Malware Analysis Report

2025-01-22 20:31

Sample ID 241019-2n3mjawaml
Target 2024-10-19_42de2729a8457deb93859902fccecf16_virlock
SHA256 d877d424e6836255f8c4ad38414f94e74de49d270f0c6d6dd49b4f0e3a0aff0d
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d877d424e6836255f8c4ad38414f94e74de49d270f0c6d6dd49b4f0e3a0aff0d

Threat Level: Known bad

The file 2024-10-19_42de2729a8457deb93859902fccecf16_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (84) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 22:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 22:44

Reported

2024-10-19 22:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (84) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\sCkgIgQc\waQQEQIo.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waQQEQIo.exe = "C:\\Users\\Admin\\sCkgIgQc\\waQQEQIo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AgEAwMsc.exe = "C:\\ProgramData\\BYoMIwEY\\AgEAwMsc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AgEAwMsc.exe = "C:\\ProgramData\\BYoMIwEY\\AgEAwMsc.exe" C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waQQEQIo.exe = "C:\\Users\\Admin\\sCkgIgQc\\waQQEQIo.exe" C:\Users\Admin\sCkgIgQc\waQQEQIo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A
N/A N/A C:\ProgramData\BYoMIwEY\AgEAwMsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\sCkgIgQc\waQQEQIo.exe
PID 1176 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\sCkgIgQc\waQQEQIo.exe
PID 1176 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\sCkgIgQc\waQQEQIo.exe
PID 1176 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\BYoMIwEY\AgEAwMsc.exe
PID 1176 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\BYoMIwEY\AgEAwMsc.exe
PID 1176 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\BYoMIwEY\AgEAwMsc.exe
PID 1176 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 4960 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 4960 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 1176 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4304 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4304 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2680 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2680 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2264 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2324 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2324 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2196 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

C:\Users\Admin\sCkgIgQc\waQQEQIo.exe

"C:\Users\Admin\sCkgIgQc\waQQEQIo.exe"

C:\ProgramData\BYoMIwEY\AgEAwMsc.exe

"C:\ProgramData\BYoMIwEY\AgEAwMsc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMEYEcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYIcsAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwgkEEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMgsoAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuoIUoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCUEQMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqgoogEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgkEgYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkwYkgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XScwsIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWwcQcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkIUQYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOQMkQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMUUUAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYgAUUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeYQAYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEscEIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQYgEMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKUkIkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqQAQwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWYwAUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KigEUwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIUQQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIUEUkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwkwQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkQQMssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMMUEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOUcMAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkAkIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWQYQwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZswEcwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owgIkEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKYsMIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoscUUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOYYkMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\logIIEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEgUIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQQAwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEQIoUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGgQMQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMcMkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEsoAYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUMkMAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsgIkMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEQscwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEkEsIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCQsgIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUcQAIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqAIkQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaQokYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuEYEAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeUMccYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEYEYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmAwcUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KawswQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAUAcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgIgQYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faQEAwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xygcwgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoIUQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GicEsMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQkwsUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCgoQgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKYckYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMcMQEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOYYoEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAoEEooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSUQwMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCgQgcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIoUoYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMoEMAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggkgAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RekkoccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqQcgUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqogIgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AewkQAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fagowMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAoEwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuoAYIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGUIwAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSMcYgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwwgAIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iegYgAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYkQYAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUsYMYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmgYgoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcMcsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeocsUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcwAkwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMUkssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeYwEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcAIQUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSgwwYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGcIkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCwcsEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv xqwxrUy0ykmwqD/z4I4eQw.0.2

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.46:80 google.com tcp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/1176-0-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5060-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\sCkgIgQc\waQQEQIo.exe

MD5 2227b1dad1acc43bef49a1e43d16c9ed
SHA1 f86fb927058c34cd513e03c361d68511c124e642
SHA256 a5fb85d8b5676553f310af309274339ae5e4aeeac06f623e2efd125f94a5d40b
SHA512 39e6ffaebe03ddf637e43e6daf1b8cf2f2931eb5f86e7d8835d8dbd3ef3707538ca724dfe2fd8c9022307db009fe3daf3c51ff1d399ac7570ef46ad0b6ab399a

C:\ProgramData\BYoMIwEY\AgEAwMsc.exe

MD5 6c32ba3674ae8d797ff24d1cd76cd9b5
SHA1 e8ad7b79a42c11f3a82c89950006fcfe075e3bd5
SHA256 0bf672110e741ac05b4f2553f88e2656bc11abd21909a3eaba16c43021a82a04
SHA512 c0a663ff55b09adb6c7a38d9584d4c2f02f32686eb34ede430492d62facb3e0e38c135dd415fd98a4ceb9f4ea8266eb3687a4f6ba817b13006e086a5be87a35d

memory/4972-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1176-19-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eMEYEcos.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

MD5 8969288f4245120e7c3870287cce0ff3
SHA1 1b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256 ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA512 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

memory/2196-27-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2264-31-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2196-41-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3264-43-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3264-54-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5016-65-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2476-76-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3620-87-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2888-88-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2888-99-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2392-110-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2420-111-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2420-122-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4048-133-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4000-144-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/948-155-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4532-156-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4532-167-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2296-178-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4700-189-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3888-190-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3888-201-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2116-202-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2116-213-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2968-224-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2280-225-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2280-236-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4484-247-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/376-248-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/376-256-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4048-264-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3904-265-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3904-273-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2616-281-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3172-282-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3172-290-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2948-298-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1160-306-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3452-314-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4100-315-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4100-323-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4948-324-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4948-332-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2948-340-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3048-345-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4168-349-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3048-357-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4656-365-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2036-373-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2908-381-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3400-389-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4324-397-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2920-398-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2920-406-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3168-414-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/368-422-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3116-427-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5000-431-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3116-439-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1936-447-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/312-455-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/5000-463-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4156-471-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3404-479-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3152-481-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwQa.exe

MD5 a86a0609dd77d3814790c0dfd3594847
SHA1 a4c5223f586824e1dc641729af1f95a07c0022e0
SHA256 18557bcf960f66910a639923b666c6332302bdd41e30ad174e7126a035f4a67f
SHA512 9346c30564f6f9f885bf12ab1fb3b88b56e9f066fb147b952bec464aa65b7a6ef9de3ed75a7ca6b93faf3b5c581828d0d6c8867c781ef8b191a240740a35c350

memory/3152-503-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUkU.exe

MD5 7d6f05626fb9715ecc6e763dbd597d67
SHA1 cda0718bbb26f9e4db97f3e9d0eb912a93796bd7
SHA256 df7878ba9beac7e83498b56e6b734ff5892b2a47db227b35c8a48860e5bc8d8e
SHA512 f1be7dcdb6aec7f8500361a298ebf8f64dd210521260f34e246bec17962297f1ffb2d1ba93657955f71145cb55dedf7d47e0951c45960c0577aa19f1a28c8288

C:\Users\Admin\AppData\Local\Temp\aYgm.exe

MD5 2f15bd6246c6bff2fc282132d43288e6
SHA1 c599983cea472484ba4e91edf7eb769e4629f320
SHA256 aae20ccc9b9232a04d9d38f55f71a913fb237bdb5d499c3b73007be8678cd244
SHA512 dad389524047bb31a162b123be1cbb5466da515667406b546890d3317730054c9f8f88861c5e147c734c29b11b8050ea6f90287caa10ca671a2ccfd2816c8fd4

C:\Users\Admin\AppData\Local\Temp\QwUW.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\mQca.exe

MD5 8818c2a7c3faec7e5c34e9d69c4f220c
SHA1 fc8771917239ba74adfac8ab0f537e4c3e060f25
SHA256 7b2999a39c06410992a1d7ecfe337ee932d54787289b2600db9369d6d3299e81
SHA512 1ed33db3be168bffabac24dc0993c98906238bce5e3e6a14684970801f42ebcbd75cb371997b994040e70b5a221e3ed2eeb59b3fd9022b0a5077804655109bd6

C:\Users\Admin\AppData\Local\Temp\wUwS.exe

MD5 3e75425bd68d05744aca49faeee60c7e
SHA1 b20975871856256216b067374ea1cb6304661299
SHA256 d087fb1ef3b3655a7509e7dfef48a3fe48c722409bb63e92ae604f7594621739
SHA512 aa3f2b020d34146aa07ecc9f5c8e494d6fe688d0353bff04d5e03038c5c69e18db49b787313bd17c5580294ed8e90d44e2d5ad513b29a0f9c073fb3066a50e05

memory/4244-567-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/440-568-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CIME.exe

MD5 8384107e0bf27db07489f31737a9914e
SHA1 1c36db98ea4269fb755526e72b66c846b9df7f5f
SHA256 361157c9b8b7b2db5cec3a46e19f7958a2996fecc1663ed1803a6cac53a3b603
SHA512 e8a776ac2039d56280133b25ffc1a1a78ae5d0a47aad404d480102ccbeec0d19419ac40ea01aec89009374b0cc3e930bffb8a28037ad29ef71ec3a7975ee659d

C:\Users\Admin\AppData\Local\Temp\mUIG.exe

MD5 408e3486e386a2c490fbc0b53e94a7d1
SHA1 8a0d8dd8fbb3a44beae34e4d967c27b03db0579c
SHA256 d4a5576d00a207c4fbb0ef702419759d00242d45f87e8d16aaefbdea068a8677
SHA512 30a66174c69ed939f2793082ebcc0a8ab6e15225c91e6643ed51bcc910bb89c757497fd6d40acb9f5f9cfe48cf9272d55d8d71591420bef51a2333dd53339f0c

C:\Users\Admin\AppData\Local\Temp\Swoy.exe

MD5 07cb8f7cfbee71fb6960cc58899021a6
SHA1 4bc65537a3351c3ca27962ef349a0024bfb3b8eb
SHA256 e55a382b7da239a3c82d7f7c3fcd52c576acf5eff9e1b64c672f6dd25ccd01ea
SHA512 a59f57e2c4ee476ab02335293bd29537e9bdc978308fe20ce2cd1ea26635b4430615e6f7fd7863a34b05f3dc0104a9fafdfeb1cdd34c24ffc1d3bf44cabdfa5c

C:\Users\Admin\AppData\Local\Temp\iQAS.exe

MD5 6e6cb830865d2b04a6d41f3b9e3d6486
SHA1 1987229fad000a84909a951cec5dc6479c75493a
SHA256 da10311cb9a48406cd9890060811dfe6a755d2c17b7b430449ca7e5e3a4affe0
SHA512 8b9f672f4ef907f0140c9c390cff497492b14f1a5e499996b5399a1c228cba4fef51eb33020bc459ea8cccc5df5360170cbcc54a9bc72f6d118823636166b260

memory/4244-631-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYsy.exe

MD5 e98ad13494843f687475b22f744a7005
SHA1 10d0e82078e8d9f7d3d25e2323eaac68ea599fb8
SHA256 521f654dfbb9469cab6995abf0226377a2981c2767a1494ed24e89d93d3a7179
SHA512 9d433829be923e6dbd59fb51539bb55930ceb126663952c6e275d4fee7149bbf029710d098133f3e5f9d1253b197d263f8690731510a86425e06fa4b599cc980

C:\Users\Admin\AppData\Local\Temp\gckQ.exe

MD5 ee5f3a8a7cfe2c3d0ab0555b3b1625e3
SHA1 107ad27cb0de0f40bd9cd1aa148ec07f91e8a20d
SHA256 a6194953a703f4f915067722ade4e9c2ca1fe5934b70e69017add8a793eebda8
SHA512 cff060e8b747a263584127e6f0a7cae5ab2d10871cb61445425d581672554938f4de966dd32bcdb55c69f37a20a2dc3554f542d4cced49ff6189891fb67ebebe

C:\Users\Admin\AppData\Local\Temp\EIgo.exe

MD5 b94522454fc4bcc66abb5283d6c8a9bc
SHA1 68f3cce8a92087e6b689a0f71379dfca1a724373
SHA256 9a1a3689cc9bd148c2ea99ace37cb50418f623a0ceb93c4e1be3652cb93f9c3d
SHA512 8490e168228922ebaf1035c10aaddcb536dc20278b8698954670b393e4c26462635a85c7cb173e498ee75c7e7b3bc461b1f858b3f912eeb2264ced84006eda81

C:\Users\Admin\AppData\Local\Temp\cIUG.exe

MD5 14c69dca47bca3dad0a668e541684313
SHA1 c61817cd6fb6884ecd87fda140038c820ffc2aef
SHA256 247f7239b869fcb383a3f4b54ef6e4c39aa4b36c8fbba7da8a4f82c3b1aee698
SHA512 e46133b920f0888e6d0dc34c0b3c9fe6ad24cff19ca798c67a750a87ec78775df186552fa02c409b3d2646ed14d9748a404e045a3dbd9e4ed5d0ee1fc881eb3d

