91fb37119be1c5038b52b21a31de4e91b82beb3bf50f

C:\Users\Admin\AppData\Local\Temp\YYEG.exe

MD5 23d87af972f9a708825c023c29a46106
SHA1 91f46340a73a3e6cb6c27533f14f50b5ede8580d
SHA256 46c84698af3783830c7d0a1ffd23ca806f0011500028a94157431372064b96ba
SHA512 6aab304f60ac97b958b7b9adb9316a82b63a95be80fe0ea2a9eb95fac09eee521b0e79c7f5f0f5fc6832fe325496bd41daa474d7b1af3332238d39579f62a22c

memory/1468-983-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1612-984-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAsu.exe

MD5 c3ffda228b56dbc080d9b01b353339f2
SHA1 2c53637fd9f98bf4bef587ebdbd622011ac34828
SHA256 3c73306afedeacaf8c9413d157dcce240c0127c41f35cfd235dd2708a096bfc7
SHA512 a394f0e0c23a0d3557a442e852c7438dc613be5a9a6a81341ac829c5a51959cb3fbf555890fb85cfa0a9eea09d2e6d9e65449f7bd0a529470b22a0fa1cd2101b

C:\Users\Admin\AppData\Local\Temp\kgUI.exe

MD5 3f559efe1b7f76df01931e0be50e99fb
SHA1 8622877f4810248bfbfe0186844f960e76f58948
SHA256 90e0b9a24549b7ded47ff53a63b45342f50dba975df7ec2463b7231474aa0b59
SHA512 590292eb0587aca4c26416e890464c7d1454ac6eedf1a59ed6a3df82bc060ee7d9aaa9fac11bed20aadc997400d8d62ebf2a945ee5ac180529bed5808196265d

C:\Users\Admin\AppData\Local\Temp\okQw.exe

MD5 2d8d49af0665f67a0de2bc387d8bf33f
SHA1 b4013b2b716b2cf8eed824170b06e83ebb570250
SHA256 0afa50422c1f0a6a9042896ec6342dca3ae2c6de1e539d1ce8196cabed68b101
SHA512 116ff012eaf0fe31ec909cc7fc90c04fa4c9e2f194452a8d5719ae55e30504e96be5d42c830e4c3d0dcc63eff166377178fbc51fb8fb1eebb1489baa08f39784

C:\Users\Admin\AppData\Local\Temp\oIUk.exe

MD5 fa50ee56f8b547c84dc2249b315ccca5
SHA1 7641d0b6dbd3b4117419b6fd48d63df8c2a5cd59
SHA256 44832c0979e53dd6f73540f6b3c452b6a78f0c51fc9622f65bcc2a21c525460e
SHA512 94624a593cc0eff512b3c51e0f9e4e4410da0a3950faabc4b64409a54bcc04376bfc7b8c16d05f9d1d5f71e6d37ee464e9ca6fc498fa21e25232463888f9ee83

memory/1612-1034-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4336-1035-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAkU.exe

MD5 1fb4748aa03edd4c3bc33c28e6c711a6
SHA1 e674c61cb34ff6684e51824252172ba959305d33
SHA256 5d950239c02dbc88202f3e255c4cacf956d285b104176a6be8db23b1844813d3
SHA512 250752d99558d877b90f5e4af60b7fe87a47824ab4388078d48962a85d84a93a6b9aef69c8ebbbb161a2be506ad3fc11168bc36079c29b66ad74c7484efbb845

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 da3227a53501edad25046b1c68022a81
SHA1 ba32e3d53fa481779205b1eee26dc4f903fbbf9a
SHA256 fd2330ce57c22ae71e0440a120c5d22076a2373063cb9a4225d37c4b147a8b47
SHA512 e407a9b62a8286406f22ae869e27cf911a530552246adfe90a757d9e720e1bdb300525a24eadf135e09f24700134816bc2dc4a0a69225f8daac0272ea77a24a5

memory/4336-1076-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYgq.exe

MD5 dbe8dac3d1e27449205a08d779fbb331
SHA1 b41c02fbdc84d21ac45f44eb1fff8de32fdc9672
SHA256 4dc30b6139b5ef0a10dd0d3fde2854c28001bad84c39dd9cabc719861cf1a9f9
SHA512 c5a2530b3da1c876d19969c7313fa13f47147951c05b5ba9d4c57c7bd9ab843b03fdc0d37099e31028af23402131836b25965f2c55cf59ba287bb85c314464c7

C:\Users\Admin\AppData\Local\Temp\qkkU.exe

MD5 eda01d24edbebd182f54c316ffe1a082
SHA1 99d90b8ba68226244f6827e8b87762a9813ba796
SHA256 20ce03a25c5bf077cbedef17981434fb987358512b62413059a3693e79e4a4d3
SHA512 a963523fbd88dc225ad5ed4a1218788c37e48b3e2251930afe228a594ff3a471f253a5f2b85df1b1d6ce874b01fc36bf2c3d5464b42ea471870724d26a4d00fd

