Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-cfrgvszerh
Target 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
SHA256 c3a52e7cab3aae3f7d403144ea2faf5970f2145c3e71bec435c066588fba81d6
Tags

discovery evasion persistence spyware stealer trojan ransomware

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

c3a52e7cab3aae3f7d403144ea2faf5970f2145c3e71bec435c066588fba81d6

Threat Level: Known bad

The file 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (86) files with added filename extension

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:01

Reported

2024-10-18 02:03

Platform

win7-20241010-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical row recorded 57 times in the original report)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical row recorded 57 times in the original report)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lScMwIQw.exe = "C:\\Users\\Admin\\mKsEIcsQ\\lScMwIQw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ouUwQEwc.exe = "C:\\ProgramData\\dCYMcAMY\\ouUwQEwc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ouUwQEwc.exe = "C:\\ProgramData\\dCYMcAMY\\ouUwQEwc.exe" C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lScMwIQw.exe = "C:\\Users\\Admin\\mKsEIcsQ\\lScMwIQw.exe" C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical row recorded 64 times in the original report)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A
N/A N/A C:\ProgramData\dCYMcAMY\ouUwQEwc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe
PID 2444 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe
PID 2444 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe
PID 2444 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
PID 2444 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2844 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2844 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2844 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2444 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2564 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3044 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2872 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2872 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 2872 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 884 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 884 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 884 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 884 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"

C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe

"C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe"

C:\ProgramData\dCYMcAMY\ouUwQEwc.exe

"C:\ProgramData\dCYMcAMY\ouUwQEwc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkYssAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LoUUMAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOIsUQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYsEEMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEMwgcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEswYQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwUQwwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIgEAock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAQcYEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuwUMgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCQMMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWsYMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKYMkcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWooAooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacgoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSUsAQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gaAAEscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoYkYgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGIAMkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2061874226-10872817861228594915-2066508853-1610934505-1290576343-1849610217-886149971"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGoMAUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgcgIwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1225731590-151279431-969689503186118060021013533392075054035580652598166361389"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIQAcUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcMEMskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "423589352-457269844590639371370101970-837868254-6304348039622731512035297933"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqkEwIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-183403387-20224823641318124498-7375306312143196995786002548-649993257-577091787"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2055119661524920360-571428158-1970467533-482682805-64403808-1433996204417965975"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyUggoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "21396382481262991894346598861-943517963330444332-462441780167316668-600897040"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcEMoYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1938558442806336565-4759960451301128664-48019161615743249011228606399-1115698803"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-84274055129878738314291623901716750102-695236838-79584940391481912056650346"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAwgcsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UugAQMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyIIEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiAQAAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYgsEoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "680699757-4909836741098084422-62183800-1549948216605068648-2047370462-692278522"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwcIAkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIUsAUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14310309794677333271734393142-451586146-14769399801264671598-1855822098737610842"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5269116721011395720-1903760212075482326-5330508406561823681946572455-949690313"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWggYEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-93190903845225194-10074428131407865528-2028662862-78782031-1529944506-1338031969"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13567614711131434855997836617602442457-6236380031427441714-175563707-756341841"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2012853364-1291699275-352133198-247533103-1738982185-1325165576-211282788684204560"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeMYYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByAUMwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1010777062-2825818261221836812-106707427-204069844619537615872101749811-2025530268"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owQoQUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQkokQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKUUIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18703576545864855221723102642-849816809-1510609045-653377251-403645138893564930"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "174615314920134007-250580094-19331093202107016478-2039163609-811315902204459069"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "905140426-593544484-519007602-1057747206-1191850960-181362718-933458572039397116"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsUUckwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vycUggYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4986087592085770720471128460-1810595925-59677944534197816-509661791-1638742029"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcsQQAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1299017410-1141705419-1877068044-1407202709-1032034554-1082661021-3316443281469739196"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSEwIQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1860933506-10104913711829744449-2833699-584126840-8869816562132448505-1166354095"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2107635485-18414889031285329180-10896113881163641944-5636991396865374561422601326"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "24409380110992033135090414102717661661425814814491536641925991539-1457321204"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCEIAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2618435236256490422136459925768483669575281838-19680948371879670968-1334309010"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-37110533713506659001599226083337225349-1728813790-2141738620-16429255842110470595"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-195767735-433474215-20702957181788445866-212249860825122270411899237972117301715"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1233169439-581708889170682316-2140974199724983192855969886-934075580-913945942"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoMswoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19478178811072892953670861233646718334-525588307-138075855216552157031372230575"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeEAUwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWsgkMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-55145746-2029250919-679463579-742309050-301280780772177311-1367247033855112723"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkQYMoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9845446102136483112-5829700081144971339-810944984-104727232609692802-1135244507"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4746448111628687195-1691012417-1763046800-15934267899153247862069685010-1180814452"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcgQUcow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2061741536-130569470920435895792084926005-251345342-467538909-1552244867-769430616"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoQgYggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5650921401304279056-1117004897-117021565-2783614076866882691825665990-787400073"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEYosswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21262361232075149606-1081501742-175243302469086343087004987111179458101395220946"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUggcAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOIAYQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1972567433-207412100-652925144-650984302121483718615652408601088633302793429497"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\puIsQEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1287471696-75560586713169281361312531391-17277900262043060591-148624007-185592067"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2010363258-163366370016436935911865204325-846592994-576589352-205785962-1233149818"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYgUMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqwwokkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2099377187-6543392021455327515505193498-120489090-18977343571719311337-1689852828"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-861146297807789266966803649835766737-1988172031629691768-13177281371077836297"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1024276780-854938442-546265602-17494860681453096837-1246243188-1372290875-1330714697"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.169.78:80 google.com tcp
GB 172.217.169.78:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

SHA512 a96d5a7d55094b2ac87a14ec0aa5a0a147f798f0234d466910753675ba403f4acdb7f888547b746378aac709ea9a3bb1e3b57181946e24185ab9280470cea4ab

C:\Users\Admin\AppData\Local\Temp\AIIK.exe

MD5 923750373023ed61e8e1cc893d04c90d
SHA1 991ca8b73643d5828ab9d19b0d601e95e8b6ab89
SHA256 bcf4f60ec84fda4234c3c568a69a16e7ff809bb87d7920ac5658dc63d9279bd8
SHA512 8fb59b90ff1234c9a1997f63af4a6d89942e45caddb6e29f6ba5219cb47610cbe10de7b29c8d5f7e8f866d24afc0a7eb433b509b401969779e432d2fc40c5688

C:\Users\Admin\AppData\Local\Temp\VMoE.exe

MD5 dcb02a88fb4a2dddb5e870ccc254fef3
SHA1 486e405f13ce5731f293654272477dc2f0e2bc76
SHA256 5d806daee84b4bd296934e045c4d41b439b345be512d8ca0282555b918fe05ef
SHA512 2e2fd1ca3ad8610c01dc20c52844222ec43fadebb0414602106e5f6f4e3aa61d7ae6d13605ca934e8bc9fc749eff761491b37051c8602f7f456436f03069f0c5

memory/2360-598-0x0000000000400000-0x000000000042A000-memory.dmp

memory/316-597-0x0000000000160000-0x000000000018A000-memory.dmp

memory/316-596-0x0000000000160000-0x000000000018A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tEIE.exe

MD5 d76eca2d74fdc6cefec5a01d10b7f51c
SHA1 573ceeb386e8f493795a7b0331ea03a395dbb63e
SHA256 80bff3ee5e710a33f2fd43e8ad526bee527ea53c98bf57088c0fc6b23fc8fd6b
SHA512 f93f1ae767d35412c0038c6a2b68167caf14529f02d16fc1939f4d09da53e851065c3b4d63129411173e12592832633344ce743640adc1ddf17630cbde276a20

C:\Users\Admin\AppData\Local\Temp\mUMU.exe

MD5 e5ec723322074fe5a58fc13c05a14dc3
SHA1 d8ed4d7222d49f7cb28c309e2256252326ebea83
SHA256 3d84f480611422ed733cea5faa2102006bef15641c717a1332fd86f4e7eb78f7
SHA512 6d552c2b80cb02e19fdeaf1eed14265331a3136f542be30a3fb4c2e206ee6d00a0a97ee9241e6e78adea6ea4d31a5cd66f844ad4b372955dc94f898b4e0e2a6d

memory/2340-633-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hIMs.exe

MD5 be6077e17dfd01139d624e922eb9db20
SHA1 66ad6061c0cf9f3a314bd877bd898e328a28951f
SHA256 93273384d7b006780b14655b9e3449461333e8aa533d3baad3c49240b436115f
SHA512 5ee3da21ea729037d8e58a5dd386c24baa669f6f039bc3213022968f405d3d1ab81abc87dd943afd185ad8c7fcb470191f556c63ec9b994961d403fd3625f123

C:\Users\Admin\AppData\Local\Temp\kYAG.exe

MD5 72b352e8363bcaff73d08a07e70ac2b7
SHA1 817fc190ffde33a394bfc2705bc6bbc509b6d84f
SHA256 bffae436b89f74e4d62dc2918bb4f9b9c66238de248b433a0cd3df547beaf08c
SHA512 67af100cb6dac102e8d375908997e27d218e5e847c8cb55916fe93a4273ddf9d19c058f563af1306e88c7e22cb72b5fd8571e2d4e6989f309b7592757df1d5fc

C:\Users\Admin\AppData\Local\Temp\SgAQ.exe

MD5 20a597da9f29211e06f843709adab752
SHA1 1de24dead481486be555552ac989a8deccdb78b4
SHA256 545b36ff4deb6a9c0164fb280695b24828520d165acec61cb8d1c5a09dfecb0b
SHA512 fe06eb3018021770a3053dc15a9ddc1b390791eec46246d08ae6e8a52a1817a80a5dc1bd79fc18bccaf952d438caf0abae0d99a2a2c483a64fe1c6c94408bbcd

C:\Users\Admin\AppData\Local\Temp\tcwa.exe

MD5 c027b71b972991995f0402fcd59054eb
SHA1 6085b5ea42cf6fd8e01bc6e31df41df97acacb23
SHA256 8ecf1dbde2ad73fb08b6d4b3cd80c752b1232e1a770142f9e9a031e7240aef3f
SHA512 208d92282bad8bca2a2d53f0b4b07ded7afca7bd8a34177aae006e711754be2a51b302ff8f8ec22c2f60c1c69ddb066c772066c2c4729578c0fb4d8803292792

C:\Users\Admin\AppData\Local\Temp\XIEq.exe

MD5 c317e6843de9a9181a873ed609f81b89
SHA1 87519d630ed1c5717d236750d305131d08f16ff0
SHA256 4503e4dc7875930ef81192730db2d6f64ead7dd72b1dffee76077c7a0eca6332
SHA512 aaab6f1ca9dfbe6ff9a3f3262f675dde7c37c9d1447dc01b00a89eb3f20b9988e042e91c417f754112c62af2b6c9de9ed4898cd8d97c764556f9c03e9d4b9b95

C:\Users\Admin\AppData\Local\Temp\oooY.exe

MD5 0757cf7da6067ed52a2308f1b330813c
SHA1 de5a4172abc1e96ec0d9c33a095cdc5e8db7e1d7
SHA256 b2c3a7f029fa8d472a15a7aeae0a40e463c4af85353da01085db068f509a4cd7
SHA512 552901dbe28e402819e991ecb802022c027937b0a4d7d0d3b4ee9812508926c3990320b3084444082763d22ac301f5be9a352466aaea1fa379a5fe310b88fffb

C:\Users\Admin\AppData\Local\Temp\pcMYckIw.bat

MD5 af1806552d6610a43c9eea7aaf292eb3
SHA1 535212735785dd4609865aff1bc80e0da7317967
SHA256 ee99ee39d67d9c7fb22aa297632741824b84d003786c561463f74fc36492584b
SHA512 bd733c242c56a6abcae584a023d4d2762316f9a77302646e4a9d5b985947f08c976bfb8c343f3a02f2845d72acd1797e5b16ef0f420facb20fc856ad1eb25e0b

C:\Users\Admin\AppData\Local\Temp\DMUM.exe

MD5 2eba728eabb9b54b5fc6980112e063ab
SHA1 4b15191f65652e91c2e6fe989338f0988f9aeba0
SHA256 24c56272142872d57a98eb74eb9e639fe43675c3a362513a12aa578e227eafb4
SHA512 40f5aec06c1a3b607446c6167eb030c84af2ba9e9146d4cba1c314efa2221a197bc015d42450dc176968ecf4a9129ada795b4f04d051fb4b62bf2bdcf93f26f2

memory/2224-734-0x0000000000290000-0x00000000002BA000-memory.dmp

memory/1320-735-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2360-757-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZQsU.exe

MD5 9c941ca48b79632b2151d9ed0d01d71f
SHA1 efec9b013379db10444f1b9670151f9c10c47588
SHA256 1b155a1c2ad53e34a9e9d1eda6f721ace37767bfa5dd4ed01ef37589ca7616d0
SHA512 d0c4432ab34af62fadde818c16f9305683c8093f2f8f010c9590d8c148fb716a23bfe6ab18a9a06c5d1a233d55cff74bc605adcac4df436d32b2a36ddf045297

C:\Users\Admin\AppData\Local\Temp\zMcu.exe

MD5 dbc6f38be4d862e16d14383748ea2f74
SHA1 fb0cfb1a1a555d354cabca854cb6926fc6a63f39
SHA256 5c18c1aeac6a2c137262a347c846ab4afdff9e2f3eeb915c1718271124377e25
SHA512 af51c8f507d88701ee6314fb97829511aecf21d16ff935010def1b3699f0fc56956ad1dec63646c235bcaff792cd17e1a4365ecfaea8dc7bcdf407a8f60b877b

C:\Users\Admin\AppData\Local\Temp\RgAg.exe

MD5 7d7ee451228c555f07b4e4e7c105c812
SHA1 64472fa1033d99ba5c64d07c971b2ba5608e78c0
SHA256 ba7d4cf1ecfe98e8a50b0d998130c29cb8d1d8c6c5a28a347b2b6b8e638f98a2
SHA512 8f93bdd0b568167a3e4ad3e99948eaffa3c0d33cc158e97437f2601b784a50142e52e2f2e522379e4dbf5b7568d9800084b1b84c42dd4dc287e0764e89539722

C:\Users\Admin\AppData\Local\Temp\nYIS.exe

MD5 278d36e15e6aba9f0f9a3b7698f138d3
SHA1 76dd19c566007e42bdcd5fe4eb219c49761e8ffc
SHA256 b5f45a4f4d0fb745d9b75222321716e510277540cf54908a75a15c2b5057b854
SHA512 0b2ae1be9d1f575992aaedfe243ecfb65c2ccb357c618257407342e98573a82e0b0c061b9750c0a240c618280729d1f83a12d06610dd692887d1275b3e0dac40

C:\Users\Admin\AppData\Local\Temp\IYsS.exe

MD5 e6f695670cc502749942bb926eee3db0
SHA1 42dbe62d0d6202d00463733054b07930049fcc66
SHA256 958f00c17c4b3ecc9b99187b234843bfd52fa1dd9af1beaf2b02230319b95455
SHA512 823a5fb1e89ecec2c402664bcdb32b7125067db8a6d20299957fcf7908fe613c096ae31e7f65ed38546de59f5eb58ffb9446dce96b9d13bfd7ac3f0d214116f9

C:\Users\Admin\AppData\Local\Temp\HQMIowIA.bat

MD5 9fe596ab41b0634c375079f5fcb038ab
SHA1 da3189df0ae907bbb324123f58f1a2a5ac52ca97
SHA256 57788e0302c85112fbeb35fc219455b25500f2ac602836692cc69ac59dcad16b
SHA512 4e30b905324d4756ecf6235023ff304b7810de20c7fd01be04c777fa008859578f2b37b1bfe99a6f9ecef41a7bb28a5f937c939f85737a72d29067fab1bfdf57

C:\Users\Admin\AppData\Local\Temp\bgUC.exe

MD5 6cf80555496a7a0dedbc0abb99c55c8e
SHA1 2e9a265b05f2d145ebb7f2b3b39056f95d75bfb6
SHA256 3352109d2efb36a006fdec01b4f76307c0310391c185eb757cdd53cf0b5ddf8d
SHA512 c2fc7ef3881d29161846a8b06c9261d46821884300af7f962d23738fbd80bc7aadad748ded51bbdb25a750dfa5f2b75cec699d0458ec14a0a667b9410a3f61e4

C:\Users\Admin\AppData\Local\Temp\jcgw.exe

MD5 cdcb88e9c001b7c316a749a056c4f304
SHA1 98b51138cf9c3d9191db6120185df8aa8313b4ae
SHA256 eec7bf71346213f0642e651243e5c2151131398d51db6d8f4ecbd4ed1ac73721
SHA512 777e2fe98dfb97ad5320fcc62f9fb2d33419e096b33c7bdd81a8535bfa42f8dcba5a9da4d5491dc224739b9d108cea54596ea44942b05df04d29a59a593114e7

memory/1636-845-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NEQE.exe

MD5 ec7ebbc660c922273439a544085dcb94
SHA1 e6e6a61905d2df018a2ade0e2671b499675e32ff
SHA256 65707cdc0c9d845b93c88adb2a6242d6b2be2027e3153219b00897834ac5fee8
SHA512 10e0fddb88d7617eda04db1e9075185ec72237d0ea9c81b4eeb6cca92445c9e440521a65005f61f100753d8069d33c53d8c1da70b919ff9e15ab786411c1c260

memory/1320-867-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woUm.exe

MD5 f3fd5a87820d9b920a9896b5486183be
SHA1 791665fe1da7c4c4efc232d579a2c767d2f5a0e2
SHA256 fe0f9616412e84eaf24fc84f0d4aa349d1d5f571fe99a7a712fc11001865bc24
SHA512 2d129a9b7a5e1b3898f29aa67849a6dfeebc2ff7181ea2ca8b5728c7c05c75e040fa4cf9bd68c9518408f239483536dd3573d12bc39e8ece6fe552d5fcec62ef

C:\Users\Admin\AppData\Local\Temp\xcgy.exe

MD5 12aa25989f2283dcc7f0cfd608c83185
SHA1 cbcfcd0cd55ba0a0d89f62ad7f314110cac4cc84
SHA256 2a7976a30f6ac288a93333022aca4641dd7b9ac8c8444ee5c56f2b6329d333ad
SHA512 199893e9fde67ec0aa1ac41d08337a843a76ea1b2fb15455b0d69feaee115004070c6f67ea3d1e402d18f9301ffd6abf5211f08a941ea969da4e4ea94e7c239c

C:\Users\Admin\AppData\Local\Temp\kEQk.exe

MD5 988d27faee56631c7c0d7d6fc7a75b12
SHA1 032a14f315d2a03801783ccf4d406810d031fec4
SHA256 51f007efa84a3ad71b4caaa7b412b4791874f63304d0fcf2ecc49b3ddf59fc4c
SHA512 74c26ec2c411f0fbfb2372c0f62b0605af9c177c793f7a81a1576f0947f625c6193c2cbda9af2ff9ad6a6b26510f128d9422c9ab87e142905fa1ef354c9b148c

C:\Users\Admin\AppData\Local\Temp\tUwo.exe

MD5 e7d7177dc89dfd128d9e9e692f4e5bc2
SHA1 4e011d791ba9769da374127d06f3d2c4888ce289
SHA256 10b04613284b1fa76ed34dbaed098bb125bcb8ed2332f9190f32470fd060c40f
SHA512 0b3033826334a9693be65ed4dbc0009ebfaefcae0a58d02d7fa3bd79b830953ff51ed84b0f54de957329289f7bc893cc9514c0cc6b636314a54e4d1534a431b3

C:\Users\Admin\AppData\Local\Temp\cUos.exe

MD5 832e850a7baf86c6fe7e50692ea8ad9a
SHA1 9c8b96f57047ee39a4e04f9b8a6755d0d6edc326
SHA256 9958cb50fb6fd6cb19789aea843578b4e17163f2804b540d6d5cf40dcb196e63
SHA512 e7efea8e9f26944258f130875ac0baebb63764b0002d309171b5f58a45fb41ff3163bd44c3511f1ad990ac8c77acea7aef08dfffbfcc9371761be7a95ea3c1b9

C:\Users\Admin\AppData\Local\Temp\MMQO.exe

MD5 bb85556351d12f35ae65cf46593f6070
SHA1 5536763a83cda2c049f5a7f6a70073e5ec156a4f
SHA256 19ee5eb35d9dd9572e8efea32f0b06d829fb77702a835e2f81611fc1cc9b8054
SHA512 c282b12bf6e3f2a910e29d0a0c040c5066ffe0c3c141ac3ab4a76a57375dc57aedabb58e7938f455e6bdd97ebc7b54d2c2296c12636aa863065c19388395c931

C:\Users\Admin\AppData\Local\Temp\OEwEUAoM.bat

MD5 8d0f42258d9fad3a3fed33cc46fbe47b
SHA1 d148a2d94d7d2c050b379523f649f858b15e9670
SHA256 f99fdc1106fffadbff9f30d4e6c02edb4a8e4dd971be5f4a7964eeae4550c4a1
SHA512 0bf5a4e3e62f11e355cc9cd60e245613116e317ccb4758a6287b93d1ec333b7032d3e019c09ba077006ab2f602d77593d2ad62fdc46068fd9e84aae2bea0d5c1

C:\Users\Admin\AppData\Local\Temp\BwYW.exe

MD5 fd747c02947e511181a48f943ef61f01
SHA1 3dbb4075d4e2d3a170810189306adeb057dcd0f4
SHA256 15d4923a14c457652cfcb5f9a2f5a53995b956d3eee3f2bf00f9e68bde2b7af2
SHA512 b0cf1ea2b8199bafb0d475aedfa6061d70ccc1f9ba82d4d3beae7b790128ab703323b176a1e557c21ca75cc61180cf018683df2a635a68aabc25e4a5810be9a9

C:\Users\Admin\AppData\Local\Temp\MAsk.exe

MD5 aebff2e0d4d843bae4a4cbc42b8ec8e0
SHA1 97bcfd1d93489b48adbef0dac54c757c732aca5c
SHA256 cff0d3d03210f483e472ddf7aef09efaa6b5e841c06204168aaefcc9af0b7fb5
SHA512 42e92f9d1ed02d2c568ccf748a224be5bd5ba8cf3ff5ebba4eb540767fc6a5db8f42b639efdc27af5e64a85335c7866237e51ff4741cd2b8b6633906648d4634

memory/3000-978-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2308-977-0x0000000000170000-0x000000000019A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KkkM.exe

MD5 8c610b1269d53486e8adca2d996a09ba
SHA1 3007233b0314656fdeecced8926550bfb532fb74
SHA256 e228260948b6de004f0e27d1db02372b6017e70f75ac57d1062e590a17d58629
SHA512 9cc5448b063dceed069c5d24dab92ed4a2fe41cdf51b9f6eb635d6f42b7a107da827d9dc727b1f3089afea99835545db92399cc082f9cba7512eabd907bf8af9

memory/1604-991-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UEsC.exe

MD5 c38f516c9a89a5b9d63452832287ace6
SHA1 f82543253816e650ac2bec10477e264ab4454de4
SHA256 f4a23181c3694b57af8f6f6e40f69356b28263b5b33f685510f05151c4a20673
SHA512 846ad957e8b0f4af5516aca59e6e892338dbd002ff7177a1c8bb944c426a0c8a7cc43281fba539d177d244c6b748fdbd565f2aeb0cceccf908f04f76161b0f37

C:\Users\Admin\AppData\Local\Temp\gsQq.exe

MD5 cd5bb3e485d43bafe1e9a9314ca5b7e3
SHA1 b5c6fd5ba4a7e8dd54df6134fbc53391a4a6e075
SHA256 723585e1135e443cd96fabf1484864544e0822781f35bcd9affd5935fe684368
SHA512 32a5e2185f81dc9f35f8ed3f22d74be9e66e18593dcd086bc389af943a992ee0e45c0f288c69d0aea59dcca27393c02c9cca9bf377afb01e431aa6c0cebc9114

C:\Users\Admin\AppData\Local\Temp\UYga.exe

MD5 aa5d48c0d50fe76b110839340edb12d6
SHA1 c639c9be14f3ee87709cefd76febbc0166dd343d
SHA256 2207141e46a7edd8a60fa8f57dd2b9d14e03bbefa136585cb2fb0a71215086ef
SHA512 0b33c9699065816489317720f91ca1d49ba64f3b7b7e51e46c0b19e44780a07034e15efaa87bd0896367d2c8da810d198c1782acc62e756c97902feeab84a329

C:\Users\Admin\AppData\Local\Temp\FooM.exe

MD5 cdb75c3158d8188982e85379510ededa
SHA1 a86921985a5df00923c1ff1c4e017fbbd7c436d5
SHA256 9dfa7ff1f9b29c381cc855aa145bc2935224cd1f46480c9dd60a1f0705c137ff
SHA512 b4c6b067e3698830d784519ee1dbbe509bec72d997f6b9863c67e2b74c1cf295fd0eb3b39d09c933f2214e2820261021e441f07983e341f3afad453b374e919b

C:\Users\Admin\AppData\Local\Temp\DsEoMgYw.bat

MD5 a6989178b4b34052d0fa7f70cc87247f
SHA1 efdd8df4062fea91041b8193c6ef09fa69b69990
SHA256 7f41d95e76aa7f9f2e0aa1e4b540415cd395b8b00d6d1194dc2e238a5fe1fa38
SHA512 2d97fb44c04cf8b9c98f78908a359cd326642bfa2e58e276fe153b6f365b99cc914a090e8e2d1ea207b1168efcb32aec73df80ed3e5589e163c222b96d04637c

C:\Users\Admin\AppData\Local\Temp\eEwI.exe

MD5 5e377c0dd61fbea7ad3b8b18e5556b43
SHA1 76ae5b795438134ce2d47c4835f7796ce56f8e93
SHA256 445fa0c3b228753ce3d0988fd3fe8f5f4deafbd2a632ef07b71aabe0502d86e7
SHA512 a29b36df0e3dd3df61db87f378ab50468f92497aa9229a9672a8a571c8edacd814a8b4ee004ac11cb50543c9fd3630339fc9419f144a3b589c7da0aea2bc91d1

C:\Users\Admin\AppData\Local\Temp\Loky.exe

MD5 52339a3e37ad0270aa535912c47b06da
SHA1 710719b571da973bc113cce0b06d76c22cf1044c
SHA256 2f06f82914fb3690ca098bf5a90f2b2089ab1520bd079e850b69a08d5726ff98
SHA512 35d57b71f605bc1a0e707d63e2661120c0383720e5c3cdf16c31c2d724c09539fe8ea4a1e231b92c8db1c0a73d4d344cec4a6603745038763b9fb59617aad9b9

C:\Users\Admin\AppData\Local\Temp\NIoG.exe

MD5 dfcbc9b1eb3f4e51d4b9dc79bf29f5c9
SHA1 679846a6e159a15b9f5f7bdff2559960876c6af8
SHA256 e92e3b30d91c9df5b22ea0f3216d936ac14c15599049ffcc8d39bced4ed84f8a
SHA512 47d488d8439d623e89aa956dbaf7e3220f2756499e6631cb626b6452f5863ce048f154311cb48b982eaca43db56eae906d2578f8784052d58c2641ac01da3c54

memory/3000-1113-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2400-1116-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAAa.exe

MD5 7794241cf60fb52bbb8750d224026a40
SHA1 9e0f78bb8a90eee978b498ab8fd684b820ce1bda
SHA256 7a0d296d56f2efe10d2210101463b87a8dd1f8a33101b5e0963b9c3a64ca01dc
SHA512 2d881e4953dcd4fdac92c71d488057e110752cffc3b0a5999e33568fdd9e1e8dabccdc043f2e5e8bf42ab6a626b487870adbfcca469c7eb0652fe1459009e034

C:\Users\Admin\AppData\Local\Temp\sogU.exe

MD5 2dd1462cc0f6e874b6703ae325788983
SHA1 25f6c1e9d2484d8c5649ff76fd907b7f07529a70
SHA256 8cbf4e9a82c8e6ca5d76ca41acef33db9ca3b8d0103cd148e7f4421629b82917
SHA512 6f8c17fdd405dfe08f65b494036c4ec1f4d66b63c1bea0b926ee8e3d9414dae8199e0aa047000345988ef5dfd72891e8b0d326a2c05df131c9866fb41c6013dd

memory/772-1115-0x0000000002280000-0x00000000022AA000-memory.dmp

memory/772-1114-0x0000000002280000-0x00000000022AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LwAw.exe

MD5 76aced65db0b1e8146834802fa1c928f
SHA1 5c7d42647648472958587621f77f42a6022c49fe
SHA256 2d3cbfc435560f55ba0142a6e2f2b0ef2915ec4a7c250baf37caaa401c6727eb
SHA512 abf5bc28dff39d0342392d9009de90d59cac04093da76a25751ad0357e386d41adcf71cc300da700bf5d64c110f7c7deb855a9dedb29860d4d39b06615251b9b

C:\Users\Admin\AppData\Local\Temp\wwwo.exe

MD5 b6b117160fc7e4b7b8b5a68c2f4434ad
SHA1 d778a4842089a9ed937a3c7cbba69135bd1f6fed
SHA256 8d0cd700a7280ebe08ed383564c745aeae71f7abf8c45be148e9e31179cf4c26
SHA512 1893a240c217b11d10283fd8d1b1554ea10a5d5223e298c4114465c8878cf1fb6ca7a91a83fd6c39a481f66480a7c41d693e441fad219c739dc21a4b64c745e6

C:\Users\Admin\AppData\Local\Temp\dUgI.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\HIgI.exe

MD5 893aae0a648989ec5782e996ed948a39
SHA1 a21c83a2ac75292b34e3b48c1cd66b2c1e803db6
SHA256 200f3039f2cfa9d341be0fb54af14ef66f421e3efb02edece823f45a2ed73c81
SHA512 987f43d1ff682c347e1f42ef9ea8e37f4118f97afbfadc43e9cf3d186ef7a1fcfaa6d6eec20b29fb11202968bbc1dd9f0d7e610c3b633ea173875c2cbbf58c3b

C:\Users\Admin\AppData\Local\Temp\WIUMMEYw.bat

MD5 459aafcc0bdd5cae34e974761f5d4cf2
SHA1 695c16265906a69b094dc66328cb9a0a95b924d5
SHA256 0adf9af416681d68ff638ac3b4c4a05e86acab60c365de65765929e54560c855
SHA512 9c1ff7c3bac9d6c0225fabd73997587334227685da34798b5bb8f5697e4d25e4569f641d9b505b073e6441ef3c087a1b653f1d7d0a4fe8cba6a0ea8cf087d177

memory/2116-1193-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rIAe.exe

MD5 aadd9e433a88cbcb47be105b579ccc8a
SHA1 163b4a6f1ee1268e6ae156fd72aede47d56a2daf
SHA256 5ccd09c17c84f06bd7d565300f7eae009f4c24e05b689bd1a58889a29ffe8762
SHA512 ad3f57875d8102ddb480f9d26fce3c5bb4284caf2b1617cb34e9bad4f468bc2fff2b5e44558cb3a87d84d1de58d774abefe41a638dfa3c185f77836b6f40f572

memory/1960-1192-0x0000000000120000-0x000000000014A000-memory.dmp

memory/1960-1191-0x0000000000120000-0x000000000014A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssog.exe

MD5 264545ee5e8fbe4a56825e4f80f46781
SHA1 6f964df11bc47c1ad7b68367c69b718657028361
SHA256 fbabd2774063403f7581910c6b35db6bb10a607249ef214cca2735409511d35f
SHA512 1c2ae2ed70b558ccaeadef2e2b1316dba931108d040119cd15422f4fe7e1e4c170fde4d9922d726da256b63d2ba2c5d3098d3de1fe9ff3dfcb8241d105c24cc4

memory/2400-1215-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sUkS.exe

MD5 1a4bf1937b00ccfc5c7cd350388d4b9a
SHA1 c436b974fb31cf30d70975496996cb9f72050c26
SHA256 018edef025337e16dcc5324b5bfbfb4fac43472c934c2b185417edad36af710c
SHA512 12c2efb45bbcffc206903bc3a3b9df50b77857e38eb49176d43b3e8120b3a9ba56534d1c55d21bf5f1bea24e66a4676f9eb74a6147aac7695e6e2bd50ed08580

C:\Users\Admin\AppData\Local\Temp\KacAYwAI.bat

MD5 429a2b4d178a80fb94d4ce5dfcd9a0fb
SHA1 c7bf20dc75a465f93ee5d71503afe992d901e598
SHA256 4dc9f2be8190ef319aa848450a950cdbb323e09ec38023d27b3a5d4ec4ea8ede
SHA512 62fb46c0f2ae48aa8e9454ab6ce70b52036d50837d8ecb6c2aed8bcfe1140027ef62b4d8511d1ab8e2a28d8399a9a58d288a1b09ba99ef4847e38a5527c06964

C:\Users\Admin\AppData\Local\Temp\PQUA.exe

MD5 2f84852f37db1ec33d8c9afcd886726f
SHA1 237f5d53bd7cf895b8029d41616da34ecfe12998
SHA256 5ca4c4ee688d8366913b2578309577b9f35520daf5058377056c6196321a2ceb
SHA512 2cbf92f6c6b21e02bb7613359737cc7bb7968ac9241557aaf89694b6f866242fb31ab177dc1ad993ed237b17782713f57972731ee699767b6a816ef724c74ba1

C:\Users\Admin\AppData\Local\Temp\HkMK.exe

MD5 f5feff36c543d62bb0c91b9dd74b6efd
SHA1 309c085598318cfe5bca413b323012ee49ad0c81
SHA256 78713f198e92e9afcdf712eb1e98a1fe0676b8c02ddd1be88a52dc5d362b2b75
SHA512 9d7921fe35e4ba6183af593da0fc40cc29d59f92a74ecfd5d476d7e0bf006798d4f686474cbb7ff5f97d3466e2ec8b11cf9ee11c7c298a5046ccb5f6c039a944

memory/2060-1287-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cQgE.exe

MD5 82d8921b633468cc9ffae686b4f7afe7
SHA1 bcbc2d0bfb8e19de467db200d769d98103eed17a
SHA256 180757e34e128ee9abc3f169d419f772935982f50bac49e4a2bda9166d900b1a
SHA512 3d68c35dbc03f8f1a88e59841415050f59d664337925b1d7b793b86ac15ee4197801c4f99e18c578dd1c81fdc8394d88418cf9e88a4e502d0b077ad5a157ecbe

memory/1780-1286-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2116-1285-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SEMi.exe

MD5 ee7613172ae93dafbbbf93ce45de29cf
SHA1 6ac81e7596e61f24c1d689f2ed6fb397be15e32d
SHA256 95ffbd04943c0270cde39bd4f9b60f4459350a858f7026b0226aae959d47267d
SHA512 badff1410e4536969fcfc02b08e3a0018328654b4bc0fe6a73686209ecdcfbff25bdf8797f0743c354380558e4e0255527e9eaedd7c7295d8f60fca2c6f1a7dc

C:\Users\Admin\AppData\Local\Temp\OIkm.exe

MD5 945da243ed8aab82ca191c5e78137dd9
SHA1 066dd2078060677bdabef79b967194ca5ef2ec91
SHA256 ee02bcd3b170c7e775c38b9de920fdd69de851d4bff42f83e65b24c643cea54a
SHA512 22a07a66ce48e8faf83e2fdc502503717cdefa1ae9931e2e8912f419590b307d26999e187b4df2b61ba4e97f0c35c7c8b80fa15cec01986f7593c7d075a9a22e

C:\Users\Admin\AppData\Local\Temp\rwMy.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\OQQS.exe

MD5 78cd9cc35d09e8e63712aaf2de4165ef
SHA1 6777164a9a166dd76c97f373cd4a9bb7e3f4ae86
SHA256 d2118e117bc4877e9886c862e1df26fbc60689bf7a9caf2c1be3bfd55bf750cf
SHA512 a5707b1d66e1ee8269de9ac02584a0f2322b8ef0afb44be02d19f77acaa9d7ba7d7409628c2f04f21ef1c0c304930bfcbc0784b7fd2f77d2ffd97e238312e6a3

C:\Users\Admin\AppData\Local\Temp\HgUssYEw.bat

MD5 faf90a3a82b01fcf6d1ac2243466253e
SHA1 ce9059c68daa197ae6939d3c7e1d118556c54ef5
SHA256 b89a38f797b619b8a905160ea5080d2b3b273b293dd63237e80ad47e127efaa4
SHA512 af98f36561c014047547797588288fa96d727e8ce384b2c747a8b56942b5ef52abc168db4d61a6450e1cb4ba444889e63025799655169b45cef1ff73d966d1e3

C:\Users\Admin\AppData\Local\Temp\tEMq.exe

MD5 64b0140b3dbe8abf2de1a076f32e571d
SHA1 3eeded7f2b3567661191ea6bdd8e58b9306f087b
SHA256 578325163b2861943eae4403b466e99e0151cf78d6d4f2b9029215afbcaa2ae3
SHA512 7411e463d826f648e64e558cd2b8498ad42fb01db3d6ac7f7277bf4371225ab02a907ea99ae80d246440f62bf2382439b705bc4a88d69c93f5c5ad5bd710b7ee

C:\Users\Admin\AppData\Local\Temp\ZgQm.exe

MD5 c802c26409300949cb85c1ff0aa387e6
SHA1 959981ea2d55ee9c0f94ba3d137598100eab0be9
SHA256 c8ae828fff000f5b8f95d632938d673f3b229e5accce754033307b32110f9e19
SHA512 763ab67680661887ba2d492f7897a408be59c911bb4cff20070167f614af624e694930345bf35e7e7ec1ace9370cd0cd789c1a6d1c3ff5f9bc262601883926ad

memory/2060-1383-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2020-1398-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1948-1397-0x0000000000270000-0x000000000029A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NwwW.exe

MD5 f930ade0df1ea5543cfcbe44d709eff2
SHA1 a1b2c168d63c631aea482000eb010942bd327d09
SHA256 870e87ef2289c204e83362e0b6f931ff7a31e5a6398ea1e40228f35910642a0c
SHA512 a445116e1a4d98d52f95c98253c1eea0192d8660e53a74510793ebe905e5cc5a6efc2f02f758f65e582c4c23606f784a503cfd361ab16aeeae3e093e647c9efe

C:\Users\Admin\AppData\Local\Temp\soAu.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\eYkq.exe

MD5 9224f98af10a0816c6f8b7705515e01e
SHA1 7fdcc7aa0882c05f0c82ea5668d206e1e4dbf6f4
SHA256 b0d6d6a6f87a80d6fec6474b1a7e35d6bb5b60bcf56070c2b6172106fdb4d3df
SHA512 cc19849aa9ef94716dcc992d8e109eb78a959afb93f2def5e1a16e50c6c64839f8cbcef6609880705c79010ad03d2647afafb28a2920243ea3e85e5821497020

C:\Users\Admin\AppData\Local\Temp\cEIa.exe

MD5 e78aa1acfe882b9864f449dd1efb907d
SHA1 f7f93bdf2c7f0d59feba283d1f048e3b2ae2d268
SHA256 670076294f2963170d8364747c16f5edf1e96f0dbd788f60ce203c78c1932bc6
SHA512 9244634e00648b2886d757ce57f916b57984f8d76864c21690497dcca81dcab081efe559e74608dc1c12a2192fd6cdc10e112fdf60d7ff92dd7b2d1e765ff060

C:\Users\Admin\AppData\Local\Temp\oAME.exe

MD5 b1cdcfd0829517d4b1820e84e5ab9856
SHA1 9ecbca2c7f2164916360b819d702bea2a1ac8c56
SHA256 f0c2057e2b0ca957faac4399255405b9a471b6d1e1ad5076916dd7e4b31c57ce
SHA512 0ef25321cfe754be9320d579707c907cb71dac6edc7be967007aca50509ee86cc2d2b92f007f87d9d20fe7beb59768cf8d551c4ac921b0c39113e2a0b6ece575

C:\Users\Admin\AppData\Local\Temp\DEQMsgEc.bat

MD5 32542e920d03c06fec50fe5064036c17
SHA1 7de8166091f1072e57fd84e8ade0c5a395f01b52
SHA256 85c906b231ccb5faca2f3ada71f8e46900e8f118c97fbc1db84eed6808ad66ee
SHA512 ce7f2ec8d1d8a970768d4038d6421cb69cc882348cc2293bed2d2dbad19884239669e807f6553555fea5455ef689142a85a729d55cb7a9476551142f6358c6db

C:\Users\Admin\AppData\Local\Temp\WkQQ.exe

MD5 94b96fd884b2eb6ca0b1ede5f3828857
SHA1 7a0d4c8ce088fff0af8928741df2ec84b3207620
SHA256 6a3938d171d9abdfc1742ab7afea1895a1f0837401817df6152b145ff454784c
SHA512 3073457a089d30ab10f67c5a4b786f5332839dd38d42156bf6d34436434e2905ac7d26c68583d3eb26bd8e0d7c6d87be197c8b263fe93dae8a9e1da69d9130b6

memory/1636-1465-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2964-1467-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1636-1464-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2020-1474-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wgAG.exe

MD5 3fc003938a5235a7ebca2af19003f34f
SHA1 71c3c6632e74979cc7fe86f77b41b2c1a02df6c6
SHA256 34eae06c0e056c8ea481d8f9ae9d84b2e06345b795cd6ab53ea8b3eef3a73e2d
SHA512 9fed42bac915749c3a5b0fd83ef43a63277280c65260055dae6c6d04586d8e670e9b39b4483fe7c73e635f6d4e3969719cfe02b1df1d238e22102b535e0f9517

C:\Users\Admin\AppData\Local\Temp\UwYa.exe

MD5 492270ca99cb3591435880cefed80ab4
SHA1 4dd7d00117e1eea4db83b9dc339f3724926e510f
SHA256 0599281fb889be5d3fe3dcc7f11255c99f2498582b45c1d974064c20af081857
SHA512 76a280b2c3ac861200ccf3262bfbc328fc6bb19d650afc7c997021e6829585fa29f9e6831594135002a4316deb3cd87c35b3462a88c3497c0678c5d40c45abc2

C:\Users\Admin\AppData\Local\Temp\bEUa.exe

MD5 f022689022dfe3c9e8f2c2de7d2b31dc
SHA1 a1412330bbae3d08bb9acbc42497e7bc489aa1db
SHA256 c9d30d0399e08fd83dd64631d293ee7c51b9879ae658608ad5dff9100cb89f4a
SHA512 b2936c999e1ccfaf944b1cd4aaf7d35fd510471c3f5621c922174b146fc40f54a034c8c7843d4c912db95f76ab643077816c6312dd7222665698213d587d1e84

C:\Users\Admin\AppData\Local\Temp\OAocYAQY.bat

MD5 53706e458c8990b1c743ec834b1939c8
SHA1 90b38adf2cfa74d5e8c8092bc3af077060e76773
SHA256 1c3f05fd59c155c6875dc5aa81b15cd14704e8921a23cc011cfd09cfc6a1eb28
SHA512 8f66c1505b3a8b0ea9d11de5c36cb0fbae268688481b3a41dfc4cfce0828d02941989e741edb104e4524c6810b7f9faaed2d917c80347dea1fbccd433bb8d47d

memory/2448-1532-0x0000000000340000-0x000000000036A000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 7c5b758e13e92e52be581b5cb09580d1
SHA1 4133c86b76b6fe103c783debf57053877fafb704
SHA256 6ca05a63b8ceb3fc34cdc2e4d129c7cf1d532c87c16a11d124ef4823291451e2
SHA512 e957b2a035f302c5cb0cdb20aa40b3138ce96abb7f633c343e15a26699a0e20cb01787ec75bb309c21cb5d635f1ec2de8f47cea4a29b656f292924fe097aacf9
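
The entry above (`background.png.exe`) is one of the host files the sample renamed with an added `.exe` extension, which is what the "Renames multiple (86) files with added filename extension" signature in the summary refers to. The following Python is an added example, not part of the report or of the sandbox's tooling: it parses this listing format (artifact path, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines; `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` names carry no hashes) into validated IOCs, rejects digests of the wrong length, and flags stacked-extension executables. The sample input reuses four entries from this listing plus one constructed entry with a deliberately short SHA256; the list of "document-like" extensions used for classification is an assumption, not something the report states.

```python
"""Added example: parse a sandbox dropped-file / memory-dump listing into
validated IOCs. Not part of the report or the sandbox's own code."""
import re
from dataclasses import dataclass, field

# Expected hex length of each digest the report lists.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: a document-like extension directly before .exe marks a host file
# that was renamed with an added extension. Illustrative list, not exhaustive.
STACKED_EXT_RE = re.compile(
    r"\.(png|jpe?g|gif|bmp|docx?|xlsx?|pptx?|pdf|txt|rtf|zip|mp3)\.exe$", re.I)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest


@dataclass
class MemRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def classify(path: str) -> str:
    """Bucket an artifact path: stacked-extension-exe, exe, bat, ico or other."""
    low = path.lower()
    if STACKED_EXT_RE.search(low):
        return "stacked-extension-exe"
    for ext in ("exe", "bat", "ico"):
        if low.endswith("." + ext):
            return ext
    return "other"


def parse_listing(text: str):
    """Return (artifacts, memory_regions, problems).

    Any non-blank line that is neither a hash line nor a memory-dump name
    starts a new artifact; hash lines that follow belong to it. Digests with
    the wrong length or non-hex characters are reported, not stored."""
    artifacts, regions, problems = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a dump name closes the previous entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"{algo} line with no preceding path")
            elif len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append(f"{current.path}: bad {algo} "
                                f"({len(digest)} chars, expected {HASH_LEN[algo]})")
            else:
                current.hashes[algo] = digest
            continue
        current = Artifact(path=line)
        artifacts.append(current)
    return artifacts, regions, problems


def sha256_iocs(artifacts) -> list:
    """Sorted, de-duplicated SHA256 values for a blocklist or hunt query."""
    return sorted({a.hashes["SHA256"] for a in artifacts if "SHA256" in a.hashes})


def summarize(artifacts) -> dict:
    """Count artifacts per classify() bucket."""
    counts = {}
    for a in artifacts:
        k = classify(a.path)
        counts[k] = counts.get(k, 0) + 1
    return counts


# Constructed sample: four entries copied from the listing on this page plus a
# made-up "truncated.exe" entry whose SHA256 is deliberately too short.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\MMoA.exe

MD5 d228a7b911c73f854e5484a01dafbe65
SHA1 acef80153bd6b03681ae44a6462c881a6e2ac234
SHA256 d16c124e8fd4349025b809e0c625645488224167a3fad1bf383ee273dc797e44
SHA512 f543500431037c7b6144dff61e59b982e143fd1a1559e443920df13f9621a83246a486ffc73c320368cfbf90eade5b3f81efb4d4b73b73c7f6ae91b2dc0ea6c7

memory/2980-547-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkMQgMQk.bat

MD5 0b87219a8a8a28d1d5c86da351b0fcf9
SHA256 905fe8648fe3b07af13c6d3e6276f247b778fc5e8e210cfb0705f62b40d41be5

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 7c5b758e13e92e52be581b5cb09580d1
SHA256 6ca05a63b8ceb3fc34cdc2e4d129c7cf1d532c87c16a11d124ef4823291451e2

C:\Users\Admin\AppData\Local\Temp\truncated.exe

SHA256 deadbeef
"""

if __name__ == "__main__":
    arts, regs, probs = parse_listing(SAMPLE)
    print(summarize(arts))
    print(sha256_iocs(arts))
    print(probs)
    print([(r.pid, hex(r.start), hex(r.size)) for r in regs])
```

Run against the full listing, `sha256_iocs` gives the de-duplicated hash set to push to a blocklist, `summarize` shows how many stacked-extension executables (renamed host files) versus freshly dropped `.exe`/`.bat` artifacts the run produced, and `problems` catches truncated or mis-copied digests before they reach a detection rule. The memory-dump regions are kept separately because they are sandbox artifacts, not files on the victim host.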

memory/2964-1548-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JkUq.exe

MD5 8e9b27489b68d37e948a3b849deca894
SHA1 c2b058cec3a112d571e092f881c5b837e910f9fb
SHA256 5a9306ef62bf31a561755863f21fddfb34f9c0ce5d44d3aa23b4a2b48322ee1a
SHA512 41641c6328d0f3bc5ce82367029144e3fce1f7870b7028bf6ecaa49a4f851dedb86a8c6f0dac9f43aaa6ca20b13a308f1a9cfdc33f4c3532a7fdbf1521af1681

C:\Users\Admin\AppData\Local\Temp\HYsc.exe

MD5 ba3bca8d979d43f5ac7ab5a2874158a6
SHA1 415aefaff782068b17df894f8d620239fd1ba2a9
SHA256 a6d4ed22da6e507c3ff743c68834655a1fadab76a4298b2f3ce42a0b7ac4a711
SHA512 7ac14ca4f393696fbf8d282a5abf180bb9d17de2d308e07da41c794394c64aefb4c0b1f70c214edcd45f351942aa99214a77de9784ac22acfd992e32e6273051

C:\Users\Admin\AppData\Local\Temp\IkkUMYUc.bat

MD5 8d30b0e6a87075208c3c4be6519086d3
SHA1 96d0fe951ad1165da9849fc5b3005c7cc4957dbe
SHA256 878fcac4183bacfa1618d1e4d90914140a90b1956ac5f976a18d88e03cd93306
SHA512 6554f76966e4ac84b21be45cf0881ea4c3c06200bdc920db1d26add2778d30e61340145b344783eba5a73b57daaab4b73c90120d9ab923d336d5d190ba65244c

memory/2444-1601-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eMQK.exe

MD5 6a7592568d0eb1be3bd28fd0db483f0d
SHA1 e9b8e4f30029bc2eaaf97c7cb73729c07cc04ce3
SHA256 20983f3d5a67d8bf6f486e308816414accc94f59807c18db23b32c9b9181f594
SHA512 cc7c4969b021026cbd8954afabb8f3969b52cb555be671f26ac813d499a88b0e63129b9538592e936cd811660290ca07845e6c179ba5d57c6f524926d0ccc233

memory/2336-1599-0x00000000002B0000-0x00000000002DA000-memory.dmp

memory/2336-1598-0x00000000002B0000-0x00000000002DA000-memory.dmp

memory/2508-1622-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kosY.exe

MD5 1ffe2f725891dc865e8e06d0d61b5e9e
SHA1 21738dd85786367ae85e8ab08b09781d17c0f2e9
SHA256 2230499bce4e7f37c77fafab3f8bd24169bea85ad10253be40f266608ae889ea
SHA512 5738d1574d1d4de83b507ddd7b4dc02bd9be2c39b77a11105de7d0a4239d48be1b7fd69bcbd9004c96ef1f976c78703bebdcd7f7fdd0950d7ae7a62a2aa958f6

C:\Users\Admin\AppData\Local\Temp\GwoG.exe

MD5 896a63af3ba20f46cc9e770ad96276d8
SHA1 faf95a2bfd016831fd4e73ad42a61b6848ae93db
SHA256 2ee361ffa1f8d1e47da0fe5bdb5c43a4f26ea4a6c89700b7272a77dcdb993932
SHA512 c6fc8428c455def5476ecdd7991ee59562271b5b66009b2e4ff2cd1a336ef8a2225bbaceef215cd2508a95f5e4a9c5e7dc12f68e9e55bca61ce4ba9bcaa8f024

C:\Users\Admin\AppData\Local\Temp\wkUQ.exe

MD5 5c9b8cb271c4c363e04b858c3413d823
SHA1 cea3f113d7a383e7de3e1eee7761c0194dd493bb
SHA256 6dd3216f300d0bd274e10cc4b8840a477efe8cc3bdd51fe9667418bf9697186a
SHA512 de9d3c397bdfc66387b4bd265be99b767e4bad3a42a38768c33c35c9f44e0e5f37fdff1d403651585948e7f12252288a7cd74e0b014588e1e8c4ca3c4cb5ec06

C:\Users\Admin\AppData\Local\Temp\iGAMUQMI.bat

MD5 58694ba59727b286458de82acf595f2b
SHA1 ae3bb5dac66f9fb8bd178d8b8669845ffac70451
SHA256 837e07c45bcf9237aa708a85853d214548b4753fdf984581a4710e3ae0490700
SHA512 5bc662f36475122b25911fb152f1e086fb62762503b938234b6271b3b7d8e2c496f387e911b4b678dfe829856f2277bd5960e06cb1d8046a33a2494b0020b786

C:\Users\Admin\AppData\Local\Temp\posg.exe

MD5 4bb82c4464f8e6862ba9065995f09fb1
SHA1 bb70c0f691e8762fba91e601be0e568ce8b96b6f
SHA256 1b53c97fc032281a7374f7c456c3987e76e07c64cd4206d57a3dc749dca064c9
SHA512 c0e1005724cf5d0f0d906eda02e2e0ad2861da76dfe16a7eea15d0845f9d2bb063e26b2d003b92a38bde6ba27dbfd7469f4e3e86d9e235c95a65f978b7d5b08f

C:\Users\Admin\AppData\Local\Temp\AsAg.exe

MD5 0db1457857463347a1005cb96cb1c174
SHA1 062ad38a4305776a9a80fb4d9514f7ca355a61ce
SHA256 abe9f2ed13c67951b615f5579540fffccaf7681a7f33a6c77247b269e859054f
SHA512 4c32e10d11faf95913ce00bfe644ae74f161b0bf1ac475e819d8cb5de9ccaba2ca16616495bc7b489bb36e8ed990a5cb4d14370b801d3addc1befac24e34b9fb

C:\Users\Admin\AppData\Local\Temp\rEcc.exe

MD5 a944009a4dcd24a3a445e3c7c681c074
SHA1 71311b7d187c556332638d5a38c2f4a5b75d0ea6
SHA256 4da48db0140289a1d1852008a6560ac7372b6e74738ee9af28feca3457125a79
SHA512 a34d6780b797cb99e60c3212688794cd5a622a3523f8ff26b8a303d151a5899004be3fbc84a5197286febab4e8c0ce87ffabf22a92e49b96579d6ba77d847cdd

C:\Users\Admin\AppData\Local\Temp\QKQosEwE.bat

MD5 fbd5529b7398599088754cc1dfdf4639
SHA1 a200082f8469cdf3f569f8d0f3ce7f761545388d
SHA256 9b5acec8ae6eba4c35a687c3680cb0c9c02a62a3355c999ac05ce41b1c9d7370
SHA512 a839180a924c45bc38ef9157c63ffffcd53bd890621dc659227a0eac582975f27fd17c3064348ab671d6bdc72c0cf61f3083e4dada4ffcae090ae7e94e09b67b

C:\Users\Admin\AppData\Local\Temp\BkwW.exe

MD5 9342ae4fceb6015483309ae491e71192
SHA1 004c79cd3ecc3ef64be839a59a077eb7b02c485a
SHA256 9d314272aea883a2e33bd05c64c2cc5c0747c443acf5696757506a1c37338163
SHA512 a442edb2f466703db67b79740574f6147f94360168d95bf8c31ddf20c21dc53de49fef959d5db1b57711f0bcd028c7ebd39d5afd069cbc2433e8ac4ddc456fad

C:\Users\Admin\AppData\Local\Temp\KYUM.exe

MD5 772f6714db915116b9e9889af6de9d50
SHA1 12842699c8f9dbf8ac561fe83636c3655d9a9ad6
SHA256 dab7f321d8393b5ad877cf927cc91b101cdecfcbedfefd31864b291cf7cdca40
SHA512 022e8c380f55178d44bfa3d5e65c5ee8aacbad0e03af09ae311da6a08c765b00d034db92a882a0cb0150df46ca8a8395d91cf445cde87c1eeaac55d92dc4fcd5

C:\Users\Admin\AppData\Local\Temp\HQEa.exe

MD5 a0dea77825ef515829beef14b2d79f81
SHA1 b5076bf99b117275fdee294c643d7f6497454d89
SHA256 a541b057f68c15ff221edf5934e3484f413edc1402de7cd1574531e229739d90
SHA512 f9bbe57cfca840c92ff8f024be4e8e51c1e4cb1bc5586b963fc285c0d26ec4f907fbb3fa4bef7acf039247dd596498971f0413d58963914b1cb2263beb733f59

C:\Users\Admin\AppData\Local\Temp\wacMookI.bat

MD5 7f188de5832cce36a477c596d42ac636
SHA1 305f1ddc895dcd72b73d0c8739e33e8b4743b8fc
SHA256 80f1ccc6bb6f254d25a20aad75156f4aa47006ae2dc8853a043f6e3faa65430f
SHA512 19756a0fdbb77e9a594fb57cc954e1d79c7051d9c02c1faed3504f49ded5953dae5dddd774ff138e8324a9fea738ea26d75418ef4efe7ca308efdfbd49ceb001

C:\Users\Admin\AppData\Local\Temp\tIUk.exe

MD5 2c760924c6a20b0b1d00e586dc62b729
SHA1 0ea102dc2983ea3b3b8574a6667c7fab0acad843
SHA256 d2b3631a4f6396c8c72a933921337be7621bdbd933cc439f84d0573cd7eab28e
SHA512 fd1f619f88060044735c31720681de87eff3fc4724d8130dd8e1e0a582cc90f32058c719b87b5007a8b433a2d9dab0ce9ddc579a436436ac716851abc06b0678

C:\Users\Admin\AppData\Local\Temp\MwoK.exe

MD5 a1dea05602ebe246a5d1291c0cb15c53
SHA1 ba5430c5e070f58403159c2d1ed3bfbe6d1a9ae4
SHA256 55325f8e377a85c6fc13c1f8c22ed516d9179aaac143ab0b0d769f303d56b81a
SHA512 49a71865db42489b46f642fc4422dd8a7af5ffe24576a7e8dcd703ea8f7364696161697cc972fe215c9eada35788cde0f2da7ee02f331b561c4f7864f241a4d3

C:\Users\Admin\AppData\Local\Temp\NWkQMAwc.bat

MD5 4434f36a4507ecb30ad36829f52cffef
SHA1 5e3d787f6ab7d2c5dcf6715f939883cb6fe6336a
SHA256 b809c04e7a4849a6025730bb95f3bc05c4aa8dd603b88cc7da4e0c8be3f288a1
SHA512 ba55f7f4297837920f84e81b495dccee5c6d401dbc9cb7c40549a5a892d85036018ddecbf4e536e551abb2257c52265548715e394244ccd3a4830e045625edce

C:\Users\Admin\AppData\Local\Temp\LQcA.exe

MD5 7fa0ef24263517b1489648af3a36e65e
SHA1 71c981831c63b5a851ce0bca191b4b864c45f957
SHA256 efae8a0d36b64c807ed631987e357a30907143580ec0349096a1583a8f2a30fb
SHA512 a198e82b3b9af3abfcfcc03ec27488bb067ff44ea4d58da83efa6427e1f1ccd94bbabdc08a2a20b1b475a1ffc69ce4eebc24d72f1f0ee5fa5f26605f130ef86a

C:\Users\Admin\AppData\Local\Temp\jEcO.exe

MD5 a7d0a7efe038e5b6ec3b77f6f7c8790d
SHA1 507d5709b009856f2879c761f843001ab2fe877a
SHA256 aaa3ec7eca52400c1748c3fcf78c4128a4207a14a7669dd1f159c9a1029107be
SHA512 d186d4373919c6c84ba1e1dc1951afc744407d0f63e9c3d4e7a77b698d1918a7e80dd6cea5de409995eb7d49e36852e1847b91619eb8801a22a0f80a11fb61c3

C:\Users\Admin\AppData\Local\Temp\jEMu.exe

MD5 ce69428f364eeff84d4b61806419a015
SHA1 cc2e07e5d0b3148a65fd6767d746b3b066e46943
SHA256 1b9dc4056a6a5352a7b6498c4da9960514af0a64c53c1a0c9a3b5ea630721dcc
SHA512 6dfb520513875ecb6d0e55cf9a36508fd791d47ea1c9e30f0e6cfe1f1c04e34a2921bb5ed6b1fed952cd38683c788f211597aa7ebc89890a499842f56013abdd

C:\Users\Admin\AppData\Local\Temp\nEwgMksU.bat

MD5 138aa86b767b4739f059fe160f7dae9e
SHA1 02e2ad6061470828816ba834b450f0509c541f41
SHA256 3508b6c0d15ca9c7d32e3664efd1e9ffffd95be1e67f792bbfba47c30224e578
SHA512 4d664f5b9181161b73e0cae9b874a6dc1c83ce076cb78e8b4e60a509688e1b5b516b41389cb6c7015aa64674acfe3690ed4687bdbc9bc4e1a331125e2bc1aacd

C:\Users\Admin\AppData\Local\Temp\YckI.exe

MD5 e09a0f48f9ddead641d5f4fd39b6136b
SHA1 edd2232bb0c97250fb235afddc213a38713f2940
SHA256 bfe2a0cfabc23d2e6975b77d37205338bb5d98892961ba29ac6e27c3ce378378
SHA512 e1bd23bc7e081d991bd4de46e28f260249a573a78af332352ae198e75d24b05db8058747d7c49d282aaa1c4614a4b25870b14ce80d8472a006e1b57b5f2f90a5

C:\Users\Admin\AppData\Local\Temp\QYUo.exe

MD5 8e9c60c2ce5522fafe1f5c637866a484
SHA1 b21dab49210e433a5e530c15340b758ffab0e128
SHA256 5ed241240250d2d8c69c52d3f9bd69d5f1ec4a29c5dab309b7f1a15c4b75246b
SHA512 c88a244d00cd430736e7202748a7c4718e2445fdfdfe8b0255ba1a12bbab84c1fcf67a97f4207054d54acbbf732910ec4d783bc28b769592e511f2e5b049900f

C:\Users\Admin\AppData\Local\Temp\nEou.exe

MD5 1306ffc92aca112ca19a36445c1cc128
SHA1 ccb54e724a4065db23722d419ba20e34917c2f00
SHA256 8995b874a5adc5704fd8498ff9b243a7e14101263fd7a20ecd758fbf597d94db
SHA512 41d15e5f5c9f9f9accb6ca8669a13ac94505ddf5c0979c07aeff9db8d9c039cc7ae8707f91dcc5da1584aa048e075def7387649fc11c0c419e6f515897819c6c

C:\Users\Admin\AppData\Local\Temp\isQwkMIA.bat

MD5 7653e0dbe9d3a3c89954a33959578908
SHA1 1d4c0cb36fff147779f774bbac3cb3f3ba15da15
SHA256 358169596d84375e5bead2658aa5bc377dee10a0b5ede2f9e04137a4d70f7ddd
SHA512 02f7d39a9249a8f646ac50c35ea3fe88861b73be93e2ba4762092d1b8e68fdab8f6f08fb6f42dc92da8d8082e00d4a87acc9cd156399eb5b51b0575d93b97b7d

C:\Users\Admin\AppData\Local\Temp\aoEw.exe

MD5 6f3178eba53e3a722363c278a3ba7bc0
SHA1 60fe6faa965bb8c9da58a7d4de27ef0163a2de42
SHA256 8d819653acc1465be91647b90e5f22c5b6dd624c8537705739bd41624bfb2780
SHA512 e4b34023a8ceba0206371eac2eb924b9b7d301ad57e87f17da7a0dff14c09c4371bdb85c00d04a189a639625eec7daad11dde956dcd91abd3a29104990b42257

C:\Users\Admin\AppData\Local\Temp\mEwA.exe

MD5 47f1626d56279d81abe016a81e3b4fa0
SHA1 03bd07299ac7f8a79f03d3361f32256fe1f448cc
SHA256 30eb2f9e441aaa7a46910bd157e5bae9d83f2546075c86a14f97ce266da4c6c4
SHA512 b3878d297cf74489e6ba0a214351a9db6e4e6be02369b6034c312416666bbff75eced1909a7d4c7707d4f36d813b0e1c30e8fc3a88853c356629d2b021afcf0d

C:\Users\Admin\AppData\Local\Temp\iogK.exe

MD5 876d1fb104dbfa1cec94a2a831293d59
SHA1 bbaa7cad1f6cc2d9a141147585f830bd7c98d061
SHA256 00311ba7316133600c66e3ee8239b9794bb292c78273a1e468ea26f1f7f67dc7
SHA512 a426a9a1a69d917f9901e958d3905fb5cfb50f347ebd4875c5fa9165e64e3181033daf17d703b477aae582bc5d2e2bcb90f836071b530a831fb3181754d7419d

C:\Users\Admin\AppData\Local\Temp\QqUIMQgI.bat

MD5 9a3f2e5b20790c0e462e9f10c0af2321
SHA1 703e90c12ae65661d15caddabf445dec23adfd34
SHA256 22ce64792902dc11c3f4f0fbf322c3590d80c2b39c16b7f7e0c88d6de798e6f6
SHA512 a6cdaf861a059ec09f59cef0564265bb77f1f3e7b19321736fdad76d0ca4be5bd2dabc576cafa122f43f667a539dfa4c54be7257ab37200269b233efe27d7ae8

C:\Users\Admin\AppData\Local\Temp\WgUA.exe

MD5 af9ede30bd8142c6c0c9cf3e83a31319
SHA1 e034f1c6167c065e845b6da895a9e8229b15e1ba
SHA256 b508e25d3f942075ac0d9234a05a130d8240fc0eac3d3ccd7080bd4f3c0e8c94
SHA512 2ad2b9441e31fdc6ee6b57b24571bb776b9db0c6635f61a3157c17f72c796241de07b7c011642dc3a1e7b75d1076ed6ac13e39d7bc4ff0e8bc10d3ff8cfa26ca

C:\Users\Admin\AppData\Local\Temp\HsAq.exe

MD5 fbbecf4f4b9a727629a0f989910e271f
SHA1 784cfd65e921e26ce1c345439c0fea3f1bacaf46
SHA256 f5c19412b4591d50c478db800538ec20b14bb32f1d738929bc88cc17193bf348
SHA512 555a27f4450ca71b0abf298df7dd4d0a99b2494fe31eb251666947fbd6e8cbb35c2647ea0e9d24627d07654773873ffadd16c7783c0396d4ababa3740812cb58

C:\Users\Admin\AppData\Local\Temp\mMUG.exe

MD5 6110b163842016057c10ff89d981bbe8
SHA1 9f32f30720e9ef975b659804fad59d52dd1fb161
SHA256 c74967ee122c5e267ae2836f488d46a0febbde17a7fdc37e8d8a9d0b471a34f4
SHA512 83e36a170dad681d273075065b0ad0a5b950731b64f241875e6820f637108ef40c44ffcf9b180eb1d77daf216f62812faeb4d9a2bb4323b286e8986c9f8b917b

C:\Users\Admin\AppData\Local\Temp\eSwUUksM.bat

MD5 826db50e50340dfcaf2e47a19db3448c
SHA1 2f6e232e26c054633e9314e311592093d3e74090
SHA256 06f57d8033c880c62484ad6429fd83eaae88fca9efe511b1bfe82676a8ed8962
SHA512 5c1b63b3a0cb40020bd6c97f4f71224b85dd27ca943b48d69fcd90773ab65056f44500be3ed26824a50d2c16a9cbd55fc45975e9148a51f6ee6818bceeaf423c

C:\Users\Admin\AppData\Local\Temp\kkom.exe

MD5 708d036ebbf545ddc199f2d6850ed18a
SHA1 274e01cf6ee828140dbaecfa8116f35a6ca1e9e3
SHA256 3792ea4359797d332b7a8c0bb0771f16d3566137f2b9ea1a4c294ae59178b15f
SHA512 03e14d1426c05a646155983b776eb56928517b64a5a24bcc897da0d1b68ff7f218b926497bc3fc5027bfb47b2ad2ff9c7fb75a3f60ab37cc59050701e59c89a9

C:\Users\Admin\AppData\Local\Temp\ZMIC.exe

MD5 a70f811cb1671c928efe08bda8210bf3
SHA1 16adff2bab374b29a6b684c969ed9220a5a9220c
SHA256 4a1aed66f6a2114e234e4a199cf7714dfce6be5621dc1dddbc994e6da3bc390e
SHA512 05dd8cf022ca5f3dca40d490aa270ebfe9a581d7517074bb136657f1146c0bfe35e6ca6efd847e0ec0d7687ffc89e1660682648c96eea3cb9ef6f8d70475c13c

C:\Users\Admin\AppData\Local\Temp\dUIc.exe

MD5 d6b49d9c3fb4c969de0035a73ae84ab7
SHA1 4f0fb54f7882f5d496c70e10b3d2ccc7a0a1d7b8
SHA256 d64d581b0df2a76e327b09bf62df368321aa18878157834f5898eb24ad72daba
SHA512 f9cf64f425cbf20b52da9c50adb318d36b0bb6ad5058f66c071822f90a88e1468ab9077a5fe6215c5db75ba7c5333c0cc67b02d727dcfc8bba6550a65d80ad6c

C:\Users\Admin\AppData\Local\Temp\uOwMYsMk.bat

MD5 e2be59bd2af9c2505c3ae49920265377
SHA1 2c996cd233723c60746b9d2fdd585e52e951d3fd
SHA256 78df05aece1da8b9bf2483320c997a72f95bb1b8949449c5dc4b490f42982f02
SHA512 e3063078288fbb5c54484cf0719b7eafe672b055b4f4ca90ff6a881e0f1e088c77bb5f794d953f6f2504788b988da27d519c2be651c4da52a29076a395d67abb

C:\Users\Admin\AppData\Local\Temp\noUI.exe

MD5 eaebde258a5df7208187e4684477c45f
SHA1 bb533ad6d8650a2c8d74335d5eb98227b89d7fbc
SHA256 37511dae71b308934b75cc9ef17590d009473841cd2ae0b3575fa30f74e40515
SHA512 843c590f1827418c11e6bbf0dac4ead37befba8bdd981a45b716fd7ebc732d08bafe7ba02affebffd7d156d74a6bed23ffc7260e241a5e610c09873100bbe5ff

C:\Users\Admin\AppData\Local\Temp\BkUI.exe

MD5 26c39179c0b66e08bdb10926623e714a
SHA1 791baaec4d847eecd8416795990931bdec3752b4
SHA256 f47408a4a9a946e22b1731eb2e7e4dbe8064d2f6580988e8e9064aacf7ceb186
SHA512 74cb03360a48e21f56ad42289eeeb6988b8cc726d078d395bac59d410a4ed86b2a98d626c829810f5350c077cd345d1000e4a1e57c1df722eb6986ed3bba5d1f

C:\Users\Admin\AppData\Local\Temp\lEsA.exe

MD5 6a9399a1e3a47d61daa54427a676afe4
SHA1 63f40e93a23dbba12ecab68f98955ddd2b017915
SHA256 83c257ed5007cbf6fd7af7db0e8b1422ef2db882e9cbea6ade9e1933199f6332
SHA512 a9d506b2e06a29a915d8287b684a0db2a654b847f6b80b9a43db6a789fefbafc844ab5cff5cf69858a9b60a8eaafb795a3edf886654b1eec48b276a7d765e885

C:\Users\Admin\AppData\Local\Temp\pAYE.exe

MD5 2889e1a16c0231681a34a927b1429fef
SHA1 b8fe17dce02b6c5db88ff6b60b554fbb71db83a7
SHA256 7282c02e43f08859c329b41c344a58cdf34a1ac9c0817ef7f769920aa53f11a4
SHA512 631d9e5e8e454a27a0c16c42652446372e5997cacae587f793e2a37134e16a0fd5be5830e5198f4a29507416eb24712bd88f6454665adfb2b0b9bd7e61098c43

C:\Users\Admin\AppData\Local\Temp\QygEkAYs.bat

MD5 8a80f4fc9fef5e4e1011adfd64f2b100
SHA1 489969c01511a3442acff127b0223f05752a3d80
SHA256 5c1c80dfac9d54a992371fe6ee9445a5380fa09b4fc7213768428c5a7201d417
SHA512 c8ac945534c7304fbd4b9540e4cd1829ea8ce94d5001ef09b97afce48311144f3ef914dfc9be6629fdf6b71de8757f629c240c6df555965cc428f2820357b4fb

C:\Users\Admin\AppData\Local\Temp\ykUA.exe

MD5 d1bc3df2a34542d1286f680874fdd0d7
SHA1 6e8aba61815133a0296c3e86d710499a6e0e1ac1
SHA256 b15285c427757103d46f79f918f9953f644e0d96520c2d014c0cd1e536f4d376
SHA512 fbfb5a5f5c9f6a7fb116b2596a2db55e14431389d46e8c5183ec7a745f46da8a70f12db0e8fc8a56511e9ccc8bdbed8fad38177040b761c0dc79789baef5cac4

C:\Users\Admin\AppData\Local\Temp\kAwQ.exe

MD5 2e2b3bbcb2ce20372f0f14f9a5a16b31
SHA1 3954f3b62f81c4951ddc0c2ac04b8a046af4efa8
SHA256 ad3ab8caa6aa8ac1fcbbdba628104e365088ad468396062876af890bd2ae7432
SHA512 49e8dea4a34f372177b0c5b038f1d35bfeaadd0fb4c94ab2cf51ccf91fab3b6379660d22d4efd8ee3f920bf3976b76788e93012557bac0156d7c780e567ed91a

C:\Users\Admin\AppData\Local\Temp\AEos.exe

MD5 0f6f0f0d2d986d38f1712df49d4ca507
SHA1 8a6c3917c93de131f3acd8455c0e614a22284714
SHA256 3e2ff083a99cba17733279e948f5c522df280434015e4ce1ae11db35a306b26e
SHA512 5297bfe720f8ca2b641730947855dbea097a716eb682f89269129b20adcd19c005b044e682a7a3414505e015b1787d8f705dba0e51a888ed4783d641a4de39b6

C:\Users\Admin\AppData\Local\Temp\nCMQsccc.bat

MD5 02d767e73bb3735d3fed83d8c6d4c563
SHA1 bd1cafc42111abe9d46f0556aa5583c0541fc0b7
SHA256 14b6bc3774fa6b08812388c08024f8b6b8b4cc438e5b2d8947d70a3894c93bce
SHA512 ec6499a84e22edc699f3e55ac06aa919d492cafcbf93580a1e60c866c2dd9134e4f32eb429815ae4c6642060e287c94d61996be016946471d2b9adab26227666

C:\Users\Admin\AppData\Local\Temp\VOcAQEMc.bat

MD5 c07462663c46ee72d05c86c5cfabd3a1
SHA1 b5e84a0d82380874e043d23ce8b5adda66106050
SHA256 f581b8cf745edc9db38663152e839a1039c0bd4714c56382428a30d8d1f8b2ac
SHA512 2f33f6ee7940c88624caf91dfb0a140b11f649dfb6ef9725751510fe65082ba8cba0f903e3afbd5bc111d3bd91e0e63e40260b4da0a76ade292fdfab0e7aff87

C:\Users\Admin\AppData\Local\Temp\nUsA.exe

MD5 15d944f2c1bf658a474deea00ba4e1ba
SHA1 32fb755acec99aa2bb9c9779fbf879dad330e30e
SHA256 f1e9b176d6547c26236a7daea2ea03bf5c4c80101397348de46e808a21ba5f81
SHA512 b468dc49de705d1b1912bb93a920b94c9cdcb2c4682036a103d064ce82f740e407c2e591708babe55f042ec166d8eb66e973ab179419f7483d97469cd9140477

C:\Users\Admin\AppData\Local\Temp\QIAk.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\dYEu.exe

MD5 274374c039882d80a404bfd7e0256716
SHA1 42532c54ee436e20a1a07d194750eb5798cf5822
SHA256 6865ad50bab53199ac6892c9e4781e23960e1e1d74a86239f2c1ffebd1d5e2c9
SHA512 7d0992f12a7d660ec435e38fe35e29b62a0cdbd344c18b6375d9f31d2abc674483a1be589b3aeea196fb9f3de6ee0dba9b9f96600192ef8b31e3180aec8cf5e7

C:\Users\Admin\AppData\Local\Temp\IqAMoMIk.bat

MD5 3e7a76f1559fd028e9d90e6fe00c56ce
SHA1 af3cc87f73bb5c3cb3d1d6e3726112c282c96828
SHA256 8316d685cb003bebc14b887a63163eddea7336a12b54f30bbc0334921a532aef
SHA512 30cd323c88d29f5b3c34dcfd2264a41f2ef670ff2a8ff8fb95c76549e77181d73bb9c5e680037932bb3113de42e3e13cae44d9d67c9693f534964f26ecfe113b

C:\Users\Admin\AppData\Local\Temp\isUm.exe

MD5 b34f0003cb5114bc0bf7f70389ee7b63
SHA1 75a035f4e0cc1a7f3ff7f63424912237614b6b2b
SHA256 3192f892869749119b2c30c08a79faba4010189919a3996d4f8d6b531aeb00f4
SHA512 66db0e4d7a1b81207bfc9f58440e45be3a3f526c52fb7e45807c18073a9c3175e488f66eb3aa830599e062fc5d428fffabaddc5fb17f777af2bcde6dbd9e52b5

C:\Users\Admin\AppData\Local\Temp\MksA.exe

MD5 373b533076d72fde88ac2cc3431f4f94
SHA1 299b403edd831411eeb8040c21295d67e6987ac3
SHA256 750e97362b3f5503c2eceb595524ec948afb55866623e65f1efc8e6f4c84e046
SHA512 a168091ba1b512d7848ce08ca37d0baa64103695f5caa1b46274373260dbbde47ce2bf09de36ee4e03b766c0c2a960fa4a0016fb74eb7e436fdc5977883a2eec

C:\Users\Admin\AppData\Local\Temp\cAMU.exe

MD5 7fc22846a0cdfa161c344ac1839a56c2
SHA1 d5a0906865a77eea359616d83e3bf10bcbcaa998
SHA256 a753f4c603b1458151368cb5d50d8d7ed778a47f8709600150be87e1407eb755
SHA512 2ee3d529af5e8afc479523379627b3e16d8d9c8755f17c23aa90480445385d024c154a6e3d5c41d14c4f7fd33303ec727609b1f64054b864fd941f042207c6db

C:\Users\Admin\AppData\Local\Temp\mMAsAgAY.bat

MD5 b7b57c732d5437ac16996399d590f733
SHA1 2c46b8f9da8641e70a539199e8aa3bcb591e9263
SHA256 c4dd8573edf76cdedaf4fdc8a89a533b5ec7caa2dbd8afb9701c23c182bfd93e
SHA512 919b030e670a7322fc1b79f86f493c9661ac78b21627f1f87c1bca7d1bdf9f0c46d944ba54b0e1049e722e7b950bfeeb83ad589ff091ec2e190b422432e5a566

C:\Users\Admin\AppData\Local\Temp\wsQO.exe

MD5 c6bfde25b78656d45be935b6261f2732
SHA1 17daadeb03fc7f2ef532de0c58f9784994eb5890
SHA256 cde3399bf7d7427928c6125dec51397f3c0ae5b1ac842b79be257a438378be46
SHA512 41b86d8a1d6b4dc1df2dfaa164ea5eebe1602a640ac5d36cc2a9dff09a444729fbcae54d2b501eaec5c48046497bd49437fe490a5dcc29131ba90d03add0c1ac

C:\Users\Admin\AppData\Local\Temp\mcEU.exe

MD5 65dbd5b6d6ff2ef4d5fc88b100805408
SHA1 03902016dc5b63c2ecc36f0d674bb45d6c1d6ef6
SHA256 0e47475993da2010305eec6a6f03fc34c9146ab184630727132dc3f8b352a57b
SHA512 edf4404ba691b8ebeee1def6fa95aeb0c825995b979192c19653d102488adb4276429ccc89bc50713c59620604c1ba4de2fa776b18adebb56328fa28e4398f62

C:\Users\Admin\AppData\Local\Temp\CQcc.exe

MD5 0d793c51c2da60910f4bbdbb36697beb
SHA1 ffe602e3df185e3996c72a6d0ff8e591ea82139a
SHA256 a594704371452356b05e3197edb397101cfcd3b4277eca738e7c03f1460aaf5d
SHA512 c78291a94d5ea978ad129080bdb837c39d9fe67a10a861021f47f826e0a4d2c87020a9e9aa43f5eb1f6d808b3afe3a6003384e62e1211a50c7c452f81e134f7c

C:\Users\Admin\AppData\Local\Temp\AQMs.exe

MD5 99695d3696fced82dd2c90e09cc9a2db
SHA1 b54fbe67d0ec0a01e3ed3779cca676e9d93a0120
SHA256 5016c748790fcf43ab8fd3b76fdfd4d54180747da97cb84f473c506a5120d367
SHA512 dc3471dc7da6484b762aae2c5b96d9e1d7051205443cd83323e5fbfe0ece904d17d8d0df03a0cc500982246b311a5ca38a6fddef3f978bf1f4e77660a4f98462

C:\Users\Admin\AppData\Local\Temp\CEoS.exe

MD5 534d2513ccce746f8ed74a783f749360
SHA1 98b57b351c2173f3fee7d079f1369c75aa11b856
SHA256 847062d53efaa43b1d96d238a62655cb2611343a5a3738f118a5887a649a90be
SHA512 e2ad803bb7e37ca45b28efa3e91e06409485c8383fdc8b69e0e1dce502182d63a1781d049600c07b815cf253697af715d222206bec4bf0905603b54fa1132d41

C:\Users\Admin\AppData\Local\Temp\hIkU.exe

MD5 5c941526c2eb7d3bea4d1b857980008f
SHA1 1d1bcf957eb992cec77dbaed26aa06a30d76adc5
SHA256 d67018845793f61be27de9e48b3e75dec467d82d6bbbc5bda05e012ed9615baf
SHA512 839986b28cd56738b55679048a25ed0e4c01e1703a17fccb111155523cf99313be9d78aeeea4de272dfe19b71adad665aead9b0bd87ad065ad48000aec507e2d

C:\Users\Admin\AppData\Local\Temp\tmEQMgos.bat

MD5 ed858be67fa419ca12b033313c373ce1
SHA1 eff4e140ec49b6aad8f423eb8117e0564133ba18
SHA256 08bb194621c3d86840cf450cb67e0fdc111ab661cf9cc1d90259c8f39474e155
SHA512 a78803d34b8c0ad9114061c52b1cc25bfaac91553afa7dfb5d63a9d3fcabe64e49d324d80625da77dd695730300c61321774b6775d58e3ac47cc98368a383513

C:\Users\Admin\AppData\Local\Temp\jOcQYUso.bat

MD5 7655d4fe0632617bd860c1358df94d92
SHA1 acb1ebd87bba5e263f36247057bed08cbad45dc6
SHA256 6a2b4dc3df7a1277235e5028b09b56fbc414f4cf06f53a4817d668781a7ef175
SHA512 227f0a79087e609ed86e8abf4ff96927eceab25314e6cc41bd7f4e5c340c577f5e61c9f202bcb512efcb083244fd3b8de792187bd14217f20c9b437dcec19759

C:\Users\Admin\AppData\Local\Temp\CQMgkgkk.bat

MD5 6d4c165d7115fa64d623b613bdf08690
SHA1 ea774e20bbc32a451da5c06ead9d48aa6ace568f
SHA256 15092c6074c3502cdaf773f2c7f88fbf709a39521601a3bac946a7fe0452fbfb
SHA512 739022a81f877838422405bb4b498837349558445d1829f337b432c4c936e3571173b8b4fc79a46d81368ecd4fc0d900aa1b79431bbdd7c5bc55f1215f046ed7

C:\Users\Admin\AppData\Local\Temp\uCQUIkws.bat

MD5 6265e9d06fcf420c8634ba1538e06ca0
SHA1 cc8af5002d167311a323e2d3b6713029dff3af92
SHA256 3772c0abcc7fcc4bf53b29cdece1323f442dd33be72c4b091a582c6bea84efd2
SHA512 0cb8069d25503253b3b1a5e6c7eae76a4c70db4cf0c0487d24b42451b401c4d7ad3d940ad69e6b6430d2b566a9fa3d96698a0f058c281521b7ad63134f872b77

C:\Users\Admin\AppData\Local\Temp\akgoAkAo.bat

MD5 e5ba3bd8a580f1a276621866f23bf58f
SHA1 c85c917847246440bb78fbf316f45473013dc4d4
SHA256 3a1400a7ad28d02aa03914d704dd878d15e5af760130b0fb20ded8a37bc77975
SHA512 7c49de856d8caf57fd8d341d24072dd4e341666af87608efe05a7261e1e4af2f83999970a9278be4d94180ef870764bb4ef304adf1e51008ce074687490e363b

C:\Users\Admin\AppData\Local\Temp\QQowQgIE.bat

MD5 e4cedaf7077f623038659e08ea122e91
SHA1 e2f1d6e71bc99026801de8ce4c49c4e8fafc3b24
SHA256 929f15e29dff37e59be10aada0697df6f6eb0223d5c449e1c955f09f1ca4a8b8
SHA512 9956349fa85894c19d4ee805de399af12730eebb952a77f9a36e04a7367e65010896b257e87491229830f7fe57b3a7313bea0a2b94c0cafd32cdd9f6db5caee2

C:\Users\Admin\AppData\Local\Temp\BuYwUQIo.bat

MD5 de21f703fe230fec78486358628379fd
SHA1 510f7ff9dd426740a64e22fc35ab4fde10d3d48f
SHA256 4ab7d3eb8736c5d6a106a0ebf76ef68375a836a8b3983a686ee30c7f2f72349a
SHA512 55bd128420d70461fa5f2f880cde7da55fe8b3624e65849edb36754ee3e0146f552a20a062a77458a9abc43cf7dad4db340e7de1d3ff9f312e24bb6389056dab

C:\Users\Admin\AppData\Local\Temp\PmkMkscQ.bat

MD5 0044e3382de048e47c55399778571df3
SHA1 bfe4fc0b7f15f42a500a0c3aa5268b60b5e79630
SHA256 a72701e5fe3afa869c8a9517e5a7b2575f14825a70d288bb025983f74ec8c5d0
SHA512 a65dd8bc328684e31e8a952a7c1ec1286f72b1cd7d3ccbb761dd355116341c3b10ff2d1e5746acdf51cc1b3111c464eccf6b623d3aa88089262036cb9e0c25d6

C:\Users\Admin\AppData\Local\Temp\QeQgwAEc.bat

MD5 d0e45b2e20e81a54f7cdfe1c2995f96e
SHA1 3c24acae7f523a1859fb0ebcd814f2b8501efd80
SHA256 c9f26749a1e34d4d55f5d78ba9016998b19261b1d7016996d48c0205b9719429
SHA512 36c3887f5be73dc0d24537770e2353cef0c419935a057d44db7a35076edaf7ed9a9fb4f6bfd280428bfa08fc369e6367016eba086a507abb86f91d651625dafd

C:\Users\Admin\AppData\Local\Temp\vicggkMI.bat

MD5 7c38b344de45959c288997c572aceed6
SHA1 a7f9339479d22ab3b75bfca2dad27cd564a3899d
SHA256 f3df1852fd7f9e6ab3eead85609964ebc7aa0960bf45570ff353954e48081277
SHA512 fb904620349eff4de6e55985776adfc3bb521b8a7f6bcef20b142bebdcbae9e519711dcd0de9a80142697bac332b652959458993693a25e45a7c54a20626a09a

C:\Users\Admin\AppData\Local\Temp\HKAssIQE.bat

MD5 483f16b0e632e4495556177917c7b7dd
SHA1 def00342246c2e2ab99fca91b00b9dc0a0c762fc
SHA256 4752798bd22317edc21894691e51af226a94b9afe20990e8bba11be8fa18ed77
SHA512 3e7ff51802487456288990c6338b961205618e6400d4695259354fd828b0e17a84e0daec94405c2f55658901f8086985cec82c167089227a3d2e7ec87a06b67a

C:\Users\Admin\AppData\Local\Temp\WqIQMMgw.bat

MD5 0fe97000683c6a1046d353b8ac288e45
SHA1 a49eb33e5de4e03cf02e7d42d6fc0244d93494f1
SHA256 83c24a6886f1016c00bd3f241f6b733fab99f4566174dfe79af591faffd54475
SHA512 21bd2b6a33f60d4b35f0629ee4ac363f283dbb351e5c10cd26a3441424f000bb4c23845059879fe7c6046884285c382bb2175cfff570691a193a38d3c26585f2
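
The dropped-file listing above is the raw material for a blocklist. The following Python, added here as an illustration and not part of the sandbox's report tooling, parses entries in exactly this layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump entries skipped), checks that each hash has the digit count its algorithm requires, and tallies the dropped files by extension. The first two sample records are the kosY.exe and iGAMUQMI.bat entries from the listing; the third record (QQQQ.exe) is constructed with a truncated SHA256 and a missing SHA512 to exercise the validation.

```python
"""Parse a sandbox "Files" listing into IOC records and validate the hashes.
Added example; not part of the sandbox's own tooling."""
import re
from collections import Counter

# Expected hex-digit length per algorithm.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

# Sample listing in the report's layout.  The first two records are copied from
# the listing above; the QQQQ.exe record is constructed (truncated SHA256, no SHA512).
SAMPLE = (
    "memory/2336-1598-0x00000000002B0000-0x00000000002DA000-memory.dmp\n\n"
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\kosY.exe\n\n"
    "MD5 1ffe2f725891dc865e8e06d0d61b5e9e\n"
    "SHA1 21738dd85786367ae85e8ab08b09781d17c0f2e9\n"
    "SHA256 2230499bce4e7f37c77fafab3f8bd24169bea85ad10253be40f266608ae889ea\n"
    "SHA512 5738d1574d1d4de83b507ddd7b4dc02bd9be2c39b77a11105de7d0a4239d48be"
    "1b7fd69bcbd9004c96ef1f976c78703bebdcd7f7fdd0950d7ae7a62a2aa958f6\n\n"
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\iGAMUQMI.bat\n\n"
    "MD5 58694ba59727b286458de82acf595f2b\n"
    "SHA1 ae3bb5dac66f9fb8bd178d8b8669845ffac70451\n"
    "SHA256 837e07c45bcf9237aa708a85853d214548b4753fdf984581a4710e3ae0490700\n"
    "SHA512 5bc662f36475122b25911fb152f1e086fb62762503b938234b6271b3b7d8e2c4"
    "96f387e911b4b678dfe829856f2277bd5960e06cb1d8046a33a2494b0020b786\n\n"
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\QQQQ.exe\n\n"
    "MD5 " + "0" * 32 + "\n"
    "SHA1 " + "0" * 40 + "\n"
    "SHA256 " + "0" * 60 + "\n"
)


def parse_files(text):
    """Return [{'path': ..., 'hashes': {algo: hex}}, ...]; memory dumps carry no hashes."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None  # dump entries have no hash lines; ignore until the next path
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def validate(record):
    """List hash problems; an empty list means every hash is present and well-formed."""
    problems = []
    for algo, length in HASH_LEN.items():
        digest = record["hashes"].get(algo)
        if digest is None:
            problems.append(f"missing {algo}")
        elif len(digest) != length:
            problems.append(f"{algo} has {len(digest)} hex digits, expected {length}")
    return problems


def summarize(records):
    """Count dropped files by extension and collect SHA256s of fully validated records."""
    by_ext = Counter(r["path"].rsplit(".", 1)[-1].lower() for r in records)
    blocklist = sorted(r["hashes"]["SHA256"] for r in records if not validate(r))
    return by_ext, blocklist


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    ext, sha256s = summarize(recs)
    print(dict(ext), len(sha256s), "usable SHA256 values")
    for r in recs:
        for p in validate(r):
            print("WARN", r["path"], p)
```

Only records that pass validation reach the blocklist, so a transcription error in a report cannot silently become a blocklist entry that never matches anything.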

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:01

Reported

2024-10-18 02:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(This identical write of HideFileExt = "1" by C:\Windows\SysWOW64\reg.exe recurs throughout the table, once per reg.exe invocation; the repeated rows are collapsed into this note.)
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (64 identical rows)

Renames multiple (86) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
N/A N/A C:\ProgramData\hYEYkkkU\EEwIcwcA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" C:\ProgramData\hYEYkkkU\EEwIcwcA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuUUsMMU.exe = "C:\\Users\\Admin\\FIkcAwsM\\GuUUsMMU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aoEsQswU.exe = "C:\\ProgramData\\BqowMcYg\\aoEsQswU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
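The reg.exe rows above (HideFileExt set to 1 under the user hive, EnableLUA set to 0 under HKLM, and the Run entries pointing at C:\Users\Admin\CCYEoIoo and C:\ProgramData\hYEYkkkU) are the registry evidence an analyst pulls out of this report. Two caveats when reading them: writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System needs an already elevated token and EnableLUA=0 only takes effect after a reboot, so the "UAC bypass" signature means UAC is being switched off for the next logon rather than bypassed in-session; and HideFileExt=1 is the Windows default, so the value itself is weak evidence and the signal is reg.exe being spawned to set it. The Python below is an added example, not part of this sandbox report or the sandbox's own code: it parses rows in the report's "Description Indicator Process Target" layout, collapses repeated rows into counts, and tags the behaviours listed above. The tag names, the Event layout and the SAMPLE_ROWS fixture (rows copied from this report, with the first two repeated) are this example's own choices.

```python
"""Triage helper for sandbox signature rows laid out as
    <Description> <Indicator> <Process> <Target>
Added example, not part of the sandbox report; tag names and the Event layout
are this example's own choices."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:int|str)\)|Key value queried|Key opened|"
    r"File created|File opened for modification|PID \d+ wrote to memory of \d+|N/A)"
    r"\s+(?P<indicator>.*?)"
    r"\s+(?P<process>[A-Za-z]:\\\S+|N/A)"
    r"\s+(?P<target>[A-Za-z]:\\\S+|N/A)$"
)
# An indicator is a bare registry/file path, optionally followed by  = "<data>".
IND_RE = re.compile(r'^(?P<key>.*?)(?: = "(?P<data>.*)")?$')

USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\")
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")


@dataclass(frozen=True)
class Event:
    desc: str
    key: str              # registry value path or file path ("" when the row has none)
    data: Optional[str]   # value data with the report's doubled backslashes undone
    process: str
    target: str


def parse_rows(text: str) -> list:
    """Turn report lines into Events; headers and section titles are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        im = IND_RE.match(m["indicator"])
        key = "" if im["key"] == "N/A" else im["key"]
        data = None if im["data"] is None else im["data"].replace("\\\\", "\\")
        events.append(Event(m["desc"], key, data, m["process"], m["target"]))
    return events


def collapse(events) -> Counter:
    """Identical rows (same description, indicator, process, target) become one key with a count."""
    return Counter(events)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(ev: Event) -> list:
    """Return (tag, detail) pairs for the behaviours this report flags."""
    hits = []
    k = ev.key.lower()
    if k.endswith("\\explorer\\advanced\\hidefileext") and ev.data == "1":
        hits.append(("hide_file_ext", ev.process))
    if k.endswith("\\policies\\system\\enablelua") and ev.data == "0":
        hits.append(("uac_disabled", ev.process))          # effective after the next reboot
    if "\\currentversion\\run\\" in k and ev.data and ev.data.startswith(USER_WRITABLE):
        hits.append(("run_key_persistence", ev.data))      # autostart from a user-writable path
    if ev.desc == "File created" and ev.key.startswith(SYSTEM_DIRS):
        name = basename(ev.key).lower()
        if name.endswith(".exe") and name.count(".") >= 2:  # e.g. shell32.dll.exe
            hits.append(("sysdir_double_extension", ev.key))
    if ev.desc.startswith("PID ") and ev.target != "N/A":
        hits.append(("cross_process_write", f"{basename(ev.process)} -> {basename(ev.target)}"))
    return hits


def triage(text: str) -> dict:
    counts = collapse(parse_rows(text))
    findings = sorted((tag, detail, n) for ev, n in counts.items() for tag, detail in classify(ev))
    return {"distinct_events": len(counts), "total_rows": sum(counts.values()), "findings": findings}


# Constructed fixture: rows copied from this report, with the first two repeated to
# show the collapsing; the real report repeats them 24 and 64 times respectively.
SAMPLE_ROWS = r"""
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
PID 2884 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
"""

if __name__ == "__main__":
    for tag, detail, n in triage(SAMPLE_ROWS)["findings"]:
        print(f"{n:3d}x {tag:24s} {detail}")
```

Feeding the full report text instead of SAMPLE_ROWS gives one line per distinct event with its repeat count, which is how the 24 HideFileExt and 64 EnableLUA rows above read once collapsed.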

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A
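A PE dropped into C:\Windows\SysWOW64 under the name shell32.dll.exe, on a machine where HideFileExt has just been set to 1 so that Explorer displays it as shell32.dll, is the same trick as the "Renames multiple (86) files with added filename extension" signature applied to user documents. The sweep below is an added example, not part of this sandbox report: it walks a directory tree and reports files whose name ends in a document-style extension followed by .exe and that actually start with a PE "MZ" header. The ".exe" suffix and the document-extension list are assumptions drawn from the shell32.dll.exe row; the report does not state which suffix was appended to the 86 renamed files. The build_sample_tree fixture is constructed for the example.

```python
"""Sweep a directory tree for PE files hiding behind a document-style
extension followed by ".exe" (report.docx.exe, shell32.dll.exe).
Added example, not part of the sandbox report. The ".exe" suffix and the
DOCUMENT_EXTS list are assumptions drawn from the shell32.dll.exe row."""
import shutil
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"
# Extensions a user expects to open with a viewer, never to execute.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".jpg", ".png", ".txt", ".zip", ".dll"}


def is_pe(path: Path) -> bool:
    """True when the file starts with the DOS 'MZ' stub every PE image carries."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def has_appended_exe(path: Path) -> bool:
    """name.<doc-ext>.exe -> True; name.exe or name.<doc-ext> -> False."""
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DOCUMENT_EXTS


def find_masqueraded(root: Path) -> list:
    """All regular files under root that look like a renamed document or DLL and are PEs."""
    return sorted(p for p in root.rglob("*") if p.is_file() and has_appended_exe(p) and is_pe(p))


def build_sample_tree() -> Path:
    """Constructed fixture mimicking the infected host; not taken from the report."""
    root = Path(tempfile.mkdtemp(prefix="virlock_sweep_"))
    sysdir = root / "Windows" / "SysWOW64"
    docs = root / "Users" / "Admin" / "Documents"
    sysdir.mkdir(parents=True)
    docs.mkdir(parents=True)
    pe_stub = PE_MAGIC + b"\x90" * 62
    (sysdir / "shell32.dll.exe").write_bytes(pe_stub)                     # dropped file from the report
    (sysdir / "reg.exe").write_bytes(pe_stub)                             # legitimate single .exe
    (docs / "budget.xlsx.exe").write_bytes(pe_stub)                       # renamed user document
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # untouched JPEG
    (docs / "notes.txt.exe").write_bytes(b"just text, not a PE image")    # double ext but not a PE
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for hit in find_masqueraded(root):
            print(hit.relative_to(root))
    finally:
        shutil.rmtree(root)
```

The MZ check is what keeps a renamed-but-harmless file (notes.txt.exe above) out of the results; checking the extension alone would also flag it. On a live host run find_masqueraded over the user profile and both system directories, and treat a hit under System32 or SysWOW64 as a dropped binary rather than a renamed document.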

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (26 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (21 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A (12 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (4 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\BqowMcYg\aoEsQswU.exe N/A (1 row)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\CCYEoIoo\bakYMEUU.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
PID 2884 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
PID 2884 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
PID 2884 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
PID 2884 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
PID 2884 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
PID 2884 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 3908 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 3908 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 892 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 892 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 892 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 868 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 4620 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 868 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 868 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1176 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1176 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3588 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 1700 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 1700 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
PID 3588 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3588 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"

C:\Users\Admin\CCYEoIoo\bakYMEUU.exe

"C:\Users\Admin\CCYEoIoo\bakYMEUU.exe"

C:\ProgramData\hYEYkkkU\EEwIcwcA.exe

"C:\ProgramData\hYEYkkkU\EEwIcwcA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYEIUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOoEgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEkIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaMUQMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIIAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEoskUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQoUYAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQEQwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOUMkUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIMkEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe c34f4226b77e91cb46f990f28417cc51 BeW3/KVSSUC2vbP2A/sSHQ.0.1.0.0.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCAQEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYgowUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cooIIYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIAsUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oooEkQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwUgIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwwQssAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nscUgIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe

"C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe"

C:\ProgramData\BqowMcYg\aoEsQswU.exe

"C:\ProgramData\BqowMcYg\aoEsQswU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4744 -ip 4744

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkMEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 224

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOcUgMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMwIMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIUAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcoQAQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYMksgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQwIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoAYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIcAsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMcYMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsQQIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwAYAckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiYUEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bggYAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcUwQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoogogMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueIYQowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQYIwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYcUEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIckscsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiwQscwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMoMAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOQcIsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aycQYUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYkkoMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkEkAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zmwkgkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAMQYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwcgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYwYgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewwIQkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYogkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIUAoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TisAcEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUkQkUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raMosUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuIwgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaUAYoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AScAwsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOoMQwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMUUUUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIgcIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCYMIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqYEYoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecoswEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyMEcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VocYsggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkUIMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMQcMYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMgEYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcQYooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiwAwkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoUsQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUsAIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWEcsMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FecEUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUMAYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCQkowQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkwIQAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skgwIcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgIQcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAAoAQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vysYAQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAwMcYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgYccAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUQwIEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOcEYcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEIwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYIsIAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOowgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buswwkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwkIMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYEcYMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMkwIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkEYkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwcccQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwoUEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rokcAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcAMkAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiQcgcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYwwAIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53           58.55.71.13.in-addr.arpa      udp
BO       200.87.164.69:9999                                 tcp
US       8.8.8.8:53           google.com                    udp
BO       200.87.164.69:9999                                 tcp
GB       172.217.169.78:80    google.com                    tcp
GB       172.217.169.78:80    google.com                    tcp
US       8.8.8.8:53           71.209.201.84.in-addr.arpa    udp
US       8.8.8.8:53           78.169.217.172.in-addr.arpa   udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           g.bing.com                    udp
US       150.171.27.10:443    g.bing.com                    tcp
BO       200.119.204.12:9999                                tcp
BO       200.119.204.12:9999                                tcp
US       8.8.8.8:53           56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
BO       190.186.45.170:9999                                tcp
BO       190.186.45.170:9999                                tcp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       150.171.27.10:443    tse1.mm.bing.net              tcp
US       150.171.27.10:443    tse1.mm.bing.net              tcp
US       150.171.27.10:443    tse1.mm.bing.net              tcp
US       150.171.27.10:443    tse1.mm.bing.net              tcp
US       150.171.27.10:443    tse1.mm.bing.net              tcp

Files

SHA512 0b42c222395693b608a1987095cd6a431f62f9b9e9900d452b627afe62ecb17ec10cafece2994e789b74e82b49cfb8e9b64760ab8bdea47d8c2313b7117f1a35

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

MD5 1d7349fd0f3f0fe1d43bf9c14dccc6ce
SHA1 86eb484a93be30451b4aa84ccedb4ea36ee457a0
SHA256 1456bd9384780e7a6147446662294b55b889713d3d54bb0965653a6660790c6e
SHA512 5a1998132b22053e14ce4973720fe32169819ee6fd6d551c2130befda532aaa73293c284c4282093e3b0aea9ff9ed4259073975b05175f48004e9107af1bb1bc

C:\Users\Admin\AppData\Local\Temp\OIks.exe

MD5 4094a58f94832525ccc3ea269d63023e
SHA1 3bcfd53831f91819131708028dddb88fe729cb10
SHA256 5e0498e2cc81618fb8f857dbc90e636da94d1a2c97304ab6be14bd0cc57a6b71
SHA512 8864d75c325365ff2fe7600e294a93e7216993057d48b14126ba998c13b3561b2df8d6fd9005af3a38116386a183a58a780407ecd3522d8679ae70d694497e53

C:\Users\Admin\AppData\Local\Temp\iEoS.exe

MD5 5ad6719f8f82f79cb1f1a9877a472fc1
SHA1 3c679bf029b1c11769f9be7dda5bd7b50dfa111d
SHA256 e33f6a93d688c48952789b9f3665f11231084fa4edf1425607b5df5004826c4b
SHA512 1e2f82caad70a78cb38a3354d1a4771cf24735de1db2900437668472c88f56d865a57121d836e4e7af1fa159ef9c95baacb6040f4fbe0923e357cfb186dc3535

memory/1408-1829-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CcMC.exe

MD5 002042a8d107091f04efb0c27209c61a
SHA1 b48c7e2836c9af89c7e7e81ae4cab648ac68bed8
SHA256 e8b1eebf2f5c021a1193a3c3a9e8f9776962232db854b9c0dde2d5155c5e3f96
SHA512 72a24b91a8e893e94be1c20b9de028a0f7ea45a5fd089203c1c1bf7eabfc3737eae53cd7993f2635e47a6ae4e67ea19c6a24f5054c9e119f709b4a740a60ac8a

C:\Users\Admin\AppData\Roaming\EditHide.mpg.exe

MD5 e2d24d652fc72b6da374083c8bcb07b9
SHA1 40cc2a52d1d803992789b7d51b015a8649a15cfd
SHA256 cf9ad883789e34da46308d095a2422278844cab6414ec0fab2cb70bce26a5388
SHA512 76916a7eb4ab44801791e24a3ac893c44996377e74d31d9a21eb74157c175e4d91c928587ea1487f1bb17498dbe7da30a559df55d5b30136caeaf2b24b946342

memory/3376-1866-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1376-1862-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwsc.exe

MD5 3a13a81f3361aed84446566575cea242
SHA1 842a4054d6e4cee3d097872a8c7e77cb92d8547c
SHA256 e98d086d2ec18aa241337ba89290a236c912dac37776b9df3d823da0487d2357
SHA512 c1d26d6c9a5742338c43df32f035f341d7134a06f91828212da4ecdb7e092626d525886dccebaab5310892d5e3ae63f15dd3b6e7aaf9f8751be613397a42aceb

C:\Users\Admin\AppData\Local\Temp\wcUi.exe

MD5 67583457b826d8bf7908d73e6de8b0fa
SHA1 412c32fe0130171a1f9d8af959faa1fe4821456c
SHA256 e48655f4e1948a44720c9ef27b4ba277fef2176fc61fee28b58ddfb39c37f4e9
SHA512 3af3435e4d694b10bbf65b8214c5f2cf6f964850d693aeaa9c34aa79382d44fb680946e4846c25aa8c12ba0908f836277c2ef966a839db87f67c9a76d4afcb0b

C:\Users\Admin\AppData\Local\Temp\mUUI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

memory/1376-1902-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1860-1918-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EUcY.exe

MD5 2c6908efa8f41e0b5186afbc584597a1
SHA1 5dd4c62c847c5ac0c1732d254fe092c92407b37b
SHA256 e36ea249a0fa1a918c0f738aaab7997478f720c71d596c39e7f68a6929f537bd
SHA512 3c4b2ae2924f593efb513518f34fe7d5fefe80ccb7273d34f8453bb25a6b4bd317bdd0cf488cb5f71cda5e080eaf4a1a1a4793fb710cadbb7802b0cd1616e436

C:\Users\Admin\AppData\Local\Temp\CcUu.exe

MD5 f6ae53507dc6141603e651deb24dd4ff
SHA1 b538798257c79650fc28f70bc17bde437b5bceb6
SHA256 0c5d484b4e36907655c565bef6bd122a590169967cac5b7de06a0f7ca3ab8495
SHA512 5b5cb513b1a415ca21f4ffc1f7867d2142b4052ced0796b1087ddde8bf39426e2bf3ab2eec555bf95fc1e78be1fa3bb617aea7aea3ef53dbd2ea46d846f840ac

C:\Users\Admin\AppData\Local\Temp\cIYY.exe

MD5 013a5383af407dcacb356b279d76ebe8
SHA1 cee735aa82f066c605ae6b6e70173f05f03bd29c
SHA256 cd0ed61ab8e9f34bac33442577124378f1057ef5a31edc8c74fb3cb0be40324f
SHA512 bde4613db245ea60d4c000eee43c5a149382475e9404dc56a22157847f1b2e360ac116d59814be3c833b203dbadd4edee288948f4c6c40c5dd76181681426db1

C:\Users\Admin\AppData\Local\Temp\yUMq.exe

MD5 a67be8326d71d77e0b80a3ee4289e22b
SHA1 d0e6f45f49f96527b836eb17a030ff3d2aa74502
SHA256 11a5e53664f09c98c8b20fcd830a6084fb86137904f558c294f6ce27b7599883
SHA512 2f4bec455a1045faa2e28ad0eff64114ba8345da8e184b82960582458a48e918baf5a42cc0901dfa679debc25173fba59f27e44a7286a191ec3d83aeea1700b3

memory/1860-1968-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4652-1967-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ycsO.exe

MD5 11d85b8389660f72d3ac965b713fab3d
SHA1 d4af3461b7895258472af03f2ff8c059cc48eefd
SHA256 2d19bbfc9f56fa73f72ded496dc13d1ff45bf94cbc21377637618ee7e9530a56
SHA512 a9262a090439574a924d105ca42f0893b33d3a93f596c1ff2d8645ab50f281312982eb6459226b62801c8c4b672759fc66df0a35410cb4e29953a2ebaf939144

C:\Users\Admin\AppData\Local\Temp\ckYy.exe

MD5 3771f1a7a73034ebafe2b369c26c0034
SHA1 414edb92b939440aba4ca4d4a662ec01ace1f3d5
SHA256 54ae1ce20ae707046bd77c7735937667c7d35f2d49fc4065d2d872359546a654
SHA512 f3f1d1a91fdd6377af0532fe8d3b63b89747b5ca278bab331f310a52101601287f69bd354090dae895d84a75b0df0aadbccaf2af90f504bcff6b8df6001385ec

C:\Users\Admin\AppData\Local\Temp\YMks.exe

MD5 35efc104130e785770dfe885cb24dedd
SHA1 7357c17be2c9f52066e202cedc0c4b97a37d86d0
SHA256 606b574cebe5f031958acea5e63fc1c41136b17567591bc23deef6a4d0f129aa
SHA512 9b10076567107116df381224bf5c78800f523a984877f1831b9d462d00daa25e30c083fea6c1c2a959d270638b16ebbca3ac8ab955966903e83ee0298ab019dd

C:\Users\Admin\AppData\Local\Temp\woUQ.exe

MD5 14ac46ace16eddb53f665892b273120b
SHA1 890b51308ac22a63354bc62d80cadd8dfae7caeb
SHA256 0eb3953cafd3df5c9f113c824d15e1ff787596f4bf46d842fb0067ef1dbf47a8
SHA512 e72e6aeea31015b0cd5f70a22f52e71b90aba37824c8419cea87d95744f448dce7760609f7eea97955ef69f8ab27eb933e008a11b5aa39cee793e05d4b7dd981

C:\Users\Admin\AppData\Local\Temp\ycAq.exe

MD5 0d42b09f70c7acfc6709faf3724f197e
SHA1 ddb4e077f1d7e590a1852908e19874d36b0ebdfb
SHA256 a6085565fe0a2d3c8c4f569d03ebe658b7d458644a23f34d885fb8009fff791b
SHA512 3629e29c1952615c9772f6f88a65960e8eb4debb5057011a6ecfda7dac28ffeacca44ca92cc95b0a4456b89bb46c73b903988fee917f965eab53f6faa1608197

C:\Users\Admin\AppData\Local\Temp\WMIc.exe

MD5 9ef1c6bf317235cad6e55f2ed4acd5f7
SHA1 68de1a17118dd568920f5018428cd917ccad0af3
SHA256 bd6aeff29176c7ef8058ba94ffb507b362500790cbfaba48446829e39ebcf447
SHA512 4ea5e859db0aec101b07025e2de711597978ebada44f37b0dec74bbd37c8ea21fa586986aeca719386798f6791d77ac7175dff4e104f0a041acfa3905d500cc6

C:\Users\Admin\AppData\Local\Temp\aYkU.exe

MD5 4e8d9e6964c05e24774aefca3a3176f0
SHA1 94829561a1d6141d0b40bc3f23c4de4a67ba7a9a
SHA256 207f24be707f32846f0b59e874c3e63b223671c37c170f2d496bb590140f0f1d
SHA512 58b9d3a177d90a91e4d031c42572912def8581eb1dfa1dc336dce2c764af72ef08fb55f5ce909da761932490e2c423362e9128ce55c6cc899e10ecbaab5df806

C:\Users\Admin\AppData\Local\Temp\IgUM.exe

MD5 bad64d6026c4b678e391cf34912a324c
SHA1 573a957d055098676eb8e090ca85f745e82f3679
SHA256 738eae3d54fde64d75d6f83e8dc0ae6fd4eb6a2ddc8fd593928b3255af470848
SHA512 7fcb9c9a37d6bd85799a95348d35373376219d96ee313ebabdd74526ca5d3368b96070ae61c34a60869aa878e207938d4ca41913150c7281d02115f3b76c9d1c

C:\Users\Admin\AppData\Local\Temp\sgkI.exe

MD5 79bbb44bef830a264425b4579d4bedd6
SHA1 19cd31bcccf6de4ec9d2cc373159684d75ef8cfb
SHA256 d0281b696a24c220d26dfbde2473c198396475454522381f36cac7938c5410b8
SHA512 924831e62d842e90cdf0490b246ca1504afe4d1fe6ad059302bddb6e7fd7fd9997dac748409df93a37427c7cec976fb011a8d31639d0b95428653899e2bc4422

C:\Users\Admin\AppData\Local\Temp\KsUS.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\KkIQ.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\qAAa.exe

MD5 75659bfc7b0bd74ac6dd0781d87c7db3
SHA1 563d70450ea174745b999e92f0483a50be08db29
SHA256 44bb10f6693ddea83469bb9c411ec4ce96290e731311acc4336c965bc8688290
SHA512 0b08f7f0db498ff38f05a69dcb82c9c6a98ee10a7f7e9dc53c16ebaaeb541bdf8fde35d4c30e7200ed75dc18241f7e43fdc404d44be47073fb0669c3da9dbdb7

C:\Users\Admin\AppData\Local\Temp\QIEy.exe

MD5 d3c389afccdc226ccf378770f19b1b8f
SHA1 1382c4b2ce9de8501eeea76a9191c232bf4c6d7d
SHA256 01092c718c6435f5607c3dc85c7132b7f5ae1385301f3359d489df35fc9d38cc
SHA512 b2d6387bd8d877af7762727bd2f3c18379c9243177e70e19c45efc986d4144fd27f6916b569d0ed76cbb5820af3bcc386bc5821a8ed5bf9ce25b2f9bb5897545

C:\Users\Admin\AppData\Local\Temp\CEMM.exe

MD5 fa7bf160f0f68aa17db8b6b0221ae0e5
SHA1 c45906f387782baf8f25acef83cbe058b7c2d676
SHA256 e864be2de585a7c2bf23496d7bc4d96552e1dd8edb24682696010e1d1ba28aa4
SHA512 520e3c04340d8b8f7d044d105e179eb03b420f490b49fcbc3544a28f3d36992ea86c49c5308fc5a928399c2d0e6fea54a11b7befbcbc95486cc3d1a70f0e0813

C:\Users\Admin\Pictures\UseSave.png.exe

MD5 b432533be40781a88aac00607233078f
SHA1 e4ea3aff641857a91534a24fb040936b91af10f8
SHA256 aceab3b09c3b0704cc0d491c2acdb6b2a2c5970717c45b965ded9397828c62b2
SHA512 1dc1389df98ad0940ee269627360c3aa91e2bfe3707ad767f561cdf4ed436135ea2d0f923be4935c532a2043b66acf7c8ebae5604c2a5f6767d134cd40192e8b

C:\Users\Admin\AppData\Local\Temp\MUcu.exe

MD5 c64d1f1d29452f37f2a22a694c9f87ec
SHA1 8cc73a9ba9c4d7bffc1e63c73dffb414035003f6
SHA256 bfd2d49afa1204e4b9276dda4099f62243303f1e65f1f624a00b478f985ee2af
SHA512 b896b4b75e6997cacbe0274e32313afe3aafc7b14f6e243ec62225d4a4e6da8f5dccc7821415c9d009080a186b241281c7cac15478bc4aabbe6c54dc0989fa6b

C:\Users\Admin\AppData\Local\Temp\EocG.exe

MD5 28c5f1c136b63c5a294661efc4900538
SHA1 aa68d305b36450f565dcbab59b5979ab5960763b
SHA256 daba5227370c6e099112cee59e0221f23a39436564feb43348c6894a3c162ce6
SHA512 d4ce0c4c27a37d713165e56a7240419d0920bc90f8534ed90325e37f1959d7821743e696f00225f0ff6b214143565f90d136aa30d531cef22b2c97126eacf725

C:\Users\Admin\AppData\Local\Temp\wsUi.exe

MD5 7fb2937f8cd3ba3d44126618bd7c1680
SHA1 6920a1d12b834209a01bc75104b29864b80e122a
SHA256 4cc4994f1d78842bfbed8e23ffbe83bb0d4ced21f5620ddf925adc165d2325e7
SHA512 cf86fb70c4c962c9b059187dbbecb3d027fb9369d7524b562b8f0fd61b5699dad2b9fccd72249ca002dab0c96ff277f449d30989a2e66f5c747337168360c49d

C:\Users\Admin\AppData\Local\Temp\OAge.exe

MD5 6f2cf5bd0b758d8cd7e072d1229f1854
SHA1 964c721198fc23a3f9b25e84d19035498ca7250a
SHA256 097abc9d6fa095b281628fe602dadbfe6a764f03d1b42a6bd7e5445499cf5bbb
SHA512 6ed05b906d490c4f2e168f629d22549d695f05b963061974118e3e905691f8f5a7abca410b49d1e5eae3d0404f1d390a09043b4e938f1accf3b7c2aba3cade0c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 28a324f8965b2cfea87dc52718465c03
SHA1 8237326d5c9861dbf361a87fad7c5e5f306cdb6e
SHA256 26432fd3412c5a26fdfed4ed5d963f587b2d5dbba112f8cac6f01f01164ddb81
SHA512 f7d33a00298b90b638758c34ba3c92c1f84d0268e11bff68065336dae6da8f486e2456c64382dd8213875fa9b71f467681657dc0657599f3d82bd0525ee0bb4f

C:\Users\Admin\AppData\Local\Temp\KEAu.exe

MD5 cebfab08c0f3e113e63f79e92b2f1880
SHA1 db592a7b651a8cba6749602b24974090523f6a4e
SHA256 aa1f59d2f5452278ae51b7e499705e2e42e465a7624686559bc982c8220761a0
SHA512 0bb09f827c166c8b2a765e5352e6c6befb6f11f528f0c38a5c6856ade6b07d8f20c409098e83592d6d5fd3b00c725ecf1ca7edbca5da9c9b18fb9ff3a4c3bc22