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 24f511749d692d38178f2217f6ace9bc
SHA1 4e5cef3f63efeb2799a2714aa25f12cc1ed9ab0e
SHA256 bb9d577c3ba236c9af16dfe02bb66982360709dcbc419c05c7f3384514344ee8
SHA512 08f7034f2266d25d90c13537afa9d1e0e314a990c096f159fd724fb7827f0fc8a2a996c5e423589f53775aa833c769860f5bcf11ed220fd81eedfecedf4b5a62

C:\Users\Admin\AppData\Local\Temp\ccUk.exe

MD5 7a1d432d57311e7464fdaa3361875978
SHA1 48518b179ef09331a5e069758dbd014c11a797bb
SHA256 2b8434847ec38232ab78754a05b5b9036cbbbe39e45b175df0a81633e16d26df
SHA512 8d14eb30a7b619a85e33146c770bd54e495333cd389e6997dc36022c5a7c709eab2ff7c66c695b658eab3851b1eeaaefe470b70ccbf1c6474e9e7821b9a1f429

C:\Users\Admin\AppData\Local\Temp\AIAm.exe

MD5 8e0cc9996b57beba4a4930d6135ebd72
SHA1 6fa3839cc3245ae8d2d473dfb388e49a80ec8904
SHA256 7340b142e511c408e7160af5b64d339f3bc59a072344151cd4c0ab4ba8f408f7
SHA512 18094a06dfaa4af3eae3badf1a6422adc4e8f66e70261708510ed591a6ffac009e228a55044db249ad2fb2bff694376f6215e4b5522b217a230a6ce3f54c26be

C:\Users\Admin\AppData\Local\Temp\uggi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\Aski.exe

MD5 d61321851e233dd54d2f199f8ee3b9c8
SHA1 d9f3112d176a0f3cc7dbf2ea7ef27e77c8bdafd9
SHA256 d54dafd8d636a999b6bd20fb3ba62bacbf5628e6c681b1d4a0ee431ffdc24254
SHA512 543d2b44a4b6e77254da60e2caa9ad44030720bb8ffd528c2c739e4954442cf00bf397a191723f1331d0dffc93f5e1de698a580ffbe2bebf2ac1bba80746412b

memory/3584-751-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQwO.exe

MD5 6e1d25c7d76bc4a82b09df32c884daa4
SHA1 618135248e9bcdfacbd11d54ea35a32d78aa0a89
SHA256 290371be71608c0d01499ffcacfabf464cfe27241cd07017b4a99483c5b0c6c9
SHA512 64cb0b7d252a5de49b31abb691ec58d856ee9f90274bde3d2eb23cd8af9e8669eca828d3fcb1def1960effdb6d6922ab4feb078aa18dabb42082572ade2877cc

C:\Users\Admin\AppData\Local\Temp\oEYu.exe

MD5 a77e95aa4403ff3176e8c5a5456ec10d
SHA1 5695b55815716b7600b7e7e7ba2a90828ca1a88e
SHA256 d5157c201d2dc9b1be51ae640d7ea22d1a869dfc3ebb1195d4b427bf4cab3216
SHA512 8ef3dfb150e195db211f59f1d10c274d0c03a54e8a98b6e58d5091d754d37709b440a648464190de5de121d4221f03ed423787802b618caa655160a6f4a5a727

C:\Users\Admin\AppData\Local\Temp\kogE.exe

MD5 248671e811aeb88a18395dd23c6f1c76
SHA1 9b0c2d938db669634fb1553d054210111ae52fa1
SHA256 99efab61b2695573871374858d0767d233cf4506560eb6f6ac60cbaefe9609b1
SHA512 c479210857cf51d955d588cf1906523278bf30ebe405c2b78ab39d695802202c4244cf2c9577f6692ca9313721027e85061d7a21add0be0bc73c1838ccb97bf0

C:\Users\Admin\AppData\Local\Temp\KswY.exe

MD5 2e1544e3d9a264ec9742950c06f399d7
SHA1 4a1ef4f0bf24f471ba93991d91df4c8fad8d3455
SHA256 7a3a936720a50895ee14e7b00944d3a256858ebbe4a155f6617afe5146501097
SHA512 cfe873bb6055fde125fe54bb4ac50a1b8f5ee127fb45b418a0b9e1d95378eba59b2fc0490b694bb315a8d4df5e4dd13a006344f989966cbfc0e5f46a3a53fa90

memory/1332-815-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kwsg.exe

MD5 7d86ed8958b0cb6e9fbdb6fc4591e88d
SHA1 59392135f967f311217ced537c0c99a186eded83
SHA256 ce1cd15cb961d195882898abfa19779196febeef3e62ee03ac5efbd3fbbb2a8d
SHA512 62ede90b991f962dcc3d5f091122593d1d9ee3cc140cab035870d6ee2ae3d2bd2940265bcdfe3421621e560b5f2fe2a0c0d21af492e0f6ed01fa97a617243fcf

C:\Users\Admin\AppData\Local\Temp\EQIo.exe

MD5 24e2e040fb50019ff53ee183bfde6de1
SHA1 8fbc963d21c1e8f908299cafb3a7de06619b3f4c
SHA256 c4d0fa1662bf489cabd9a2992a1ce60c3e09c2c7c162607878fd36defa7cdc9f
SHA512 4a846abd8c9fad6633ad4637ccb622c62f59dcb615beb0d07e6131209cdbe42fb44d647b42f1b1973b5f986b7ba417870d4a0b23560cf925a061ad047c3ffd2c

memory/3664-836-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usgk.exe

MD5 0da8cad301ba9a11e1bc83c2c6550635
SHA1 f7e07b83bdcd943e9f8567de4d535b38a339d416
SHA256 a4cb3d67c229b5db7ccca9933fe65392294c1315aa75443d792f5ef5992c8aba
SHA512 51d6a3000deae3ab3032d1d4abca8c7a45546054d316d3db41d9703b17ff9d6691b3529fca882d984367f9b3b0f7fce4679b5b572848791ed52b610c6a3382bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

MD5 8361f045c9148ec62f8d4e552d0be2bf
SHA1 5a661c214b6973497827fc002a78184e74cad6c0
SHA256 431eda1bdb87c34a5baea81213d8ddb0e0bd06265860c8ed4f1ee7c86f144042
SHA512 c305b8574ffbd3bf73f9370013cd5eba597ba44affa94d7197f72ef13b5e049214b1d8ec7b4af4dd6ccc789e99d6fdb2864a6bdc405cbac2a36cd462ebc67377

memory/3664-880-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UYwg.exe

MD5 ef21c5e93d218df7d401a9c82f95ea82
SHA1 65e2c245768cc968a50777536df1f2f64bfadab5
SHA256 bb699ad98b99f4c990e728f0ba907f3335dc51615837cdf26f1ed0dcace88dbe
SHA512 b22baf97b7519246734ca550fbfbbc177a81e1a8bac971423a116aa594d51bb87880a99d327e8f4325b5541f5ae5e4d2cce55e5d4d52c67fb0add8fb99259e41

memory/1860-895-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IUoO.exe

MD5 750570f5efa1d68b5db1ae1e6d6e3937
SHA1 c53f5f73a4db98176d40313b41ce2716896e05a1
SHA256 22769259a386da7d5a764db2ca9e0c210748b24a62fbab91a549bf5f0a29e8d3
SHA512 1fee307df633ac8ef4b5eca12b0628b172a2fb56016843e8ff9b5226217cde63c7a157c601af5f532340608d0075a28c5db9758e8eea7cac7687147597ef92be

C:\Users\Admin\AppData\Local\Temp\OEwe.exe

MD5 03a53d7541ccc12f4af195c4ff755da3
SHA1 0f02481bb8c427674c6b912999b4d5e934e3ecfe
SHA256 a6e6649e796502bba3880bc56e8711a48330287b98fa9969bd6105c3f5a26090
SHA512 2fb6d9da4129547ba74ef488a29cab6a87c6445ac6a159e98c28750cab396c507aca0ad291d99c27d9fe40dbc1c09cf6633a926a98092e20b4f78335ce7047cc

memory/1552-933-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQog.exe

MD5 67969fa819369e3d32e93b9572620755
SHA1 e1d16b1bb36b1f8e019daeec3ff2b7c9a62d6a5e
SHA256 e577cdf49f9ef615e496c9f63eb2de6a474d4c6420b4535a23dfc2eedd2f64e3
SHA512 11f6e369174047475615e68fb23a84b57f6f62ac90afb709190f052472ad153d127409e40e4283df0cc3f9d6cecee4ac430a2c446ca831a8a83ff6f2f4fac778

memory/1860-946-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WUYk.exe

MD5 daf49f4ddcf4f94d6a2dbcc3abc6b8fb
SHA1 3511d8ca05a1ff6b120a48bdbed19f54bd120463
SHA256 e128913225ca66b8d25471122edcb87153cdac4d9f9dce032553a1925ac76c6a
SHA512 99c9e86e805c02234bac67d6c0a61eb41b05d8c05b48f986fcfa6485926e5619d858fbb2997aede40a3eaaad34ecde79a995ae82922abcbe37ccfa1704d4b4fe

C:\Users\Admin\AppData\Local\Temp\cYIC.exe

MD5 a1fce766fab642cab8f1a5bf91c54339
SHA1 5ccaaf02c036df99ca4e2c9fba36b36ba97193cb
SHA256 7ba828f7434a71c0bed626054ff9ba5c0b2b2133ead06f4583f8fb0170549873
SHA512 1fede765589d8aa52115e2829db30911530cdf292e93dc9b1f6a1c5229a9d54114834484f86fced2fbc6ccd0c29fac1b02cf5f02e192de6ecb13bd640b867dda

C:\Users\Admin\AppData\Local\Temp\oksa.exe

MD5 aeb25844281bdf4fd4afa3e1c7f7bfef
SHA1 e7de26d784a2f7370678e8c9b13a0155d7a8bfe7
SHA256 e98c31af4cd2dc12033bf7578f46a8d2ffd19023da47f8794712551f758d099c
SHA512 67c5e8c00be7d6f2803f1194c726c8e9c059ff3343298dc9bfb470c8efd75dfd22d63c054639b4f2e8563858f2c7a41b903b44cfd651ec2daf58d0c866667c82

memory/1552-996-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2456-997-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OoYI.exe

MD5 d6ffbe44ac8cff420a0623c8d7a581dd
SHA1 48442a7d9510175492d12a9a877d42baaa40e024
SHA256 e5f3587703e9d02699510747952574970a7a5fbc6474668f65b402b1358f3bde
SHA512 81663a6c6a06b2ad003bf9a896cb12b19eda1d57189929f1da2598cc3852f51b80c46cbbfe2eafede5468cdffefe3b69f815845c9a7183c1c42d7e7a60ee10ff

C:\Users\Admin\AppData\Local\Temp\Occk.exe

MD5 47d062a4b9096c047f103b7b306055e5
SHA1 f988f32e6e7a4335a8dd79ad06adb9882da8e669
SHA256 c98aa2d43839fc25cfcf6afc1d45e89df984d4ae6c3e25cc1e477fcdee2332ca
SHA512 834d4a19c92c4347f8e7cbec660485e0d30a8b9e40f9ab3902fc9ca88d3bee7e3a7a53c29c9f81725124bc0460509a8cc15843fd756cb322995710c649b3b0b9

C:\Users\Admin\AppData\Local\Temp\Mcoe.exe

MD5 29a115d50d5e43aa29f6d8c12392e3d9
SHA1 93a03e1e96e8654bfb1728eafab988dde280333d
SHA256 93e3308c1922b77d96314450aa588ad533ba81db0bb1dc9e4ec6216e5e46f0e1
SHA512 ba9cfab804bb113d6f4e7c12240fd1a28fd0cd9abb1699960aafcfb2b2088a68d555077ba3e576c66f1e84df102458f6e22b6b3f2d0987accecf7f7c5b447be2

memory/2456-1047-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\akoA.exe

MD5 6aeb71e2a54f2ba4b9bd17c643a2270b
SHA1 8acd6048d63228a4cb8594468c378d243e651cef
SHA256 e89c319e0ad36c420313fe3379f53cfacbbee615c65725969edb5551540e6a1e
SHA512 b442414dc1e3a835dc9930ce0c99334613fc487a893268d89a45a585d894157caf932ec7346186b034502780e057fd061843b243ac2110cb2857352de659b79b

C:\Users\Admin\AppData\Local\Temp\eoYi.exe

MD5 9bc0c284db3f1a71643a868f502baf1b
SHA1 ecfeb878d9901f133a1444056c7c035c87576bc7
SHA256 fac44d046e3e173104a7c172be0c6d1b51bdb4c5aedcedb18f31ad25866136e1
SHA512 79e96c17ae81dd799798bb1fe367dec3bb68a43fb6a8a20e4938f1768aa815f90949d752bf4ec2bf41e6fdc23c2449999403b1ba5977b210690560e56a5c80cd