C:\Users\Admin\AppData\Local\Temp\CsQo.exe

MD5 c4e9b1246a04fedb7d7dc6a0f5766eb3
SHA1 f991ca622928a37a4e5b75b80c835e2c35840433
SHA256 388d8a9f912324132c1e053606d25876ffb597ff4e4e0407612312d948e2844a
SHA512 c090873505c3b41a06c1880f2efb22d591ecf044fb4762f3188eb37e331edf062fdb3b5a4ae6f629d78a6c4ff3f4e0eadeebc4332de79fe5c8e69482b6fc669c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 d53a6c398dbb88f4ed65bb7f6c6bac96
SHA1 6119fc4e864a1d24ecec8417b30619dc8b935d39
SHA256 5b99f39b3cff3aba13f6ad9aa45b643dc93cb38a01272823377e48b546c6fe57
SHA512 df6e0200d93939d22be8b79171fe247c7a9e0f2590b5503c902f88531862407e1cca0334196c8e3661ee7f106d942c60bb86c3ba639f00232759fab032acea1d

memory/3860-1134-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SEAu.exe

MD5 273768624fd45e84a78dd776657136ce
SHA1 e751adcf7f49a2161cab2ae1e1b3626e8dd819df
SHA256 8fee2820fb0e01c580067c07c472e7bb5a4b66b744eea010927f0d280194cf46
SHA512 5797826bdf65e6b019d47f7fac7514a5b86b4a7e7d94691f3a5b30583e692794f54f1102bbcee538c48f3a5a6e65da8c9649b44096dd215b2c347104c12e1bf7

C:\Users\Admin\AppData\Local\Temp\kYgC.exe

MD5 57b15b319ad0b5eee6f1dd0e82a91cd8
SHA1 7a20eb375067e48b43608d57d831ea54265702c1
SHA256 ddd7e6718ceb2115b326802a561da141170d661cbec3f3030b3fc303a1a49a32
SHA512 75f9c236752f8322917c560495967698527fe3cf422b6154fea7b5cb75ef146def5f3cc365bbfdbfc613dc0c56b57426ca5319c3702970344b188628e83a0b3f

C:\Users\Admin\AppData\Local\Temp\qcYu.exe

MD5 439f356b21f9f44bd45f851cacb5dbd8
SHA1 c8f15e199c1b0525285954a31f19fcbc77082286
SHA256 c1be162b3ee9b51efd628cf5b7854874bb5a84b4fe79bdd9ca46760288065f32
SHA512 85b9537d73de0d413332385ac388a2945080a21be8727973eafc35338e8b3d579cf41eba467fa92cab5ef126afe3742f71e54267e351287fce49a26dd8b2bf95

memory/3132-1185-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iMww.exe

MD5 1a327898728e6954f2217ce9c7fc6d24
SHA1 4095966b5ba7669500cb4303c381c6c6ecf7c898
SHA256 9b360e16e5e7928ea65f91fbd3749114f0b253483288102429c69e9794a22309
SHA512 4805ef7b517e1ac24560896535485cd01aa4085baac3ed027fb16511f390abcd910291eaccb2b64e5c47b86479b38ced40b6c1967282d8e3caf0c9ad96cec56c

C:\Users\Admin\AppData\Local\Temp\ywUA.exe

MD5 e53b365ec2e8ec16d8c762751f105646
SHA1 7ff3138c4e7a60895dd68aed56bbf04cbdbaded5
SHA256 59b96697d29658d617c43a494f59145c301edfcc634797d9f023b2c0f203614b
SHA512 1d08f38d990621eeac7826b93fc7e4f41e92a78b027ef4fc6a8227f844e50e936ee6483466cfe447b9e539a321d92f02815e0060791249cb43943d23fbb018a8

C:\Users\Admin\AppData\Local\Temp\uUYe.exe

MD5 a81d7ab3440acbd2d4afe5b92b62958c
SHA1 cbd06be17b9653279fdc0a60645cec4fc2de51ee
SHA256 c2bb9be7880390baeb7c2615d6603f0379896d419d3cd9995694ea89fc8d7339
SHA512 e6e23a2042fb706954824fe302b6f1464020854a99ff163d709e01176355b10dd67b923ba8fc644df3affe8ec16b23ec61b68cf4b774f86d6913b07eedab7b02

C:\Users\Admin\AppData\Local\Temp\oAYc.exe

MD5 6307f21c5ff90063a8c0d5da64126c26
SHA1 b4345cf2ccccff2ba6046529715b8c61d3bf1c71
SHA256 b159a0e7a78c05c25cb3818ec223277f3c624b68ca7659a6fbfae19301ac8078
SHA512 a099ff34b639e6f2a9800aeeb5f76fb2f33d4d414e17a89b65b11dd3acc91705e8785e3e1fddfa86b6d39745883155e47aeff0c8651e6661ea91da835ef7fb64

memory/4100-1262-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIwW.exe

MD5 07758f9f343b14df0c5b026ab0e5de7f
SHA1 3bb65108318ad9d54dd4c07f63ee46754f7606b6
SHA256 02bcb931198c37663ef96872a6a4d7af96e18626eee0016fd0063a0b2b654c16
SHA512 829f41337f5161d7c4f3e2bec4ebb6128ddaf633345fd04157e5ea0722ca9aa1da828acd5a1213cc593ddb7533703b11b98a48d1afd5c1e137a5362593c4adbc

C:\Users\Admin\AppData\Local\Temp\akgU.exe

MD5 30ea6c24b41b7c23cfdd90e45a54a35c
SHA1 06895ebee5c1e816bdca3556252eb0be3da5c142
SHA256 72c4c74d3b73d7d3028a4eadc635b097d131ef03d2a9c770cd8874e0c42e5415
SHA512 0f0646de93868af7436ed4c4a63b6d09b37a4dac67b29182ec232a0d582752bce6dae2403a4435713ab4f155aca965878961e42cb5f9018757d657523952f71d

memory/1676-1277-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMsy.exe

MD5 2270cbdddd54339456509c886c455cfa
SHA1 cab3b7f811eff6ea3fb04d2caf078a302e3a6e24
SHA256 518c5cf91f83216e07bab5333bfbf7d3e71b5cc3aa1efab2990cfc8edb2e21a8
SHA512 cbf919c59617690e1b6f1d049af85f21c5d841a1667c280bfb51fbf52d2fbd7dbbb6498ca20d8f20971112c3ad26801db311d83f7da31c239f61848d4a08a6a0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 926270055a26dca9cb29046526caa47e
SHA1 578a63c8996ad3480ab67e11c92ce5bdc265c2e1
SHA256 b1e322c224200a0e8066bd8de851e9117016c5173bd6b167013f270f5908db6a
SHA512 ab69198590cba553515258dc5a8613246ffdab092d06a352253d6735b315951be0fe0da958ffe446d184f7968a3f2a348d135ebedafc4042316a3c701978de59

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 a9de2a48a45eb2d245063b53050fe1e0
SHA1 086684c51120545808e42df8d08ac52d33cd36d5
SHA256 11bd91c3a270d7c9cfa9ce6ecd9ae4e21cf5e4722bbbc91c8baf1eb4e09894f8
SHA512 f3909086f8c9405f960a599cb495047e4f482e5bf8e63cb51938b1b9ed8ad71e13b40a7ffc2f57e7deca4d9589d0bb62e8aa70bbec6cc0efefa4afca3163c9f7

C:\Users\Admin\AppData\Local\Temp\IEgi.exe

MD5 10f1b8326b0d3da47b30020b4eb23eab
SHA1 88f9ecea3a5d62915414f1d245fded55d7d31fd6
SHA256 597f2889a6e6c6fba0cb802c2640348558f5e69ce845d5716886d702ed7501c0
SHA512 b2e9cced530176465641f61299f24880b6cb2f2f333fa0473362b00edb7c442ae60df68146dc237e83ccbf42b925c6f6a324cb994a1b16a9c79b768c654f0770

C:\Users\Admin\AppData\Local\Temp\UMIG.exe

MD5 926146b094388922c4be6957c9256165
SHA1 d132ccf06a2db97deba13d2c97860ee1914b9097
SHA256 9e338215bb5709f0384bf78e57ed1eeab982bfa15e8dc8f3e1f3df6b9759e170
SHA512 65903df8cb0d9d2432924a7efb195a004cd75e195de03acb5847e96b47eb276f0188875e1f4125b8c6b4e63c99d8a35b60ddaf3c39ec1d6aa5409eb39847c396

memory/1676-1355-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KoQq.exe

MD5 4b9b151e37eb87773fb7d9f51cbc7733
SHA1 d5ea39227a52ec3c3155ed877997eafc0754db16
SHA256 fd70e371f5cb8d209d6738fafcfdff5b35a6bd008899bdee92f691b039bdb8dc
SHA512 3e11b88dbac40eac9a285936b4a23efcc292448ab8025f873f202e6392198f6ef6210bf9cd5ba471775f1874d4ff3956cc9dc5cc62b3ea0b3daf0a1e4b319fe1

C:\Users\Admin\AppData\Local\Temp\kYga.exe

MD5 746d22e8bf3e5bf464acdcb25bc6a78d
SHA1 b8e8b7d2e31dcb18b950323f60a53e437f597ab1
SHA256 79e3da11a266a088770cb3de0dfd6011e946f9e8e47a38295e9ae92dc8b319b6
SHA512 bb0d9d8429076ea75b7739f590ae54f9e32f1f20a48fe3dedcfbf0b371c24b1fca5a1131a79848ed4f38ce2e7ac483bd9a2f0a92b7c5bcbe0ecab84b3981d13d

C:\Users\Admin\AppData\Local\Temp\OYsS.exe

MD5 1a9f9a6dc9bd3e2b87fcb172dbc5f6bf
SHA1 41e1d3c7482efabb26833062ab14dca645e4007b
SHA256 6a0cc30c778ce14d54a3e1ba9b4c7f8889323072354cb406d704c905e218783d
SHA512 ab55e2f06ecf3d2b52787b58af5fb8f3a356293581b024dab7986437f870d3f609b2259605c02fbcdc504114609f4bde4e971d064439ae9da98710bb334b3301

C:\Users\Admin\AppData\Local\Temp\kwwS.exe

MD5 7bafd821e93144312b177e438d268c8e
SHA1 8d8267c3873f10a2d05f49964dcca46470b701e6
SHA256 a08ce043483f2d2f29d40ce7f36e6a8b4c5c041c9c975716337f4f530e049a2a
SHA512 60124955a7eaf0d5e493f773706f2725365731750380d174a5722a13a168b66494cc2dd49d54f806227adaae0d211e661a1ac61e58f53f3d36752bdf0200a3a3

memory/1036-1419-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sUsm.exe

MD5 a1c8ae13fadf270fdd25b6966b363dc0
SHA1 cbac7880f0551bc513b87526e45c8c7de1cab0c4
SHA256 9a12863e2919ef26680e44f41aac27cb7b68df79d43014ca008ffcd4b09d792b
SHA512 1c917e2ddcd3ad14ff9856ea400cdcd97181bf82c8df6eb559a989201e5f00974670231df743f89077d7dc55683edfea9ee2c36a9f6ca43670c03b603ae9e275

C:\Users\Admin\AppData\Local\Temp\YoIq.exe

MD5 8961854888304e1502233a5ad4404781
SHA1 0252e5a7f70f0f22eeac3363df7abd9b85808cc2
SHA256 03b1b4dfce25d27491b72223c08b589d513c3ba89e7976d8b892d0a3557e19c5
SHA512 65b688685c40c22f33e4f9a5a5ef7979823b957d5cc09cae607470ca1b28f85c0e827a695b25dce2d28e8e0c6c2605815ccd5f22e90f0cd4bc2ab701f2f91021