C:\Users\Admin\AppData\Local\Temp\QgUY.exe

MD5 8a09da336a18e1f7f198f263e3ca79fb
SHA1 5f36c2f82ff1c8c8618aa33c15ecce16529c33ad
SHA256 57168e1008394aee04c682c67fd45a4a469651d8ab5be3e2a76fa245a6f5069c
SHA512 44b4181272e6c2a3a31e8139209e642ffc9ceed35d0663f5166f113f3edd91672c5f4f2524873dc3d238c08cdcd861060c307bd54f70d8125855daec04219d31

C:\Users\Admin\AppData\Local\Temp\mEkW.exe

MD5 d948001843c10ece61d9b496f3541b04
SHA1 f7844f6938c1f1ec0cea09ccd97a5747705dc401
SHA256 7ddcc4dea924a5c6824fa214df1ad3834b9ebd7e23e222674af18f2c64f4b18e
SHA512 058fa51752c429ae7b02393174c8cf0ea40cbd24022853455c30bd22b787940a34b302efd2b9487b55f8cd1678ca583af579f8b97b174cfb9e07a225fcc0ac2a

memory/4668-1110-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kgMK.exe

MD5 9c34e835a1b40d80e1adcd47252f47a8
SHA1 67f2e6d2ed5e16afd2f0c9240e1e2d39b0a4a971
SHA256 772f6e3dafbc6df280f2d196b4ec8b91e190e8b491e76b343e9626d1e6aa99f0
SHA512 dd4a1c27e7b2f64d38c90b79aa152bf7deec93a3552777ac42263523229962e62074a8e75dcca2a0e3786dd65e77080cb6c04523d3ede1e3d63ff517f76523e3

C:\Users\Admin\AppData\Local\Temp\KYcc.exe

MD5 ba4bcfb49c9258a55ec60472b7fd6984
SHA1 1c36f62c881c6b998202ba69f152d49fc8e8b8f8
SHA256 5ae74cae5c00088206f6177845a7630cd60cf82ef9eaef0e2e92bf1658bb05d3
SHA512 6c005bf91d1e964bbc347678ed8156283db8846b3e0d7a975c08ed16f6621be65abf2d289e6cc2de7a2766d0af37d77a74cbdc95a6d9e7220ca4236f6699e3ad

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 216d7fa2aa3088c04974577c02a2a68a
SHA1 b280d9476fd1c4d81dc7e4466ac0d002dc30d3df
SHA256 0cd1b4e4e6827f44ae56b6540f2fb3938fc46e63cf1e0f8246b76db4015157dd
SHA512 7d9953c9096cfe768a3139984bec7fe7809565f70ab8b3632cf427e98d81c13eced7a3f034c41af3746f8d9cb41f429351ec8c59b185994ce437f55cffdf4c0d

C:\Users\Admin\AppData\Local\Temp\EwEM.exe

MD5 d04c11574feeb21cf9811fe53f6c348f
SHA1 12378e25f8856a6f29bf596c92edfbeef53ab2c9
SHA256 476700979bdcce0d340d5ad4501d56982cea0e02fb060800f3699ad60fa7a445
SHA512 858a830bc12f5e4d59cffba562901912a5fddfa09482af739f1a6f331d22c1c012fba9f5ecfb813ade0e8b31871efd5bf364a36f5e01ca0cd8f27354badbcb9b

memory/3036-1173-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oUIE.exe

MD5 b9fa92500d7eb3c5017c3f41977a4517
SHA1 c0c7411b9ee1f5d39a753ff93767f3d9a9ca127d
SHA256 0ceb3084959652fcc1b538a4b49f2bf3a7d0b52e081aef46ee1ea75a8f125992
SHA512 e946b9c47ef38d24af9b899ceea295c23aeafefcd2fd78ba0e97ed723a521d221d959fc2fd50217a31ba64f8dda1e4d2a491969bf3e072374fca1f01538bbba4

C:\Users\Admin\AppData\Local\Temp\qYAg.exe

MD5 9ed215c6d356e0209036b70db5238faf
SHA1 b097395aad7c53379122f7eef0d84455daf3934b
SHA256 4c7699cf6231e6e0ec2bfde41e8aefefd459a401105ccb9b3b324bcce3874177
SHA512 e2f2a6a8aed4e1189afc496a98fed59f013b8681f6ba9287b63d96babb4a9bab31badf205d0a5d8c9082d44fdd86ba6f828e19cf693b4a476aa4e4d9148eba73

C:\Users\Admin\AppData\Local\Temp\QwAA.exe

MD5 b3facfb0bf92bf61645ef78fbb49a2eb
SHA1 f3f26e5845e8fc6d17bc7cf8b886a8ab2c6dc926
SHA256 9c772012675443c3c407d999e6f2de6d82b8efcef2d377a43dbe0afd59913552
SHA512 b10ec6b7c5d5d1ef48db64abcb3f6ee6d0aa3eca74dfb40f0ba9667cb3b92171fb7ff14ab128da9f98d8e12348df301f15991aa9400d1dd3a3a3dec5e17a8849

C:\Users\Admin\AppData\Local\Temp\uMIk.exe

MD5 e2155a6ac26950cefeb394ed83ff49d5
SHA1 bc4ec2fe8708b0668fe698b6406393fbcc82356c
SHA256 3d2feb703b95e67019ae3048a1c1328a8b973d0af288a917816041d676691ddb
SHA512 bc88bb6804b2a00f78a83324b449f2ec7a2883c69d9d9c88579f28976b66de4ec71ed7d4315971315169114afd6241add892efb6bf9b9b3fac2b909b4c91ecc5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

MD5 8f3d6a7e934ba9d5ced473091e778764
SHA1 a92ed9288ac4ede4652fc1a44069343a8b467f40
SHA256 0981dcec9a51e440f213dca48c1bdb31bf4d8c6be58a4271dba30f4bd5e87440
SHA512 4c8639827cf2f528720ad965633631d551dc3b1ccfaef13ae5b03e6b3951b4bb9f209039dadf29e107d426b75915aeb88bdb659e57260a9d9b9db84775a572db

C:\Users\Admin\AppData\Local\Temp\iQcE.exe

MD5 83669ea72ac016e50e650e310fc841cf
SHA1 5247182999e3b12113499ec98ae6c2e557d934b3
SHA256 295f379206eec8af5988c495d0005d0a50fcf93336ff062bb608406b965e93ac
SHA512 0963ae3c7be0c8c2e4e5c88e2dc64134b1abe8e5f328befd32f944068179bfdb173bcb21e09c2436cf3cc5a04e702defcdf2583d061da090e6b44c600748018f

memory/3476-1261-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1996-1265-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQMg.exe

MD5 25bfed6d23af6a6c6c873490b111444d
SHA1 14c0156024b1ea20ccac142db815c1da09f286e7
SHA256 e8e4fac377b02782e055f1f529cb673554d99925a8936cb21e78a8b23bb7caab
SHA512 d132c49c0202d91e8f8f869a7b1dc381029e82e370afe2d98583036d78de83812376981b5abb3ba498c70393ab66e5d7993bdafc469a079e5f2715c193a304ab

C:\Users\Admin\AppData\Local\Temp\MIce.exe

MD5 8d233a18fe046cb3d16a7778fbbeb1fc
SHA1 ea116db9886d32f1bdf7359a88dd38ef601e0f37
SHA256 15d01e75a2c172a84bfc1203312552997a82c653bbb96df6007169cc9bb8b002
SHA512 55db5b889bb53fd355ed53e91f6e82cac199b43bf96c6a4d6d6eb8b38189eb9bcc26d0e3c970a0a20a922fd9d2e152885315ed595fb7e6e10e4a3e599be6c9cf

C:\Users\Admin\AppData\Local\Temp\ywEK.exe

MD5 846b1e1df48b670227a65d6997a344ad
SHA1 76ea6dfcff99f2bc15686de8eabf64256c8b21e7
SHA256 70e63d852611144a96fc283ab0fb7821061e0e10166a79bf7186d86b2150ad64
SHA512 d97a15cc94415ee3a6a0269cf1d052e1b3069a68672500af1e102849a2a5dfb41e8e2077f2331701de175ad4bb8a003fbe594cc839ff568263a2f2b4658b76f1

memory/3476-1325-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YYoK.exe

MD5 d8b5282fce78610c8a1f05080823ccff
SHA1 45fd7117b1d716b2f3b9c5e6d5b6098f316caddb
SHA256 036f41032ae7cf606163c21694ed1b7300943227d16e3b50f62662c9651116da
SHA512 fb339bd86d98df9d2bf05f56a643e9902d0d8ce9e28083490e6847a253f347f9c082157dd65569bae61e107ec973da48a567b88bedd498882fa114af735a9aaa

C:\Users\Admin\AppData\Local\Temp\sgMg.exe

MD5 9406ffafe8396285d0885f897cb391e5
SHA1 debae73231a34a50c7a408c24fe06d0068f4eaa7
SHA256 4a02fa0bd7d804f418ad79bc4ea270e9770c120e0befa7c145074221862d1b97
SHA512 57b843c41007a1fd38514fc923f13bee1e849ad25419aaaafff441ed7027bd7ed415e938976ebb59ba65ef3d54ab250513ff2737ddd898387e17841cbc3ae380

C:\Users\Admin\AppData\Local\Temp\yMQi.exe

MD5 fa13ec5f2f1b06f955962b4300ba5711
SHA1 6593f137e5a56145ce782d3c3d2fa1ebd7642a04
SHA256 a5a5c8419130f3fd80c2b4e4f622c00523af34b12b64453ef70b2b601163214f
SHA512 d14428becc9c55745019fe0e81e67ea1285f94796607c72fa867fea419fd8446d5e0a543c5984e22eabe5b093121e7f0dfa1c84347f469b5b86bf42f68bdca9b

C:\Users\Admin\AppData\Local\Temp\iwEM.exe

MD5 023093c3a03540bee268fd25b6f62b13
SHA1 b0bcf5707434303b5c41664cf0eaefb4d8ea4e86
SHA256 3b7ee6f29b72e0bff35c88941d711608d91433f8c524d47187702e171e9c383a
SHA512 09355565fce86d6333e673281db8618a79eafae6b0ede1c1ccb49dca38258ef20c3f4f2a07d694e991df44bf7e2bf000f30856b08b51df497ec79de1ce103cd7

C:\Users\Admin\AppData\Local\Temp\eIkE.exe

MD5 d1bfb835fdb84064c4e6a1c67f154768
SHA1 2d304457439f8dff90d282618cb24fb5b7ea4057
SHA256 9eceaed668e5738e3b786d96cb007775842e4c4d8382a9ab2cc9957830db49bd
SHA512 537ca25f522ea07c1678d4bd3d35b6ed4e57bbf649f107711d6aef52738c78168fc486b711aa39db78a93110ce06fa5aa014c80036820feb6e3ada6e186c5137

memory/4156-1392-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4144-1393-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ooIS.exe

MD5 627d2c74782ec57249f659ec12febf62
SHA1 9b07af56ce6508f738e5b1942bf4786fa0d83c74
SHA256 4a49c9e786e897f4d3ae5e998eec6f2bfb4f15533fbf24a7c7cfdfde4c6e6660
SHA512 a9c254ba491e6b35033a2f1c3a73c57257cbf5a7db42ef5273416d468358c8e8204c57f63d63065f2f2229a3f6e29c1ef20fd1a50a9ce2ed1aeded31626730ce

C:\Users\Admin\AppData\Local\Temp\eMMI.exe

MD5 c3efc4c885dc45c65a40f597c54c5223
SHA1 af96d9cd83c6ffa49976f1aca0a75db85e9ad8ce
SHA256 3d30f24ca949e499f6eeef47edf8015c32c012f7d1a6c7eca3b76dc9c82d4dd0
SHA512 eb443568d6f65a8602486124ea7fb582f9b691af65b05c2436f650daa639b2c0b5a85f26885ee68a543e68a284ed2963a571d61a7b06d94d70d6671731611966

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 0c18c489e362f5fb3647430dae6f27d4
SHA1 9149c4e2498a64768c9532013ff06fb10cca111e
SHA256 8449f6e2daf8d3c11e5d785dbec032bb16f7d25da0e40db3e0e4a21a4ed14d7a
SHA512 b18e059d13b302fc01a6511fbaced21874249d97687b915861c8736034cb3dc671abb5efc6f2ff41e74d3e0e4041981d26387b2383e3cbd649780e795d141cd8

C:\Users\Admin\AppData\Local\Temp\uUwI.exe

MD5 1354b1086d464e27fd63a51831f93994
SHA1 0e1135fca56aad8f4345c2d057dfa22f8f36cd8b
SHA256 14ac3209d5c8dba475aa37b6fdeb51d560236eb0078f7bea71acd242fcf79f89
SHA512 df9a7157f2725b82da276f4421191ba6cd8dbb05558f98edc900e8daff0c1273f165bed356d8e2cf51fdc4aa53d61dc4c1735e50da8aaa3f0c98c13da0d3a3c8