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 e309b4b26fe2ae0556d4d922c493caa2
SHA1 5d5bd1dda91d1822571b357cbc899136efe99804
SHA256 3b15b8106cde715e9e615cdb8703c5cb790b8586d8b5ecd35bb8417c6cb9e031
SHA512 b5beb9c5aef956aa15a0b9e66b0505fe61b43a70b6523c8be51e949205ae2db7fb64166ca05e9a189922d4395c0089ed619258f4114daecaef9d0f7413921d72

C:\Users\Admin\AppData\Local\Temp\YYEs.exe

MD5 5a2cb0b7a2bc3e2bd286d3d70f80cb15
SHA1 259627e7308c8a1d695260d69bd1d085290efd4d
SHA256 c663901324b50bb0bcddb6df17d64b97ffa6648776799302cb0cd9e57c8e4b42
SHA512 7f863334be1d8b87145ce34806e2ff438aa0dedb004a6fed2b2e402d3aeda31b4a353e28955dc5131866d182509e75598f01939bef938fe04dc0ac3ae0a0a99f

memory/1200-1483-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\skUW.exe

MD5 9756e82b8af675a4761052024e9aab4f
SHA1 d6f1cba563edf03097a3a39c387847bc986412cb
SHA256 8b93ba88502e6ef0160acd35d6c34ff7e6cd4d1d86e2c78e55308fd6e005bce9
SHA512 be9088a9a98219faa093522bb05c28eb12aa7462b797f3ac7114b63cd3fae62eb155a387eb7dbbe6eae624a5768fb350926301656ae326bf7a836083092cc616

C:\Users\Admin\AppData\Local\Temp\MoQq.exe

MD5 74508dabf8c433ded446b455f871f184
SHA1 2c10ff66b7cedeb904471bdda4eeaae28c44c1a7
SHA256 29973002c07bd76ea937fc80b78d5de7ca65ab8bb1a28c33d4f7e12abcfaff3e
SHA512 8073520a4b5d7c332e6ea5286d7aca04606fd6389f8e7746b0724479d4adfec2ee7514539afaf5ffd3abd485b7c72755715f450dd67c811ddf8eb30a82a66d1f

C:\Users\Admin\AppData\Local\Temp\EcQi.exe

MD5 8de3919b54f332810f4e9aee844272a4
SHA1 7fe474dae0ac973255d10a8858fb699b6fc5a241
SHA256 362c1bf96fd6710d02b6a5c3559dd6b1d7ddfea7b330fa9d59168cc53bf11860
SHA512 bd5a722ed0949be805a885735cf7cd15b5ba379cbb12eeb28e5b24efd82f65f8f52dffe410f84785459a2a1228ceeef4ee29c72d22df3e08b660662077e77e6a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 82408e12bb9750396c1f12790572c15c
SHA1 814ace1c46be501b10dd0d737547824588b8b3d8
SHA256 b7354db501e0ea4491f7e3082ce3e20c479353042d598cf7d9b7dc3330807e84
SHA512 36b1e74ca14cd49afe8864c9da0edc76adfffed0b5c0a30d4cea3d34607665d636ad6cde64c2d1e7986a8ca5ea6247a9819e3dac20384fd203e18b46316670f1

C:\Users\Admin\AppData\Local\Temp\EAAU.exe

MD5 a7b30f6e904f236a9285f412b0055f35
SHA1 9793e2f8dc37d8b4279c4255a0da0c1184e1e906
SHA256 0d8428b7d4e1e49ee5d82cd598ce3d7609dbc1ad8fdb744f1440fed06e40b6c7
SHA512 2246dcfe3a86f74517616ebfa2bd1f9aed504f0f3d2d21b64787fb47bcd45a512b1cfd5242c9bd4fcaf269648058417614a039c81272062750edeea052a082e6

memory/3548-1561-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CEIU.exe

MD5 5b399beeb651dd8396e38c2b5ca920ac
SHA1 ac9771eace148edf99cca689e8afbacfff521615
SHA256 0705a5cf82b607c67122af7e4a0f66214664903f3e862e3a8b83bb2deacaf10d
SHA512 a51be0c6b13b80f0eab1fa51106991a65e8f58cec4f9a91d840ee808cb8d4091f4faec3303c70871f115dbb325ea79647f10c35b616171e7634ac3f386fde068

C:\Users\Admin\AppData\Local\Temp\CoUG.exe

MD5 347eb21781dea5c3b094be4db52c4395
SHA1 f8c425a68f6f59d638ac93a047f10d0a3acdf7f7
SHA256 db3b07b642cefc7ef939ff5be2940202830f354390aede5c040495949cc9f6f4
SHA512 190c985cb53906362743dd0447de48926073705610cca6c747d0ada6cf67bab97fe25a51082f8bea2c3bd1192324e774fc2bf17302d7467e5685b130fda97f50

C:\Users\Admin\AppData\Local\Temp\cIQS.exe

MD5 fec45f3a7d9a82dd48c37ffd6a340d70
SHA1 0ce735b1124bac75d5d8d2691d60972291f37886
SHA256 d2e79487834579fe1f9596b794f976a7cd13fe0545de3b132af042fe7f83a17a
SHA512 ff0364add86a016990d2a895537b8f79253b1224c1d5b7969f071aa19090c83b4f113365c4091cbe37e83879bf14d0870d79939035f8b0f30ee8080975d72cba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 9450198771fc2bfa3dc9c297a30d7001
SHA1 35f26cdb2696998ff9b68990da9744e90193bae8
SHA256 a6f254f507ebdae128ec4bdc8ef5f70e7e4dc4421eec28ef483256a2df7727e3
SHA512 b2c49fcea2545dfeb141a32de1030d71f82707ab89801a933aeb3fc82b7a2b7e7130121bbfb9607ad09043d0f966f11135c26d94a8e31027cc653ab5cb782f29