C:\Users\Admin\AppData\Local\Temp\awwo.exe

MD5 1c48cb2d2aefe65953a97aab9a832fd9
SHA1 76f5304ca0d200f1faa744c29a53da93a0afcba8
SHA256 9b1c6f6a95d6e97ddb19e0c014f0df2f3adfc8aac9b4489c2f92832fe74c9cf1
SHA512 ee4692e4e41e9d4d912a8315be957c6ce81ad6e94c1669c183d9d59daa8c7b72b92b7422ce94a019ab430fcf96afcf9f45b890148570f33d9af15254bb3f4cb6

memory/4144-1471-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMYA.exe

MD5 12e024f21f47c999c558ee35c2253085
SHA1 06d5affb1ca41b336489eaf20e0eb743aa8e575b
SHA256 bd2afb8dce74f0efa049bb8052429452b0977898725d691061dab0581a3fa05e
SHA512 0ace88e89c3d2da115e64ff56e11fb17ddaf4684a1e1b2e0ba9cc0fb77aa95e7c96ff171febd9cefad51c3505ee277edee5ad943affe28da56c033159fa583cf

C:\Users\Admin\AppData\Local\Temp\Yswk.exe

MD5 7f6ce05c3ca0afcb9ee291cafac61103
SHA1 aa5e421f286aa5837aa775015c366ddd16237816
SHA256 e65c844e01635ae1f3b1cebb670a4d5071f6ee937b44826a69b74a2d07d4d1ae
SHA512 9f676ea04b2a6244c4c54131c4fa33b43349b814d565bc2e92f9a4cc3595a68db61a349bfa723e654b9822f78d4cf22d314020532feb928c8d5222c2f83b2388

C:\Users\Admin\AppData\Local\Temp\IQoI.exe

MD5 ed09b1dec4be44049325a724aea6fca0
SHA1 c18d75e199e7fdf755004077f81332bf16029c88
SHA256 4b0be36fac9f66323a66080b23496ab16fbc80c5b558d7b61d2365a494e72708
SHA512 271e03e975cf8778e025b86b07f1d71f751302e47be709b1835ac890b8cc3d47be35641f8e0e0b75098b0c4c8b048bc098ea3cefc29ba679fe61e7ae5f17a8c6

C:\Users\Admin\AppData\Local\Temp\YQQK.exe

MD5 857435086faceb66a5665b6534988301
SHA1 13d803d3f54ecf6fce6662299f639b472603b236
SHA256 5f2a503f42c2914836857131652c146b63fb3e5f911b9cf025119941942a4dd0
SHA512 33e85e20938820b592c9f47fc8e33c9125db73f121931b1232572e66d17a91346aecfb963461a802d9080889af5bc64d6b299a62fa266216fb9c959e78ae79ef

C:\Users\Admin\AppData\Local\Temp\mwUK.exe

MD5 977647e67b85c4e7054b4f45d3802123
SHA1 d3c638fe91479fd67be63a5b2a526e88903721f1
SHA256 64b51616bb5c1b9f599176289adf77df2057d992aa29eedf5cbd982079d8e0a2
SHA512 18e46b0472920349627b2805be0b0ff30bd520d525beac63fab3ce9f90ad751665cc6ce6c3be3b76c38b630fdf3c433f0847d6db4106a3ef53a676a89036ddd2

memory/5068-1549-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OEwI.exe

MD5 6a9e9863016d615fe90fe9657253cf31
SHA1 1ea94e9f648e4134ab7b3de42adb620dbef819dc
SHA256 7bc18fbc8ce593377ef4d87ab8946b599e598400a99fba43612ec9b44e8887e0
SHA512 6a05b74765408911536885be37c42b9815814ce17d196f89660a8e602c38be5e12b59e0cbb8329829eec2145dede1a820e41574b8900d55966686f9e0680251c

C:\Users\Admin\AppData\Local\Temp\MAwI.exe

MD5 e5638872402d89a0dda941e8da002e72
SHA1 3539f1495cf5c16e47f8f05c2d7e6a6a3d57c9c6
SHA256 0e32f0ae6d85ece7b6d9f1f835925aae9b35d697d3929aca84146e6875a75d32
SHA512 537505891ee12367481b9e0a9067ff1d206099fdf5bb955b6c7e503f09b22e41c520b7b4d2d187d7db9baca9ee6d2aae90f3d84335c2fa00ed94abfa80aca8f7

C:\Users\Admin\AppData\Local\Temp\ewEk.exe

MD5 369e413aa927233597313a745f601042
SHA1 ed948bde356c8b13aa6c4c865fd304f564400608
SHA256 d4b1609dd2bc44e8b46617a77d294110e30954fc468935036e647a699f1a7942
SHA512 0da732917f7a5aff025fffb279d422ffb542bcbc51dfce25a6afc643fc5f26d2f8a00e74dba524d448ba63b9193ba405fbf74b14994742f09dba896640a1e8e8

C:\Users\Admin\AppData\Local\Temp\ukoY.exe

MD5 6b72e0462c15261cf79bf2b99074deaf
SHA1 a084c5653972b67a9214339244dfe19f2f1626ce
SHA256 cdc3292c06c4cbe13fcb4271cb463e656e873681f98a8ad7b8ecbeca3a0e24cb
SHA512 566060d517e4a01bbe2539ede1d8a4873edfbf53b98d31d959161279f419a66b4bb3b45bf91880cb46def6641a928b85298191ade4b3f80003120097eebab33a

C:\Users\Admin\AppData\Local\Temp\owUq.exe

MD5 111e86353ff2ccfa1152c28bb2e26fae
SHA1 51887d867276b20ab8102c55b333bfef720e6edf
SHA256 d7bea2ca5b475c4c64dc9d7a79cfd82579754a42bd11a6b578327a21ecd306b8
SHA512 1faf90957b8c0644606c0bd2c0023954e89da744c081e8c1455f7e14668c202e6c8ceeb34678efac7339ace857baa48bf24912a5416ce6c6113b3ef25726e80d

memory/3304-1627-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgAu.exe

MD5 cd1bfd51c63d41165ccc953ed259f174
SHA1 9508570eeaad815d1153fa07aebbb8c8fbee0ebe
SHA256 04a3d67b2349590718606755e8a71af32a4b78f98e58a321bd37e52e9df40d65
SHA512 056e08b0104e552231d8a73db9d300b2474f12bd4178ca755d2d045b4b7dc77a3e3ba67ea8af486bbac030b3cbc89215dab86d1e284871a239b43d7f587823cc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

MD5 fd3df01386b414d40985625b7f50542e
SHA1 0260d5cb2c3d6096b4f1493e89cbf9186267176e
SHA256 3420962f64c57a613aad4273e14e721d57f3816452092ff43c607f7ab0f97656
SHA512 b6c56beba6199c5ac9cc9eb332a918b32ec2087515a1eaeba5f2a167dd0403e1c6a626e17c0ab67f89b85096a520aa6b586fc8d100076046b0b39ff7463f8ec6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 dd573cd9585b68a3bdab744c9d7c6363
SHA1 95cf72c8b799f3303c965827503aca11fbd3d01d
SHA256 19739c77e1a5d19541ef34cf3ae52d200c45ed91d64c86319979d609ecf01af5
SHA512 65be91c969c051bb830c6b288c6d2df97a6bea4132b8c85111c81ae96ad4d748fcf9a64fd4197144f68992f8179a5bf803e1ba18d70a1c0f1b85ee47436018fc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 32461543b0ea8799d8598ee64d288508
SHA1 71c3f39158633df35341a1eabfd67eaac24e3ff4
SHA256 473d9865487c7bc80f59494c3936e17cf38a8e61d4ff2e3f98697176166bc134
SHA512 cba896b6f212b1d46a08e90797e9a1d7c633b3fb6e0923f773436f6836a584c3bfe28337ae43aaff00e1f042f6136dca54e5352ea3941140d73fd7dbfacd325d

memory/5004-1691-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3780-1692-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cYMk.exe

MD5 32b126cdf9f15fbd7261ef5959de4d39
SHA1 f1e385aaa3d76900fb0d20cf893185b4b7a00640
SHA256 919139eea615aba2377d4884cc8c86305e0a928408b5dee5f6658619b74f4647
SHA512 e0385418d58b80611876f7f099aadd2654234bbf1ff65310b50605e077a15adb834fda4c1b4f80814a139f7ebb2b72ffdb1684bcf261c3608be7a0db178c4a79

C:\Users\Admin\AppData\Local\Temp\OkQq.exe

MD5 ca82af1a764aef733b19e8a4888061d0
SHA1 e798d6df1af0c89c66d45747d14736919b4c8cf1
SHA256 333f035c2bb4cb037bc472b35a6d7819eaab0a867d3b94a44d2d706ecac20278
SHA512 13521c223bc194e9b42cab950dabbbeb96d77b462dc4780ac796917e8f6fdf310c85ff70dad9ec880ad7dacc6c5446539194ff5f7e37ea6cdc513caabd50a5f9

C:\Users\Admin\AppData\Local\Temp\SgUQ.exe

MD5 51c9a57daf1fc940a0163607bb874831
SHA1 fc0307d41ee6b83b405d49525c10d90caead311f
SHA256 bab36078bbda539c036123244e3186e9c6acdbaca77d3e23c6d62e9d5e412a42
SHA512 98603c30f2063391f5c87b59385b4d784f01e6ff138ea2842608a9dab487df4cd3bda893d6f0b9a768c34a942d18eda6a36fb18c624d241a03fc9ec34c19acf6

memory/3780-1743-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msAm.exe

MD5 e0555086e3e9fe77d942a482887c6063
SHA1 9032ea1bd1cd49fcfc95aa46be94e20938f73d33
SHA256 26bee786e37b0b732f8fe616136d2013e686b170f25ebc91a921be1c1387c2b1
SHA512 7f7edba0af2a2f970ed998b007d7e8e5bb9e40153c1b096b1bbd9781eab0f4b6441b9cff4541c7e546d9937fef79f698573d3148ec9bb06ab6b18ec24d171347

C:\Users\Admin\AppData\Local\Temp\sgMc.exe

MD5 2667e866628a7699507c2923e9268e7c
SHA1 fb534f7e22d0a5a8bcc14e0b28a3492fe01fc422
SHA256 96d5b610275031918039046ca007fec5b8f567add6d6c275a4dd57af8e2fa399
SHA512 b9d508fb58d5fa5ec4762d8ac144ee27204ea297e02ba49118a3235589e1cd45d7e9b784b98fe9f2204c23aaff72596418bfe0de811ede4f18ca998ff4c0fc2d

C:\Users\Admin\AppData\Local\Temp\ygMm.exe

MD5 cdf2ea1b8ca1dfe548e505c63d7f419f
SHA1 2edce34253918c0b877f8e7e0e4c4a2d818ebdb1
SHA256 399ccab4cf100e0051193bef5ec8cc9eed6a66f04fd7d70be19f3b21ed119669
SHA512 452a927e08812c5c1425480d4deffdbe758d2e8a3cb20469022fe006dc48c045a03f8df9a37a5929a8fe7d41903c616a263cb95099e28ae66dcd953b08d76217

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 149f41d8354f7ab4df14a1a24290c3e4
SHA1 a67a4185348120a58f11eae7ad11ff6d24b78249
SHA256 5dd126824e3b4829ce162c1e4b610cd8f5bb9d1e7c7149cba7f3bb9c50b88ed7
SHA512 9485e65cb613480e6f46b7e7c0a2f7d135bf5d7415ce5c2e32fc5b3717a2e18e746468477a358d028076384421d09fabcce3434027a86272ad5d2659cbda7dd6

C:\Users\Admin\AppData\Local\Temp\GkMc.exe

MD5 05f2ed6f2f7c9ee42f6be22fbef9ebae
SHA1 ca313ff02b3c2b5a3e9836ba62d9bf4cdc947132
SHA256 f0cdd12d4fa487d478fefcfa07635f4bea3ac31d77d227dfbe7d2743355fac0f
SHA512 f2446957fd9b0f0e6b93d5b229ea99745f6967cc503ab8488a7224207c64670085866f1ef687b5f2723da7af5b2124cc27e8435405f1ba6d7c34e6cf57a190e6

C:\Users\Admin\AppData\Local\Temp\eIMy.exe

MD5 42d00b1e1327906ee6a645be9f294544
SHA1 c3a9ee15d759ff3b77658e7401d2e3bf26f132ef
SHA256 051e1617178dd834115f46a40baba599bf01bc83e86f020fcd65a2d9f2b3d71f
SHA512 b8e8f2c2a9010a3b7e6245d77e01e2ad524774ebd7c65fd18b30be9210d3355a5ab387395fa2873d81b0c5802b620281411e2135a4c14cbc075b0652b7ac68da

C:\Users\Admin\AppData\Local\Temp\ykES.exe

MD5 2d8e2f5e0fb88c92aaa66ac15661bb47
SHA1 04beb581a8724090b67bc90229da1f9e31d6337c
SHA256 81005856a542a369c841b076b8dfeb4eb91b612d20af40d60be677dfc34bee93
SHA512 da61c66432330203adbb2a81e7cdc87483af22d41af8a64240caeda3ae818218f7ef93ff5529877896d4dbe7e14e20079fc7b7d1307b278f2cd6d8f05151ddf4

C:\Users\Admin\AppData\Local\Temp\IQAo.exe

MD5 44a168fc9574e1f4a7316f79d89485f8
SHA1 8583722dfe9f18da0e80c4902a8bc73df00add0b
SHA256 0de3ac48f00568632d83a46b079d6a6a6289bbf328c6c75df586d1fbdfa9bdd7
SHA512 007bc53784dab784969f2e025ca87de0bfdb29e13bae5b88d2292011e747544c7990933576f1f21c18915375448761cdc0745c6a0af32f16101c9c4a5c1709c6

C:\Users\Admin\AppData\Local\Temp\OUEy.exe

MD5 df8d222bba3f0da7b886f149ae2d5fff
SHA1 76a5a5a39f0ca0ad73c4b355008f0122d8df372f
SHA256 e659a8f7968015f4de5c7be735182711f624e55afa6dd1b265b42d9146b3204b
SHA512 fcabbc6390ccfc092b3870912e4fc51e0f1dc89f6d44307001084ba4f81a2bdd20a2bfa8eaf58d85003ba2c904fb457acd9e6ba02a56e7d25f0e28608a9df57c

C:\Users\Admin\AppData\Local\Temp\OkUa.exe

MD5 cfe407e023c6e4e1ca3e82d2331c74a1
SHA1 722a116a3b6e45586e0520087a5d263664271c66
SHA256 fe2e27aa35236ff7dc5ada640933d5d57439480ec0c5cbe778cd5090854b7a21
SHA512 3bea7e5b4be476fa65d9c438ed337c3f935083a3fbae068afdf0acd8f03a9b9cbd710dc5fae9ec529a18d01c59a1988f6748c6063670294c58c934e4538be6e6

C:\Users\Admin\AppData\Local\Temp\sAIo.exe

MD5 53d9fa287a22ca172966c52af3329f63
SHA1 5a26f721b8dab4770f5dbf89a36e5d3dbb9e8a2c
SHA256 2d65545d351bb2d8d7dc7e146b616e95f736df02d892f2a04d33c6f09d815828
SHA512 d647956ee127b1525302624f3916074c8152a5433f8790ab769fc00ec3adfdecedfe81e25fe9ff4d1722be811d5c49adc1cf838e46f5cfe4149426b1f8f5f334

C:\Users\Admin\AppData\Local\Temp\Mwka.exe

MD5 acce691c3678634d7bd4814e44f96f20
SHA1 a54009eec6c5243e1b8285d3f750f10720b0c9ad
SHA256 668bc03196a49f9ddf65c23cbae97c86eed03976a75a224186a39c63e0e1d4f8
SHA512 cda6099ae88f57ad188ac90e6dbd80187674c839d69d9744495d21d281a636aed8463e6cb9de057a042abecedba8cb6044e68847209c12308ab66359008b0240

C:\Users\Admin\AppData\Local\Temp\IcUs.exe

MD5 efd5d3550aaa0f62f03aa45963f84f9f
SHA1 b2d89c5960ed8d0091523dd514892b7243b1f48f
SHA256 e15711b1f1d98752b3c41ed2d5d666dbe68cacb55afc37ead6d6155482dc6544
SHA512 5d8095dc075f6eb1765b29ef3dcec4d64de5da66efa1035f67ef4728ff6517c69e858a3c445cc8481185f8c1559fd898dc4f949dde615eb972dc91e574de7dc2

C:\Users\Admin\AppData\Local\Temp\Uooy.exe

MD5 263099dbd821abaafd005b38282326da
SHA1 ec5b8993969e61a02a5b8b732298981206371f93
SHA256 797f022b36da4226b3000980c04ab175b01b61e680e590d4a45e54032e3f1a06
SHA512 42d9c0738f23e0516ab324d95ae167cb9c715b12a01d18183dfb5616f5722f4a986844b4612525c14c0d0be5010667fd6bdd963a2d631b1b706f473f40fccbf6

C:\Users\Admin\AppData\Local\Temp\sQEu.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\WIkq.exe

MD5 318e7ca87a90491f3852973ff9de6551
SHA1 92af63b9bf891547c804618c209627bf5c09fb32
SHA256 f6881fbb7d60a8934ca4be44d25e9b1f4c88967001c4d65288073acc21975a84
SHA512 2c24a4524b578eb8dad12312953698294309bf4421fe21cc0db0ae9bc70147c853ff3c73bb447eb4f342f66723ef2bce15676e9f705bd7bf4058366b84491bef

C:\Users\Admin\AppData\Local\Temp\cswQ.exe

MD5 3c4e885e618f2b41de93fc003101ae99
SHA1 327f7ce3c559cb871406fb334264e7e149b11dac
SHA256 b4c0fc9047650eaf679c9482892cb3c1e151497963fefd649e406755320e5c3f
SHA512 c75e04b31a40a128a026b9179490b5d2e25fe7b3562d0e5d9415e7b0aa61d9dbd45ddf565d30a0e48f5191911af75455dc76ac7be5e0b5155d609a3c96353926

C:\Users\Admin\AppData\Local\Temp\sgYm.exe

MD5 6d4d6ced89003389b4c9b88fc03c5d42
SHA1 5f85119389b54a09da96b72576b1d8eaffd0acbd
SHA256 3674556a73396c7c05f7e6d39ba77ebf9964301f7b46f2bbb7e5e1a6598559a6
SHA512 1b41c62da52f0475d4b3383572e3e7afbfd55110cda0b2dd91ff468122df0290605338624760e3c0c9f4ba650eb5e0d1d6f733d7ffa6db94c518b7c8d38ee324

C:\Users\Admin\AppData\Local\Temp\SwYi.exe

MD5 5c9144e4ff1fd08b9cf388eaec42ccff
SHA1 6fa9ea95f3f85bf3be104704dc0f33d12d23b422
SHA256 0bc75f841991dcc741683d4122b8ffda08a2ef0b84f41dcedd46538fe3fa1592
SHA512 ef821d774334f1aea92684dfa00c58e9432d3761d6b12a2bf618567a47f6b2790df38c9685d1a4b67a4d0bf0fa706eaed6ea629616cee6d6bf35ad1a70899bb5

C:\Users\Admin\AppData\Local\Temp\CIkc.exe

MD5 c76a8e1f8a4d0008668a8f0db50be25e
SHA1 803781e523e4e473c7234a8d99779c9aafb55719
SHA256 fe1292f901dfbe6afb56b881dced002f4db697b952aeccd29f0eefba22de8c7a
SHA512 cd4fdb86c05904d0daebfb0ec19b83ddb1d6b2dbd97ea4c450bc1d29e5a954ddc5f27c89247ad290844d86eb293dd2792fe40bbef15f829cf2c3d69924cd3e3b

C:\Users\Admin\AppData\Local\Temp\WQko.exe

MD5 1696309d562c02e6c131b232c439952e
SHA1 fdedcaf5a1d8179b37e4247e251d01697c261dcf
SHA256 d2b13f59a1e96bcfab595fd4ee4489908d9b6fe170789200fd52e62ebf5b32c9
SHA512 4891dc9fd6043b0ca5d448d8dba7fb14c169ca2700f131506f80bdf2db7dfa1d4770914dcb65be2892dc4dc64a33e1984a00c5f0721aa45312901fb6d572edfb

C:\Users\Admin\AppData\Local\Temp\iMQi.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\CMEO.exe

MD5 c225a24e7c6da477face6cf0f79a276b
SHA1 c0514c03202a0d037a320063f01bbf223a91c3c0
SHA256 f4e59105690ca37b6b038e9bbed4d5ed95f06e4afd3f919a51826c1116b83b2f
SHA512 de51ce229e4d8e10fe346e7f0af120c2fc59a722be93254daf1b3867aaca9b7298c87d695c85689258a3073107ba78cf541bf84ee7086706c2ca1348ae234811

C:\Users\Admin\AppData\Local\Temp\MMco.exe

MD5 d164e1aff6bc5a008a85db1b92f7afb2
SHA1 b25c7dee0f70097324ec8c8e138a692cb7e7b374
SHA256 e294f07321b6eb372f16ff2de318c9c31845b5d35ecdefa518e8939bf41d59b1
SHA512 149bdad5b9eaf6bc4c3fa77e90e035c75ad5a24f69febdacc53726ce3b76a959c03006a2593b885cd2ed78b15d89e614be6ea1eb6fd18814c6216e375337c11f

C:\Users\Admin\AppData\Local\Temp\Ckcu.exe

MD5 07f9a0d4029c2810925122e6850c70f8
SHA1 179d6578722c70ff467ed072f807d2dba3dae185
SHA256 c99a75123b804aaec7aec00d3c84dd83bc7fa958ce0f8c0edee439149ac9527b
SHA512 1b4e60cde813e42264affa397869680f74a0cdc946ed19057ec004fb67f13554ed2c9c36faa7ce61b15e02b0c100bca6f8938d01be21636bcade817ad52138a3

C:\Users\Admin\AppData\Local\Temp\coAw.exe

MD5 fe679381f0b235d1712271a9148210ae
SHA1 b063748abf6ea82f160549c305cb844a254c6c87
SHA256 3db3ace5a274aad6a93421132c5ae5d9bc4e4854b9cf71fda23472e61db55cc2
SHA512 c0a3f39c225b853b3264c0c302cf264f93cdca47353606a8a344ce092a516ab87d1e3ce237af6f80b81b978d5910f2643d9040434b4e2480a6b76d71b9593d35

C:\Users\Admin\AppData\Local\Temp\GMgS.exe

MD5 e6cef2f657dc7cc34ce0f2a7bd5571e7
SHA1 656f32bd5d43069faecf3ee397f2cabdb9a81932
SHA256 2d07551e93c4610911a9ec96299e30e782f00643ecc70a24d4931bd639b4c350
SHA512 212238cde80b956f7156ffabac50d5348493bee22479bf3b4098ff38644b2f2a2099acc1c02abbd02d28a9b8bd27d2fbbeac19acdd0938b1a61599be5297fb22

C:\Users\Admin\AppData\Local\Temp\IcoQ.exe

MD5 64286894e59fedb34b59083e827a7c6a
SHA1 080b2df8a2d038f4011c1cb9fea3137e46c77a10
SHA256 464e5d42124f1cc951749ac3de61f1d94e23654fc9de53f07d025715201c2c9d
SHA512 ec2a7aa562b53dfc5e1fca458ddd81576f95a905f807dbcf7f56adb3ce26e82cd3146803e788e74107ac9e1f192188b57cfab5b3d439967b1add8bf829010c5e

C:\Users\Admin\AppData\Local\Temp\ysoE.exe

MD5 b6ebdee21fb9ae6d999154cd60856d81
SHA1 9c4c48498314676f60a2eac06145cd51caed1d1e
SHA256 f98a6e9571f87e0195cf4db8d49811a27984bfb9ad3859c6f08cbd9ca43f41ed
SHA512 529836a97881bf9a6cf9a157a0aa08b47dcbf2922f0ce02920274ce19a4682aaeeb6313a4fa6f48ae29efcd81cd8f04604643547c88ee614f5ad43175dbae035

C:\Users\Admin\AppData\Local\Temp\EUsC.exe

MD5 e44fc4443714d8c98dda4bc59f7415f7
SHA1 b5c9e7137423dbe59515580a6a363ecc07d48860
SHA256 ce72c3cb55add6206c5817012da9c2b8b8ef1392eb46100035e161cb52642521
SHA512 706e35e8222014e039848489e0ae8f1183c5d234d3c91976be55fab137f225fd2ab9ace71cf79455967d33c4d06139174d7a8453b9cd3d03528d19988d4e12e5

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 22:44

Reported

2024-10-19 22:47

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OkUcMwgg.exe = "C:\\Users\\Admin\\VogsoEsg\\OkUcMwgg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rosEYgEg.exe = "C:\\ProgramData\\yCcwwMUk\\rosEYgEg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rosEYgEg.exe = "C:\\ProgramData\\yCcwwMUk\\rosEYgEg.exe" C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OkUcMwgg.exe = "C:\\Users\\Admin\\VogsoEsg\\OkUcMwgg.exe" C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A
N/A N/A C:\ProgramData\yCcwwMUk\rosEYgEg.exe N/A
N/A N/A C:\Users\Admin\VogsoEsg\OkUcMwgg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\VogsoEsg\OkUcMwgg.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\VogsoEsg\OkUcMwgg.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\VogsoEsg\OkUcMwgg.exe
PID 2376 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Users\Admin\VogsoEsg\OkUcMwgg.exe
PID 2376 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\yCcwwMUk\rosEYgEg.exe
PID 2376 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\yCcwwMUk\rosEYgEg.exe
PID 2376 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\yCcwwMUk\rosEYgEg.exe
PID 2376 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\ProgramData\yCcwwMUk\rosEYgEg.exe
PID 2376 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2440 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2440 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2440 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2376 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2376 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2600 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2600 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2600 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
PID 2848 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2888 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2888 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2848 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1076 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1076 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1076 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"