C:\Users\Admin\AppData\Local\Temp\swIy.exe

MD5 23cb143276b74478504541e450ff269a
SHA1 c601a5417d68643f9bb30f82cc49cc8de4d7345d
SHA256 03f4b598083b5d2515ea81ccd02390a1c4af95e87a541802c05f0d617a3ab42d
SHA512 8a9107f2dbec037212ceaa447694504d1b55b6ae19082e217069f68b18a30e37537bf9855aed7312071111b36b86939c83af5f0ac7b968e36ee61ebd5c8bb4e9

memory/4544-1639-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwUg.exe

MD5 01b22bafdbe213565c8f958d57c360c3
SHA1 5d49bacba13c6cc062644be5bd1de6c3387c0290
SHA256 b346e93abe073170477646419ac5c4e0e899cac154070d246d1afe1f93d558eb
SHA512 fd5e832bf47e8d2132dde367b5fbe32e62c0877f17679e44b31b9e61359cf70b4ce487f6049b56e3baab9fe04d2982473748777f51964bcb9f5ea34f41e3878a

memory/1260-1658-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1236-1662-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oAYw.exe

MD5 a2dcada130eb235fafd9548f113a928b
SHA1 692fd1b1c1999bbc8be8a30d2a4815a0234984f7
SHA256 50c3bb0625fbc19d2b0a340693669dae56a14aba107e7c8b5ec6ccc162ec0c8b
SHA512 9bf077b81302caab253c191a5cc2c5d373a1680446ef1916990a974ad2b25ef6cfb797fdc02287b533e27a627d4361a5ecbc35475d971ff888e60bc45d17d282

C:\Users\Admin\AppData\Local\Temp\AQoc.exe

MD5 45e9572cd430d4b7b22b4a1ef320ccda
SHA1 cfd94c6d772e1405133bf06fa6f617e6ed484091
SHA256 1b46e8456b746219873d1083e49281ce1a18807223872140c1d37259a2cd7d4e
SHA512 ea583472d98942cb83669221bf1021d0948c0cbfe35ee29390c304b72cae7cbd25276fe3f2bd64804d884945b5413d7ac713d4d9910196f34af8e1589efcbe49

C:\Users\Admin\AppData\Local\Temp\KksC.exe

MD5 c0fca3ae7a68433681fc5bb9f1226144
SHA1 0ad3e26b6c48e59b2468ba490f63a1332e354198
SHA256 8fffd26336fad15b5691de9b109edd0720c0a17f514485de8964f00ef4a23916
SHA512 41a2f90e3d6fcd75df637fc062139a9f91cf139a71681730c9552a3349374480599cf3ac24e33417cb213c884c1623a86a9052d185b60cd62775b27e88aded60

memory/1260-1712-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WYkq.exe

MD5 215a61f47f99f9853ca4932648c80a25
SHA1 07b57ab71d66a0c8a2230144d853932fee5ded24
SHA256 6a55486206e4320fc7ea67a4f5c7a8d2a135c6c77592eeef1e4265e16c68305f
SHA512 48b1fb15f7b2a3102822c50c6f93faca517f214795c5800d62f127893d261efa62e236654c2cf331a187257d559b8be252fe710b498c81b86118d32ddedb8f2d

C:\Users\Admin\AppData\Local\Temp\coUC.exe

MD5 1f6f436092f883b99b52079ac6a8efe8
SHA1 24519136e480d00d4df40e56630dfe980e9cbbd1
SHA256 fc7b990f50536cdbce054d88d5f7f68b7594a9eec69186192169cf701d94098b
SHA512 fa0fdbc2749fb03b31a7da2097b98f64d72256a1797caefd621b493ab7e5d814aff3c8d62e4cb0a3803899d85542b73b10573290737469d794b8698de449bba7

memory/1204-1745-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2488-1749-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAgS.exe

MD5 cc413824a7e1d009a69752d1e947b104
SHA1 44c8328ab5305ad90be8d564a8bc6f05656e4a3b
SHA256 902c7e928203f44c7da3861ae9b30ef21f0408b0c41ccb461a5a5df77e67ae90
SHA512 1a2f39e45662e6740e2a360b15fc28934a29b6b92c8e540e3c9fb5f194dc64848130df0d87063d91a32f63daea86a796b0bf63feb8d0edeade879635f1bb2e80

C:\Users\Admin\AppData\Local\Temp\UYYM.exe

MD5 51c53d7f8b0ff444d8a502e0cabc2e39
SHA1 283f60994a9f206c732fac248aa0b7ec8c3c07cf
SHA256 3eddf709437488ebe0ed54350e0df226633478090930c1c3902f2ba51969a2a2
SHA512 94de5a35c316fb22928263b6dc3df83dd6ecfe89317dfd9ca8d219e18f25b99f273fc68a84bfab82a096ea0421b67d83dfefea3b555b007392e470cd6013e1e2

C:\Users\Admin\AppData\Local\Temp\uUUU.exe

MD5 4f85bc2a048c9e5e94d4ae7bd49233d7
SHA1 b9fb6e6f1d1f667799483b478e022a0a5a38be9b
SHA256 c640fc34b0a0e23b35fd1a9e4870f84ab50df89866ac1bc9d9e799486612be36
SHA512 a4deabd2d6e7f0d2b5a0850910031817c4eca3c9e1198471e1b980df705e707e0be390c5b33c375512273b85194a04abdf24847b98b839dc37b833b19dc9a693