C:\Users\Admin\VogsoEsg\OkUcMwgg.exe

"C:\Users\Admin\VogsoEsg\OkUcMwgg.exe"

C:\ProgramData\yCcwwMUk\rosEYgEg.exe

"C:\ProgramData\yCcwwMUk\rosEYgEg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bocUosUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmIEQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEUIQAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqkwcsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCMwUEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScgUAscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoQowYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGgwUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwwQsooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQkIwAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACAccIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQwQkcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkEQoAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkEMUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\reYgccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEYoQswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGEgYQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1276669138791286998-979422388-876549899355978172-1822352357-1127100639-1487302504"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2037747958-4144575171845098960459820952326897355-17666886611042313507-1171442823"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgQIcQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQUoMcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6528396181496473665727454720216022391165456713759143520-966189933-1652463829"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeYoIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQoYsUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUEMwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HokEgUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIQYcQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKAwIEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "681336078-65019638920982151201964400777-17217551331924199421481780999730980037"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOYAoQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1042997096-516617004163162028-20160761191901375771212057288-8860014321278254428"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgAwYwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "739632581531254283-797654873-2007830605-1178978717-1178516220972300797613388718"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKQccgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeUoUUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1541765976-570379439-1339695259-2119368392733705666-994133011-1682956091-588490014"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1216194823167837033112022861535497101-571060911-1940317682-9381008091956973694"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agAwkUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqkUwswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQUUMksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKccEUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "606737339580104541-1685783532-3672092791368211710280996060-19078684391049564856"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsQcoUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "29017990-1023847137950859282-11755990851162749091707308367127990205983370353"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PukAsIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8955199043047717581821860521196334413-1025626980-882465454-2136429117-2016410465"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGkcooQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQsosIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13114131661268720813-555736107-6618682771478062019-19409476071502726111-998491498"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSIAYsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1983244138-17358775642018182908-1568794851-63616139135726426816182041781311024515"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOMgIsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqccUwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2062967144-16849107671883805374-1385274508-840450009267701683279668518-2129724311"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMgoIswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWwoowoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-187263425213645253151138062622749164495-1388196213479767165-38214256788131803"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMgEUowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIMIokoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8099304311736569787-1905922725-1235171276951096935706510329-1641107383151036039"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GaYEMAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9573115011775184418459149331-3458323371223989501-964778975-1110442879598762905"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1535397125-833333543731506230-14990446331993824003-1523723054-81264760-1188107504"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1412933911955229264-1769817057-181710216714480320714949676-1334195503-2053261918"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqIQAQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1619487503-74623452947234972-817862345-4944592331661618584-1794416524-2046061820"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCgAEkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19902824681273445615702556776-64096474967486525643114210-19300626981619402844"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcUogsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1266467191-826835699120659232-1674933768-1276580962-1785693164-14257076251417822294"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWIwIkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1262328289-7630784341162974781-2125072566-538265264-715226857-347482537547161316"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\voUMYIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cecskAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2695727149291204221619377474-1917605647-122262942806709079-1259966595182562075"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2092315065-2130065843-573849790-1684289913-1447962795-182424985-12358029851445147065"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-509200737-2738782201072871397-1821652361-875069304-135721244920674010351629045101"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuEYQIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "61387281-2096027031-6990688671626198111-933427385100592557356658878-2005425352"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14290061891296424608-15122797301657480933918015620-1598107233-1450402847-1331434398"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18062455421141796824-1448826874668951409825538300354983947861533651993929253"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\maccwgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-132132130215404935961182758831915922276-294869475-18347553661348759584421261299"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKAokYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "207345819711727384931158258574163239064934727007616624012571369853027995654021"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "365087462-1367314340-1161204755-4520056552985289711623863139-421034504-1917600460"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "427013058-1460676152-1541276598-64847716-62940086614478505011997270930-234982203"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcsUgUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1817152280-1490206482876288898-689326898-1171837036-1404516003-13859402591997278340"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-825466984-47523446267165738-157004025121354679771041614567-1034037104-1818719242"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcMIIooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\poIgsQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-960842707-1561382727-1621653201-501757395229470280-647827218-366604084-1637494977"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIIwQQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1710386864-1319239381-1151654892377033348-1694358809-1714987296-704821021210873840"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1159446744749788011-14144112982095493479-1951565419-126402085914861422411285918200"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1494105666421071921083315962-819010737-1254652355174456427011168796821872615587"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\auowEsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13534597181060348617-3290449291501092322-8198834011288126668-43776816-2066521171"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgssowAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5874456538079263-19894365121708522927-214592684570369701-560730739-1426396390"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "187100493-126484442818148895916842940083291534562029039695-1956378876-1983633352"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19318112681536561053537774916-848667261-100598715817791207225312520071863260296"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "652596762-848094263-1844088863-515648418-830992270-3166244991236496997568956055"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYUIwYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "177521597219732350071318346891-747631141-16607033962027746533-1401393157226709542"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1205688171-933602758309345762-11005497140471281022417545854111442588531384"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqwcEAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "272339226-1338152575-1102194219-1498945359-8250342361585049320935394464-2095077317"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiEoQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13956951736693513993753051141497458290-852886117-173821344-10334257982570719"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1216676625-3636180701717949227-2081069370-19358371755333739302119710412-2049668540"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcUUQQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1234284599-992194387185557687266105870670285032003043522-1460053495-1927947489"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUAAEsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "939406398-2074939340213790622812469869871390160041-6736360061317043079-1651242772"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "430060869-1606806033727389354-304433002-1647361948-6944797-1947567212-750343117"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2121477529-1610229841-181116917147419745911392728311150387339123559222841581931"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOQQskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "445280870481225466806981541-1409266207-1790934729-7719104581301281638-1915779496"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-43858177334131299515171622211298573789948369654-989837943852047052-1569180533"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2376-0-0x0000000000400000-0x00000000004A8000-memory.dmp

\Users\Admin\VogsoEsg\OkUcMwgg.exe

MD5 33a741f62b7c5a29f7b2369034c69a74
SHA1 1ed582cbcbb559f5f6fa2ef1d5b6ccdb3c8e6628
SHA256 6da442604152f75a558d25220c7bcd64f98b36d801130854ec267ab9ddc694c3
SHA512 eb96ed624b79e5345e55c9db51ac2ee8f50fe6fa44804519fb363d77f996cecdbc7f88007ecd4c58afe78f5ab3c9b72d52730f95ba5f36c6c6282284e5c5c21a

memory/2376-5-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2376-12-0x0000000000390000-0x00000000003AD000-memory.dmp

\ProgramData\yCcwwMUk\rosEYgEg.exe

MD5 5678da8e75e0a14e63d5e6aaebf77938
SHA1 1f6b175ea98b40c19fd92fde7d06bb59922b599a
SHA256 c7b106e692cd16e4ea0bec9971a31c93e06545f0a8d7361e4a82cb6e38c28637
SHA512 3878e4d9526f42c1bfc9d4d47f13fe8164eab0e3d3aa191606dfca78c7d331b19d751ee0a6c3047a67665a8f4f950541f673a65dcdf7741e2c5b9830348a32a0

memory/2164-30-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fsYckIYE.bat

MD5 9e86e9893b91e8389be2519a92aa05c6
SHA1 67228d3b76e2b9465870db4862d29942986a3924
SHA256 0bbb2991175f90f11aec233cd24100f8915efae7048ebc30c016157f86c774e2
SHA512 9dd27d70fddfc932e50a637e99efbbce243a670b7df31eb760a7b4ad6a44d15572eb205075e9d7a600d1d7f7f8f50196c279ed483c54cf184f8ba2833fd6bd23

memory/2376-16-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2440-31-0x00000000022B0000-0x0000000002358000-memory.dmp

memory/2848-33-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2440-32-0x00000000022B0000-0x0000000002358000-memory.dmp

memory/2376-42-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bocUosUY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock

MD5 8969288f4245120e7c3870287cce0ff3
SHA1 1b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256 ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA512 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

C:\Users\Admin\AppData\Local\Temp\bwMgsUwQ.bat

MD5 b867834bba91c0a985331b76ba033559
SHA1 2da936516b4e2cc4e6814220e52a64d82966721a
SHA256 8dcb42f9fedc4cae446ee4cd03d8b6580d01dc7202799cdfd0b6992cbebd9f26
SHA512 fe2dc2f3e481efa1744b83b23c6af392232c57d8d2fb26e0671324174cb9d3b85a2751f21436a291b7cd8f54cbf297efb0f4c6788b91d131152722b6567b7866

memory/2600-54-0x0000000000320000-0x00000000003C8000-memory.dmp

memory/2848-63-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\wukUgUYI.bat

MD5 022b4dbee7e9112eaa957e59d93a4a47
SHA1 81e9358c2119802e964bb08dac44621287dd89f7
SHA256 abd134d322d85ea696d55bd02deb87bdc28bc7d5e6371991adaf9920eeb3fb06
SHA512 a15e619238137ebd6a2005bfe6a6ce6e42b0c194ee26b3058153c0b049326a9961b9845b3e9e244fd323b6e7f256c92bf83f6e0f0b7e033c01fcb1452f3fd203

memory/1164-75-0x00000000022E0000-0x0000000002388000-memory.dmp

memory/108-76-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3056-85-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CmoUsMcY.bat

MD5 ca29d8c37d52182d24cba5d51c786aad
SHA1 040ff3dc213256b7178a6bf3c05882e2bdd41982
SHA256 f729cd8fb2a9f113b3418917750206d325e01f7ac32a96d650bcae6add21bdc8
SHA512 7bc846cfe2aa97dd917fccfb9cb10ea2b75cce9fda69b9c81cc29f0d315de7588895369bbc78280f2f252d4328bef512c42935f8c79143469b434bb4cb54e446

memory/792-99-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/108-108-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2688-98-0x0000000000570000-0x0000000000618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EUsQMwsM.bat

MD5 c591a85a6fbdd0c440a6acd74cf5842d
SHA1 a8c5b513c6594f1dc79e727b62957cd1cf38be38
SHA256 a1b2e3475525352630aaaa30e51594a74dc9f5a4e8e52707310b07d25fa1cfa2
SHA512 12ccf9aed92c6775181e7de848d950ab997ef4bee419dc9f70acf4f6f21bd1b7be296a768dd3b1519fc4bbaa2502c58e6375ba0ca36cb3d5f1300edbc1efe364

memory/2344-122-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1144-121-0x0000000002380000-0x0000000002428000-memory.dmp

memory/792-131-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awEUcEoU.bat

MD5 429a107e3b986a754f11eb96ca9ffabe
SHA1 f87d924d761a923aee568f29ed8b1d7c8d7e85f7
SHA256 8dfd14dd4568b60780792ba1dd5dd319c6d309bbb6086891f1904413b173c138
SHA512 560984b441167aba7b00865bb062aaa8f10f17770e82a1b79a6d55e37a6d903954664d47c12ef696bf9121963b47485059bed538c8cb66ca13664f7c40ad391f

memory/1880-144-0x00000000003E0000-0x0000000000488000-memory.dmp

memory/1588-145-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2344-154-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VOwIkcMw.bat

MD5 c3063dbaf09b8b65e3c31c8f2849192f
SHA1 8165fe70aacfc96832866fd0a30f35f084f033a3
SHA256 db2b34e24b82bb5ce93e941a5e2e7fe5b064167673e1f48c8a611e629757d1ba
SHA512 bcbf0f688262cf7080621b60c14f75d15d6be5b4e738eb8482eaf713e48dbf0a115011b042da431d5f02c0d802ad50f2000d809a124a9feb38e53686d27a0e19

memory/2620-167-0x00000000022F0000-0x0000000002398000-memory.dmp

memory/2500-168-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1588-177-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lisMIIMw.bat

MD5 8d4df712ee500329231f162cdc96ac70
SHA1 05e6cfb43cd298571a3ea8c9a43d226e13261ff6
SHA256 81becf332328b16951aa8bdfedd68549904add31121a79dfa28597eda6b84ed1
SHA512 2f8277e7da0a6024a54ce561981d1dd2964d49c7ae6a765d74f1fd21dc82a22b75c469bec8e811e2427fc327a1136c6ce5ca4ecbeee7c7afd123add2c8ed124c

memory/2412-190-0x0000000002310000-0x00000000023B8000-memory.dmp

memory/848-192-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2500-200-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LAEwQQcA.bat

MD5 340e93a34e459c593bf0e377de9c2171
SHA1 2cfec4608dc46caaee7fd00ab55a0085410b6067
SHA256 68481951fc563a84e311ff7f92f98235f916f79cbabc7695a4cb2930c3677fc7
SHA512 5b75a296e5dc94eb9aa6b8fa4580709d9966d6479796e08dd7d44a6bbf79d1e2edefc9ac22ccd2758413c3635db0fa81d26d56c6533cc960b05097e3bc8065cc

memory/2792-215-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2932-214-0x00000000022E0000-0x0000000002388000-memory.dmp

memory/2932-213-0x00000000022E0000-0x0000000002388000-memory.dmp

memory/848-224-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tyQQwYko.bat

MD5 4913833295e4114dbbe0724d944a953f
SHA1 dcd97c97deee51e3f90cd67d8cb0af6d24c06a94
SHA256 695c25d5687ddc5b66cd4a4ea92578b4e13803857ade850f0e58263ba4d648bb
SHA512 e7d8a800edb968c77f3c635fc7c29338be0e2039aa53c4bdaaf8e6c0eed079a14abf5eeba6250a1220302c36dffd720ba83aa0d9083d6301cb68db1c1572b05b

memory/1304-237-0x00000000022E0000-0x0000000002388000-memory.dmp

memory/1304-238-0x00000000022E0000-0x0000000002388000-memory.dmp

memory/1328-239-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2792-248-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buMAgkAs.bat

MD5 6ba5f5c303b4e1f213b7fefd284675df
SHA1 4cda1c7ff706511665aed6b5134120dd263c430e
SHA256 b192e466c398319ed88763b699c5a46f1b097ff6b6339a840b81a0610a92ce74
SHA512 3fe3c028ba7c4175b515c15d862ed83a9e17886a048f9aaf4de075094d5eca4e2bd89187a35fef8d485ea74374767c29225af0753f42416dfdb8a94fbda5cd85

memory/2176-262-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2396-261-0x0000000000220000-0x00000000002C8000-memory.dmp

memory/1328-271-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYQcAEcU.bat

MD5 6fe10fbe00305520692bb017f8f98e37
SHA1 3bdfb52c22775386ba1a55b16f91617ac3c1c7f5
SHA256 7909b196f2787d014f521145e4aefe3903a1d9a87dfe1f03cd69c8aa9e48706b
SHA512 9725f056271c96d7073aa8def79c7204e15d80debd63a619f30c70845781d6adc959eca9bdfed1ccc2d2c6d8fa980f09f60ef9635a9d37d4da4b50b97d56273c

memory/1636-284-0x00000000002D0000-0x0000000000378000-memory.dmp

memory/2896-287-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1636-286-0x00000000002D0000-0x0000000000378000-memory.dmp

memory/2176-295-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wukcUEQA.bat

MD5 c83b2335e7c3e81a9e90317734d843f5
SHA1 83a4ede2e971e22d90f3cef2e6913dbfdeb7e0c9
SHA256 e9334cc16d11f24d10aebd470af38a8501011cf2f42a37ad9e31b466934931a4
SHA512 7b7093cebd0fc09d58ee17d1761ed48d133a41443ed6a3874874b1aa4a73860c30c25663c97280ef769bb7aff9d1df49ae5c2a216defaca0185e691d0f20bc5a

memory/2608-317-0x0000000002380000-0x0000000002428000-memory.dmp

memory/2920-318-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2608-319-0x0000000002380000-0x0000000002428000-memory.dmp

memory/2896-316-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kcMoYMIU.bat

MD5 728b89a5ce615137dcfa243865ef013d
SHA1 755b29da4dc25a29c1d57f78544e382f4681d552
SHA256 fc985f5c9648912bdd44714a1d95c770fa30f5ec9a5bd99a00b48d1d4b6e6056
SHA512 bea81216e3cbf8c8126c13d67ef837b3cdde802e19850937404f356c5a439dee7ef8d37d66df46fd2956f74f09445ed700c6bbf65e2695c12a44710a03271edf

memory/2920-340-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2020-341-0x0000000000510000-0x00000000005B8000-memory.dmp

memory/2748-343-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2020-342-0x0000000000510000-0x00000000005B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuQoUsUw.bat

MD5 e8acc6fb325c93d899fb85ce3ad54af3
SHA1 1aa6b2216b97e093b4acf16f0ebaef4eb90a5604
SHA256 ec827d37194c14bc2006640aa143b6868e15c3c4118855fefe631a3b97a03503
SHA512 cf0d0ef496bc4bd8ea95481ddaf3d962916c076a8ad03c3940e422a2eff56f8babca18ee5ee3ea3d6ba91b2440cee84c0313f395e97817c75bd883b7e5470803

memory/320-355-0x0000000000410000-0x00000000004B8000-memory.dmp

memory/320-356-0x0000000000410000-0x00000000004B8000-memory.dmp

memory/1436-357-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2748-367-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PEIAkwIQ.bat

MD5 d397abc69c5045a546c5efe44512e726
SHA1 4d4d3e94d4ed05a8dcaa45319bc08bc0af422cdd
SHA256 e0f1d8cb035e393db14b013c25737c76d367c8c238cede5d30b600cad7182a20
SHA512 b61a2138e2872750580d439515ecb0a523cceaf604269cb49912739e521950ec5492dc2373400f57f2a34abe758e682acecbc4c4aa8c4daf134c2f9a160acaca

memory/1436-389-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/880-380-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RWsQUMIw.bat

MD5 809a7b6458b716ed16f23ccc5c0fbf4a
SHA1 b03e3b0e4c084ae120f9fc879504e79c55e1fcea
SHA256 25d069026b9bc04b00c52a28cb2f95d8cdfbe5ce0dc2649fd4579a676f6f09fa
SHA512 d6c3bca3a472abcd2491674d5d23451736b0e0c39e5d8b18d38911ab7157c90ad69e5562a737f296e0306650d461a3aed5e7f80aead7bedc8f9e3097f58e7b59

memory/1144-403-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2728-402-0x00000000022B0000-0x0000000002358000-memory.dmp

memory/880-412-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ruwMAwMM.bat

MD5 13aa90112e1f6f23871bd8fe38c0c456
SHA1 f91c02adb3a99ee3c4be835c6292418d5f42ccad
SHA256 c87e999b21b74ba67ed6cf2bf33d0fccaab8980916105bc5d0316b1e56ed877a
SHA512 1f2a9ce09b4aced0417261e42c1bbc0d68a36b7ef0d4500fdb4ed479db0b860b54aeaeee14b056a8f0fb6ec245e464d38dc594c79ce150d4eda78212949fba63

memory/2732-428-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2648-425-0x0000000000270000-0x0000000000318000-memory.dmp

memory/2648-427-0x0000000000270000-0x0000000000318000-memory.dmp

memory/1144-436-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ukosoMMY.bat

MD5 3fc4038bbee3d972cad06e6d225ff033
SHA1 cec2747a75bab51f5c5847bc2622303438e09e47
SHA256 9ac966bf53d665f395521d567f8d663484327b66b501782938349b2423ab1933
SHA512 40cae175dc6fa7ef57ba2daf567d7bddb70922efa489df5ec4abfdc6690aeda156e5562dfce985227f5942193471e63d1159a9f230b936704edc37924d4c5945

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/1808-465-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2732-474-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kkgu.exe

MD5 87b26a3f0b9e557b4115dbcf1426f46d
SHA1 ec6e4933c3be4584a0e474a97a550212223ce28d
SHA256 4e77830c918b32ed1bd5d259cbb52a2b6d1f0e82cf7edc2d3eeb4e98239af3ca
SHA512 3480f4eea2ce4b80189f246dcdd8ab6bd3219fbce6add810ac82177d9b8ad17a594195541ffb432da8d81bf5ce0301b20d4508ff8c95c8e61e09250b433148a9

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\AuwkwkIQ.bat

MD5 17d7c6b835892421e67c31005af86ef5
SHA1 005b3c3c51da376bf09b8dc95168991823fc1608
SHA256 477a682e9891ae8e379d28418598de38136681ac7b36f9017c4c15a63ce5a106
SHA512 116b923014d937c68647f1d4727bbc4daa654a62450c118498f8787fc59cb8978be5bb85153614b300d9519288a398d8304c32c7a91718799883d82cb2feb009

memory/1620-486-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1808-495-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUQI.exe

MD5 89ce6d2f0df61406a60b96a5642b3fbe
SHA1 6a6e18435a73b392ad7e5158fefd9bd34ab47c0c
SHA256 c558e7db9029e9b3c4247bb3bf21b0cf4b283ae6307db7afb6f074ca2aadc9e6
SHA512 0485c69019be392e5fa1658b6825f9cab9f52e3ba7e9cdc6aec056d1d45984973d9cd108a58ba1b3f21bf2afd68c86d19edd39037e5604cc55f514e308c21396

C:\Users\Admin\AppData\Local\Temp\cmAkAIYM.bat

MD5 e7b8af4385b7f0da9bac8d46d607e63c
SHA1 dea27189b252ca016ce1ef88ae97106be8055402
SHA256 21fbf33f0f992b3130f9e1f5158692490a7e14b7efca0c5df5286f001557e8ca
SHA512 feb013ef02c93a310fc42eff6d8fee63704222d73195b54781e042eda118dc5f33aba809cb990d36b47e732c00931b1830718e3c4f2b5caaad3459569fca5430

C:\Users\Admin\AppData\Local\Temp\oIYA.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\MwgI.exe

MD5 b488c00d7b45d3cd78c01e03a2659a2b
SHA1 fee5949ff12048bec2325964944667c347785784
SHA256 9aaccc6d8c1fa8650141b2861e36c7036a5845f16dc09b78cd25ebc73e9c9bf8
SHA512 19e1a91cc4e79227cc86ecab9049d787803fdb4599628d345700706b7c61e0e68970575f642221eff02e87f520af491efd64f404f8249c5683a563db002404a3

memory/1436-543-0x0000000000490000-0x0000000000538000-memory.dmp

memory/2400-545-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1436-544-0x0000000000490000-0x0000000000538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwIo.exe

MD5 08411e12a72bff07d2b4efd6223dda9e
SHA1 a257f4a434c55a70695580b96f39bbd5124ec1ea
SHA256 3dfca6bc4a7a4aa7673777212dd1a558fafa225d3a2cf874ebbd913225c33ba4
SHA512 ea1a47bb10a079dfb77c71d52b55c7079cccbe630ef17715d6a9bb33919229f363026b627e8172369e1d4c84a2f5e43616636f5e7c9c333f6698073c5da27f55

C:\Users\Admin\AppData\Local\Temp\YckY.exe

MD5 c6b8c74e3b323a8d7448b7528910f998
SHA1 151f18e4a5215b47f66f27be4f1ea4e68ac049fc
SHA256 6ce5ce6aede173310fce0853cf27ab87f108eecad6b92659e2f89cf0d020b91a
SHA512 9f5acfb6f28b15606cfbce02b05edff8adfd5009274eaa0c3ad7716fe3c3d5d4d752191e96d2ccafe6dea4b8296fd67e5f6100f7205495b73dfd0efd48e08150

memory/1620-567-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SkUc.exe

MD5 2d2218c93e07b13761af71c1cb0783ef
SHA1 5455224e34abbf90b198bed35fe6061365f02484
SHA256 362e3623c01e19de51a0aa61b44a533e42424ad9272c3ab15b0317397596385a
SHA512 64182b2abb4adafce779d578116e338264e16527540eaac14bbb32e9954421089c163e3bca03a48b7a45aa123ecce0368449fd56dd1318261618c9309373677b

C:\Users\Admin\AppData\Local\Temp\YCIMskcs.bat

MD5 bf15a938e093bba9cb7ea0ffb1133815
SHA1 081785a0afc3558e6fbb6e6e67ea4842622e96b5
SHA256 fef4bead09b9941d1d88b0e72ac6bcb9d2072aa294a6d6796d47d8eb7f920cb5
SHA512 62fe0c4c331bf4944bc6e7b41ac1001d8ee75e6d5dc1a4698e51d47ac4856adb9550235f09eebfc1ce48f515d25dac739b28976ed60b046f5fb414d3ad69e2eb

C:\Users\Admin\AppData\Local\Temp\uEIc.exe

MD5 f52835925335a8309bcd91aab6911247
SHA1 c2505b494ff2ade057ece8f4dd37dee51a16d6d7
SHA256 6e76a4f9335b2bedc430985712e36cc0b2e25e90300cef33fcbc1f4544116533
SHA512 7b9a816e4d51730a82b20580378176e4e6f0a2b36b3bd00cde4a2fdeec5c359c92b191719ddda590cfb81b770adbad09c7656359fcbdb3d758c68309d90441ee

memory/2176-616-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2304-617-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2400-639-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qkss.exe

MD5 a4cc6bbba10905bdb316643139422163
SHA1 d3b2b3aa5b04c61846ef14d8583a097c7f9c8a84
SHA256 3370cb79742f1d831eb4accb14440044e7328f339809a047a60da411b8b4f5e1
SHA512 f855853331354c9b29126d5511a7c4107b95a71eebd13e55105517d547bc10dea16c69cef69a9935dcbeca47d9b8a8993c9df6f953db6efdad2bc939e5a1db00