C:\Users\Admin\AppData\Local\Temp\IMYg.exe

MD5 c9aa3b1107c1353d198184591817af54
SHA1 cbae40ada1ae057fbec2ead9e32a43edc52e091b
SHA256 5aeb90ef66d4da9019644b5d787913e2f0f3a7a68597c2cd1409e1a27a3bd101
SHA512 a3997e992c3bd2d759bd1d3a18a5468a0f046736a2dae92e012599e6bb380c6966c0f992edd6106f27c3ce2b248384f956646744d73e1f9b308f14ddd52c902f

C:\Users\Admin\AppData\Local\Temp\eAcM.exe

MD5 00a722928bc006005484c7cd270258e0
SHA1 9c6096245b50dacf2e8ef1eaf4419dcfe5871609
SHA256 a16d007eabce1b79dd07b810d6a4f2982bf4b32699725365e8dfede1a6432edf
SHA512 a133790dbd87161e31452a212466d8cbbf4c31236718cab3552bc234c0b1be04dc97caf1c1238140193f812b38069675bdb546f437030930687cf46aadb44db5

memory/3192-1824-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1204-1828-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CQYc.exe

MD5 9120973a07d994e7a6a257c1f191e03e
SHA1 fa49e5ac8eb9b1b12c7dc20c056124d6c9c34708
SHA256 75b18f9b87a30ac28a95614fc1b64d79de8a5ed021c2f4bd3c8c0f618e93fa61
SHA512 38bb6d9444ed2ea27c7190d9eb37941aad152da7c908bbfa710f8024d9eec9c234e2f60a07563514c59a03ced476dfc1eb6e1c25106918620092ad558cb76565

C:\Users\Admin\AppData\Local\Temp\kYUm.exe

MD5 aea0ad6a9e89d21593a591f4c5a089d3
SHA1 e6bfe299018f88585fd8d2df5a6b5c43f5c4ce46
SHA256 3811cb163ca2e04898912bacce700eff4179755a1e1c6d9930651e80e98b2bdb
SHA512 a10e34dfa72ec705a9fbd1bb2cf500f9bf602171e0a1ab80fd6c8326cd463bd6806f1b3e491a1a873d6a7ddb51e2dc65447175c7b5da604018a3cf21bb79950b

C:\Users\Admin\AppData\Local\Temp\cAge.exe

MD5 4ee76f57b282db35e0989d4f74d6ce39
SHA1 84e3343fea3f76152f191109691759e029982955
SHA256 6b19203854988f3d7f883fcc297a17db9489a56915464fab5e8a07b98a925738
SHA512 2f095d6d673cc4a5feee09281044728827dc8e32803399f1601e8c2a40b3c0e568868b6b76160f716fff874a789b02112f198e50e378c7e4d31e58c11768cc35

memory/3192-1879-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2472-1878-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ygke.exe

MD5 bb9a610aa8edbd38e4bafe9c87d65054
SHA1 9b98e8b4c47a9eafdd3d46179e3477a58536bb7a
SHA256 18cec6070e6f05fe932c1e873dac5b4128f0fc766e2c217f217735bb83c5f84e
SHA512 d4545c76f44861611f530cdb23a6fb66f9ad393ca958c4cc5dcf9a73600c769158a219fcd4664a504676f0109fab2c3485fadfbee77e17dfa9213fb3cc5e7a54

C:\Users\Admin\AppData\Local\Temp\kwUA.exe

MD5 a359479ce87d0879fdaf54c1412baac4
SHA1 f250473aca7229242d50a68531775a04754e30ac
SHA256 0bec1521191e3556d2a54ea8014ce960f7d38bb10aa2a7a609f759bdd5bf61f9
SHA512 988d68fea81b33680e253ae95502ecbf2642e86f8d700712275d85e6870f18a99c066d1b1a4638c6d176907195f94aac5e52f7152c97a45da520e76417388ad0

C:\Users\Admin\AppData\Local\Temp\oQoq.exe

MD5 75f426fb8a22836831de1c253a755fb1
SHA1 2f8175d7e291c26687a10a90d55c3e84957fff06
SHA256 5160715398484e43d98ffcaa0d27d63c9ab963400188731d2f78476c0d0622db
SHA512 862ca06c779437ad6dfcc44f796e9b12735c37a177ab7e360ef03e8d09945253ea953f3e7517862b972d0d78b4e79e27f7f4f4c353d0394546fb968d63dd4abc

C:\Users\Admin\AppData\Local\Temp\AEsk.exe

MD5 65cf647eae1dc0f4ccfe2bf25e2ed228
SHA1 838c491954e83dac796e99437c37dffd16adb144
SHA256 5434db08b65f3118b77b88d9ff1c1d42ceb9f7afe0fe1ac713ac5594ddf1677b
SHA512 80c7fe43615f1b5b06ad94a80f42901ed656bbb93a67c0daa78f103ec45f83f8ffd7bbd2f1222ebeaf49224052e22a086a867eb86f04bc22a51a003171cf2d13

C:\Users\Admin\AppData\Local\Temp\sQEC.exe

MD5 01c843c276c564adc99cef20bb04d5bc
SHA1 21e111204439baca296a59aa664c9ff41af76414
SHA256 083a67fe91f8bb0ffd25e08d8edcd7dd2eed81291aa0e8f567e8779f8b6e763a
SHA512 e20c27fe096e9566f3599dad6a0780618353bdfb9be7e13a943017dde74fff29f8e0f694cf3cdfcbd4d14e68ef8e9b39b2089954f2d898109e6baa892c9f6611

C:\Users\Admin\AppData\Local\Temp\MgEy.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\EMQY.exe

MD5 0c705f02667440f996c797ebfc22bf1a
SHA1 2c2ccbba49ac518ad7c7a3f5098ac7fcad52661d
SHA256 1ea856626affd7048977caab7a42b8126d223e9ef750f0c462262e494cabf3fc
SHA512 47f60082e061c957c1cd618272e3ca2ce89a14202ca10200af248e905185d541085a8c5f57541880b6204611ca7471f9c288b28164ed43be97fb8c98b40f2390

C:\Users\Admin\AppData\Local\Temp\gwkY.exe

MD5 4ba6cd0121b9de58ebbb0af13af89422
SHA1 5de1e77590d1221ed97fa8502c24a3064ea1bcc9
SHA256 780cf32feeb0dfb326460b1370d888c9d7f3f7100c79683c813e306f494d6f82
SHA512 0526ae9735ce6370ca962bc054d9f01615e58d65cf29598b12da806c9be9e529fbca8ce26f6f5bc94e7b1fb6226a17f396f111cdbbb606d8f4a8dcde6001d31f

C:\Users\Admin\AppData\Local\Temp\Qokg.exe

MD5 8917606481a3939d956a30eac1508210
SHA1 96efafaad8fa391544357402fd9c6ab5ade3875a
SHA256 7a1b1de67feb60ee23a7efe7342c9ad93edc2dfe273447bf39b680e17263c579
SHA512 be839f596bec1b524126a1fd7588b55b3c5275ee75243ce0355ce5cf9c7096c5992d92ef4c61bad7794665e5deb1ab808643fe81c5ded093b182b257d05a39ba

C:\Users\Admin\AppData\Local\Temp\gQAO.exe

MD5 d48ec714c941b4f58c59fe39ec03f14c
SHA1 15f3c9ae38fd8903659f56f7a7d38639511874cb
SHA256 1a89837df4bcf2cdc38b26bd4a5566841f3242a57aeca90b524847087db06bdd
SHA512 47f1891109a65dcc983c82462a4b387db32d3d1fbb30fc1073d03deae3c930e0545c5379f42334fbee93aa8cbe9d7de1f083ae5cc482e348c625841c87486ef6

C:\Users\Admin\AppData\Local\Temp\CoEu.exe

MD5 533f9893cd4ba0810d9bf06e8b9ba4a3
SHA1 6063f441e2c99c4023724c6597bae2021451a0c9
SHA256 a90d307801f64e7dba06628654120f8ee4188a788bfde73b9bef3718768f0651
SHA512 b4221f5af497c024e5e8cd1ce71d0ea68b117b67558ce957d5010c450f83a2a52ab23d01b695f4feeaffcf97e9d6bc6bbbbaae68454ef2e561df350cfdf08d7a

C:\Users\Admin\AppData\Local\Temp\IMge.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\eAIy.exe

MD5 0994f00ed64cb325d98b4aeff88c095b
SHA1 be4fa9e3a2e51a68f3eb9e445486ee81f262af9c
SHA256 d0802518f43f7303a52d9699eb36a55ef64efccbd88264e83cf29d4cd32c231c
SHA512 0a156aeaa62e96d4b63a955dfa9bab94170f67dae1553778a45acf3b45035f38ed57186f8202ddb21e6491d4bd472c2b6ec07d75c77c4d228a34e758c4f78939

C:\Users\Admin\AppData\Local\Temp\UYgI.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\OAMm.exe

MD5 45e807fbd5302614ec5b4fd9e9a40d35
SHA1 e9158af268ce0b3230a399897fe915cffec8a1ee
SHA256 5d0244398170a363e042a10009c13efe346ce5de4cf2f6794b6c9ea6a1f6f2f5
SHA512 21ed76519722bc653bd14d3a6b4f0266e38c2342802a51ab49de9443066fc097d10ec22522b6fefdc27d6e9a79d09fdcf19d679b88dcc9caf39bbd9e6c2888eb

C:\Users\Admin\AppData\Local\Temp\kMYE.exe

MD5 4c56ad529ce516407b79a89ba357f337
SHA1 5143c3f71c883ea3249c9ba0b434a8bad71cc117
SHA256 f7ab515254b2b87fc24738951462ad27761a87c661e68a75e20c154e864d6c99
SHA512 23bb7fa48a5783d7d498b7e22f89f0bab85263f5afa8e47c5ed50887f7cf40ca1ad1589e1d60eb6b4b0ce6915c2e78ddb9adbb770cc45d951ce2c2d085ba5d64

C:\Users\Admin\AppData\Local\Temp\ggYE.exe

MD5 be914f0a87f439a502025cc60133fa33
SHA1 adb81f3ba626e6dbec80ebb3ec4c90985353c74a
SHA256 3283a81652c21eea51f51d640f31ca5cecb3a546f9ee3cb3344016f9c88f50a8
SHA512 a410cca3491f41304a2937c2df3a639b4890dfc66d0d996d0bddef17bbd2b01c5e5903a3093654395065b95e8fcc236f88729632d49972f03f4cc76121fa3ea7

C:\Users\Admin\AppData\Local\Temp\qoEu.exe

MD5 87a8d5cfae0e86945a15c52c50622dba
SHA1 546bc9b20e9392debcb995003d3a6444b8a36418
SHA256 dfdb79646ef76419ec2431b8aac4fabbd977198ba790e00d9a8d079187d721e4
SHA512 1e27a89646e0787dccf0fd0124a09ddc9bcd40f8d48c1d93c5942ec23c996d55bd76268d3675d1a47d389348d613ab21f4c8659355d302546be657b443423c57

C:\Users\Admin\AppData\Local\Temp\OMco.exe

MD5 d99a0acf3e9983193d8880ed176526ba
SHA1 7cdf081603eb44478e3ae0f6d753ae8eb3ec040f
SHA256 860adedfffbdae91f683d8dbdbeb6299fc8a3b5432c154692caad03e17677e99
SHA512 b7cf136d079e269c7835805afb21254cbcf638786142dca6f8442d44cd7f8e13b50bd989f0c6808e0326ef8c2368b1785003e9470f331ec505dcf54b227cf4e9

C:\Users\Admin\AppData\Local\Temp\yAgc.exe

MD5 85a47e9c4e3c0c7396bf388443b29752
SHA1 e050e842328bb4370c41f3339f3eb7d7fb4c478b
SHA256 5076e34f29a63824e265006fe932514a5669790b79f89160b67f7bc377c1bd75
SHA512 62d3d72827bdaad5d1ba35f6d707250e1cd5a40b969183fbb2b6cf554b48d89ca75899d40ed5a4c90d8ca61cfedc77b974b9bd659e008ce21988a01efb57af41

C:\Users\Admin\AppData\Local\Temp\MUoM.exe

MD5 8a9a24d8bf7cb0fda8f8e0c61fc7812b
SHA1 23b69b4068f93f99b3dd84b519a6b518d3726481
SHA256 da598b11c2076db9ef1b470c5672b95c8b33ee9d9809f34c5c3fccf710a25637
SHA512 f7c839cd691db80ccc52105336aa5c1155565dfbdcff2d861776ec086c4c93f1939e3591b97b4850a511010be75d3f8becc0ad1f3d307d719402f876acc97703

C:\Users\Admin\AppData\Local\Temp\Ugcq.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\aoUS.exe

MD5 db87c0187b63c18aa842835608d946a5
SHA1 51f8e2bc4f9011a6960c0f948b3318bfba7c6a64
SHA256 e229347aea185b11d3b3005ed71c5670c9f86cb0aa6222ac41fa4f7d146ef6f0
SHA512 a73c597658bc8ebdae6ae4100549d51dd37fdcbdffb48815e281c03a6ce1b0ca71aefca9d5ed41488b48c7c0137e506542a8b6c958794629ded53a890ffb0240

C:\Users\Admin\AppData\Local\Temp\AsMO.exe

MD5 f9c9899411bcccdd2dc3573e2a711091
SHA1 e675444adb4f03b734db93bb8282db9987c76057
SHA256 eaafd1a61b2b328a7f64e6ff60a1757eb1639a0f4305dbf09461c904400e7b20
SHA512 9c9aa3aa7c16b2b9c965657f07fba413bc73e6d25273cbce5f00c126513b8a5e4498fa61d3c05659dad117252a8a08f923a4464fa9740c8f788856cd2d8e7eb9

C:\Users\Admin\AppData\Local\Temp\Yssi.exe

MD5 9ac192b6c6c78b78dae5dca8b7e170b2
SHA1 bd15ff7dad9bc202255b4508e75cee531f218927
SHA256 a60db3a8c9df1b482c65047d1c5be83f97922a584e317885ca46fce9fd188d04
SHA512 455651d0cc7e731ccd0ced3ac704a919df1af08fe372d682bb007a853c4b4b871a6a2a97e4a3c068267b0b5a8c06492bfb1188d315b9276ed0aa5295257ee853

C:\Users\Admin\AppData\Local\Temp\ooIA.exe

MD5 b575cac189ffd723e88679f263aafb37
SHA1 e6e837ea986a2777f36a7fc93ee5f7e7061e65ba
SHA256 cceca792db9538287704fa1206e6c08ff602694f53db3eb8a8015b2bcd3ff500
SHA512 99337d7f9fb3f60af39a288123f27f0e16f24bd6061340bd1667e19f91e55715abc8e635d9b73421d061717d2efc0a93b5b1e77510f78fe95c3e8ff8bec9f26b

C:\Users\Admin\AppData\Local\Temp\yAQa.exe

MD5 9a9b31a7b9057cdeb50c2eb2f808f210
SHA1 897572343d3e83b04b6d60fe11dc832c8704b20b
SHA256 20b577fdd13ee41ac7d737e1875e684e31d276971c967a993437c25ead1be220
SHA512 120ea09f7867b8418601b7edb8db3261a809ec994168dab0471187a2cdc079b2bf1f1eb3cd60cd3322bdc786217550ef9136d05056d0f78678a952c81a0f6e59

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 ac6d4cb9edf6dc24fd5d3164147d4329
SHA1 3d39733b965aee7f3d500a974f6e5e0078b73d34
SHA256 b159d03c95ec5936d473dcd5ac75fa2bed7097b5d82d2277aabb50ea7a2a662b
SHA512 4881faa802c6b82e187d058dda5d7dd6e36f587a6d00e635ba6884aee321fdcd727d4d8e841659c008fa9ff671d1258687bfdddb84f3bfabf34a81107b215cab

C:\Users\Admin\AppData\Local\Temp\SIgI.exe

MD5 d46b1340b3b67e2280e2fcb70ff26656
SHA1 b876b2473840b3d56e23fc181d8a8dbe4a4713dc
SHA256 668023ccd215e7bf1bb9ecc67452ddea570e3e529b6dcbd193d990edb87a36fc
SHA512 7ba01934eac968319ed4b335b4688bbaa4881e20fde00b4554b529ce2166fb71c3fe7fb4dec21c56bbf0b76a8fdb6c85b747e0fe3a170a8c6924d7e3c9870095