C:\Users\Admin\AppData\Local\Temp\iwAg.exe

MD5 b6d05a00cb3f4e56c4ca43ddbdbb7a6d
SHA1 9cd53cdfca6421a0b018dcc5040a1aa96c964ff8
SHA256 8dea1f49ffa5faf4b433f2382a44fe0292b833779d08302e4880126690c77761
SHA512 678383d4ddaf5e27dc23848ad26fc79b2cc03635f1d40b7c10e07f178ec8da8fe86323cb53b322a35b51daee20196d75abea8fa7a1eaaaf6e30564cf86d8f2d9

C:\Users\Admin\AppData\Local\Temp\oQoC.exe

MD5 838c0917b3fe06071bf514f241838d3a
SHA1 093c8cfa8a0853729fda28dd5f20e3e1dab4bb25
SHA256 955f466b4b4fd79b194abc4b9d0fa09c9d97c4d59567504c57de56e6d2f2ac3d
SHA512 6ef84e0ad76e17a12231c5b181b4a864eb7156eeaa4b4694e0ffdea881daa872238cab8ec4d251aace0207c2ce9b215dddda7fe0a7a77e7dde5802144bc426e3

C:\Users\Admin\AppData\Local\Temp\WUQA.exe

MD5 18e2e79dc2068729c736b9741ac72971
SHA1 215f06ffcead601ccc01e41dd44dd484e16234ae
SHA256 d1047881713dc770bfa6bcfad7a868f92f7a6d4259df8b0a821ebdf8b339c9a5
SHA512 41482cccbdf741e8386a418ed509af894c32dcae78bbf91d12df8e95df8db36c41decc0847911f65c4e3009a611d99e1eff1d773cf6dcf6d74c8f00c80af9cae

C:\Users\Admin\AppData\Local\Temp\UgcC.exe

MD5 ebfa67ba495d256ec9df9f9602b28b49
SHA1 6ab0abaf137c24a435c5af6ac08b4a637cd7385c
SHA256 dda057879a85b469970f5918d022a660c38972dfc685e2b56d2a24234f3a234b
SHA512 63dc2d082a973130961c133e1f5d6013c7ce4924832cb1f71b359723adddbf758a63bbc32c81bbdf41252de8e3a6022c30fae5aa5291b3f654b24200ccfc5a9c

C:\Users\Admin\AppData\Local\Temp\eyowAosg.bat

MD5 e5d9d76f0f784b0d67c9454d908cf4c7
SHA1 0ce876c8504eff0a89eed6fae94d3e3aa062856d
SHA256 7c81ccf83cc3291e4d1361a522d27ea16d6e75be89f2f0c2b77a175e65728188
SHA512 b2620f6348b5406edcd401d52cc0c7179f796c6c21165e5f93c0115b5e106e9d01bd4991caf3ecacb2056b25894dcbae5d856ae11471c39f24550e4a6eb9ac0e

C:\Users\Admin\AppData\Local\Temp\YEYU.exe

MD5 2b9f90d72db318964cd3112d93746cfa
SHA1 3f8e282ef34b116e27c749efe3aa407f0376e122
SHA256 9fded62ade0af513636445226ef83a577e9904d66bdcc5cd5342c5e7e803af9a
SHA512 ce175c08c4cce891bb13e6f8fee9a489ab4bf56a14d22cf6f25b3dd8efc90b0bebe5e8d3691c6e6c33e3b6e11eabb49a291ead0d916d67cbb93cd976373c9299

memory/1792-714-0x00000000003B0000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iswk.exe

MD5 bc68ddb8dc7300d1327f38ba3558cdf9
SHA1 61d1307f6663df418691728c5066a9315d9b2f19
SHA256 3a5289f7cf73b782b5e063d493235f162dfdc8bb435f03f09c15963588c84824
SHA512 9de4fb5d230224a533129dd08d040c4d8708e2ab536c75e41a183ce59804ef0d9a9616947e8b1fa58fd50e6490eecd6cbc5130e5956cc4898fec36812bdb6c65

memory/2304-737-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sQYA.exe

MD5 d017ecd4d83f64be1229fe647e372687
SHA1 715b3630f67d35ab34b78695703cabac883a40a0
SHA256 546a75083344ffabc1576451a578f1316b6b34d30c1cd53cb3b5aed3acaa4ef7
SHA512 d7607c70673994b186d635af392ab748c7a0111f1310e6d657c003c1e4825af53f8680c31ddc0ad294010668847d68fdb899d6657d7c955fdebaf539b8fa7251

memory/2800-729-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYcM.exe

MD5 4d60a2078b2a73adc1c488431a31e122
SHA1 9c6172b44560ad5e35622605fe12a8b7e866a586
SHA256 5fbeb9b10a3d2d25cad7ac33c22cfba4add355fee76a64ee65596a6e099b7f63
SHA512 e7b49950759e349d04ae3e9262cbd55b679e16f9e29fda589b66c26ba7a96002461b12d33c3c066921245865f56059b84c147eb0510ab5fb3d111d1285dd3b9d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 8a12539d1e81ff3691cedc115ea80003
SHA1 bd53c6136334bbc5f467223e383f0318d6dda3f1
SHA256 9ede210e7205d6457abc88740cd2e38297fe1e9f45403542e0b9d696aa03a2f7
SHA512 3a0d38f6b403051a00a878949c04ff4ba45c8dc6cf01c2299bbae583676b400701e13eecf1dab6265760484d1650a3e0d87095b3a7d8463d69e8fef35f84063f

C:\Users\Admin\AppData\Local\Temp\hEQYsgAM.bat

MD5 0efff20550ea627ef33cda38daceaa4c
SHA1 d97723ec68fec62360f1836fff4166e7f7ed764d
SHA256 94ed573d7003024af2c43e72b38b505427fb38bc442b9e60b50e938ae0085afc
SHA512 d9705a4b8b905e8e9e8aee11d4b72c9b47d996a426db31e0334952220598a4d1c4afa2a218f5715bd0b923c5cf52c71ca6d93af49c9ed7b69b5409815371a63a

C:\Users\Admin\AppData\Local\Temp\WAUG.exe

MD5 6c3f57c1efb169d2f917a7eef9467405
SHA1 d0013003e59822475647af1ba03361d22d719959
SHA256 567765ffc64577ead74d6e1911673411013ebdf46dac8cc36ac5cef78ed83f9e
SHA512 1259c71d5a04ba32ea37b29859116fd187638b27a5e5299b110817f7e3aca0b6d7fd8f437192201d0c6d3436e3f28a0c3a5498514982be81e3456015c2f3c170

C:\Users\Admin\AppData\Local\Temp\agQE.exe

MD5 f6eb75f81599e314e301cb30d1e4521c
SHA1 9b1392bb08236cf77c050d81140061e08b1be202
SHA256 c3f126ce20a80ef5c9ed5eab6851c5fff9fea1d410519af6ab84b87eec12790c
SHA512 e1bacabbc0384d513b15f84b04b3ae0b19405c81fb205d63637d470aac4be7e4906804369613e9ed6622dc7bf02255b98c9820cb50f573dcfa9d83ec5ce5a741

memory/2800-820-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\akUI.exe

MD5 ea829fa9e62bf708e22c29f4ef9d05c8
SHA1 81d7d81ea72955c488743d0e65eace6985d8253f
SHA256 397698e4188e82abfeef3d91625e0a05742b6223bea684e8d6f3e04b5dfb24a8
SHA512 f8fea51b4c4bc67238fe8a19d2e7eb6ecb066abf1f83e610b3bd84f52a9b6fa7a8ea488dfd941c279b9cfa206746f8405d8170adf91c8e12048c49e3729af888

C:\Users\Admin\AppData\Local\Temp\EAYQ.exe

MD5 bd54b3364afe8412a32571b6abc2dfa4
SHA1 91f7594836acd5dbc6414e3a9f3d5a989f1bde13
SHA256 34f6b30f4ae63d87252230b5f83474e7890db720dc2c2ef62f21de2ce2b3105a
SHA512 4d1d13cd767c1636cbb3091ae0f0e7e8a9c85f2dded97d446a1ec64408fa82645318ced7dc1ce6afa620bd3eefd4d452b81f4d97003aaf182e62e500caf4c234

C:\Users\Admin\AppData\Local\Temp\gsUi.exe

MD5 fc3ea27db9101f5fcbfb6e5edf8e03ca
SHA1 da727ad8d66711610853201135288c17b22afa3e
SHA256 daeb12b1d50476441539c20cd5a7b8eca44508d7aba082749515f5d2449d7a3e
SHA512 470f024b47fb88ea95131e95e9dea17ef4dbfefb87609a9c41d6088173b2ee3135a0c45da03dc67a619d27618ee477d3b1ab1940f82a87ebb58cd695e25e6afa

C:\Users\Admin\AppData\Local\Temp\YYsM.exe

MD5 362764da0661a238ced2d02ce179f179
SHA1 25e1e49098f19644eefb1415b142f90b0bdcc9cd
SHA256 374b94f2a68f88ec82a6b0c8ed4c574e3c0b816ef08321f6ecb7ee7db3829c84
SHA512 b29a16bd2c8908c7f0d1e8d1893de1430bc7e85061b7b025a6b19b4b580383b795dabb0f058208f2f61220e78fa351982a90ab91dc54510d785659387bdaad1e

C:\Users\Admin\AppData\Local\Temp\IEgG.exe

MD5 bfedd4e568030ade8570439ecd4af9c2
SHA1 7d1b2e347c2c34914e84e7d0b5e4f4739c4640bd
SHA256 005c71cb5718748d3480635da07be636fb25375870875ba5e77b4aa48f55477a
SHA512 1bcaa7acb8ce9fd2cd389f8bcc71414bddf7b1cc355f46dedd4f8b84eaa7c8a9fcb814cb65782eeb7e8dc8681ae8aa8dece0a66ba2b46b5e6412a4d49df80048

C:\Users\Admin\AppData\Local\Temp\YwAo.exe

MD5 0ad5662a21e7b829342c0075d71c6434
SHA1 ac3b9c68ccf96724d26dc9b208c9abd2204089b3
SHA256 f6354e6fd7c19db9ba5fa9d2cf594f975693890ac82e82ee889908a37ddd2c1f
SHA512 423f0aa24de8daa9fd8944496e075dd07546121c7f01c31ab9eb68a536d7d28e93cb084d495a1f48b6dbc4e0bfe1975ef36803b24aa4699265b0e74e64ebc8c5

C:\Users\Admin\AppData\Local\Temp\dQwIocgk.bat

MD5 36de6ad8f0011d07b767e2d27445aa0d
SHA1 97ef09c0227123834c0260116ff8b3f0e05d1661
SHA256 5a5f7756ea9db97d06be822bd63d1c294fd274a3a5f88bc70d68c3f65df5fc36
SHA512 e57da02d7ebe8eb17e4d064f4445eea1ec7ef96778b2e07d0cff50edb03202914c2c992a821eaf352b087761538c4f1274da5894abcbd00e8641823d864c90a1

C:\Users\Admin\AppData\Local\Temp\qIMk.exe

MD5 dcc0bebdef1cb2fc9930e6ad2f6b37fe
SHA1 791ac51690b85ff91be7ad8842838e4f1cb99be8
SHA256 f4d500ff0adf1394aeb33fde3a2de4cbcce18e23b9dae4d22124e7e70abb39c3
SHA512 56276cac6a0cf7c3ac3f79c59ff78fa8f69d49390f3a58d264a0e5f1ba83575fa3169f6eda48723c92fa76707ef850eb91ea97aca684481065d66aa2f6cdcc71

memory/2744-921-0x0000000002380000-0x0000000002428000-memory.dmp

memory/2608-922-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\goYW.exe

MD5 c8a47ab68b2ee7ae2f968c2bb9a466b4
SHA1 55a0235791ac0fad37d830be76baf3b793d31f04
SHA256 90c91e827c6bbff0627c808e7df606d67ddc3bc65060494c5d3c36b3b2f3731e
SHA512 348dcc52966a6507e2328df350c615f8abc72df278b46d12fcd04e8a52b24eb936805aa3ec9d8753c37894ef5c89e44600663c4fb5d96fb510fedec99a7d4aa4

memory/2080-931-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ksAg.exe

MD5 45866893c12f347deeb323d4dd2219bc
SHA1 b23d63479d0af6d2cb3f5ac1ccf0a393105b8eb8
SHA256 ae5de11d5df6b18ce870c70a86ffef6669a5ee8bb23b10e7b7aa3eeb0701647a
SHA512 40cfa656a7346f2ef91f9e282ae9a4967554d0c38765826ec38171103e6605b9153201bfe0815df8b3086af9c88757e47e9f309d5a0b70135d68df6b85331d4f

C:\Users\Admin\AppData\Local\Temp\SUsm.exe

MD5 6c57388af5657b02c14f832c1bb48e11
SHA1 34489cc8dba9f33d2727d7dea343fcc8906d7b6a
SHA256 c698a3addd2a536f0177d58c23b38a5182ef4c094aef85fefc1b24dfcd46ef17
SHA512 c9ae9bb482b5b738bfad6003131f77d538b721422bcec2323abf86778f715dafa4d16c6c8ce62d1504098b47c104d617de649221416eb01ed0729cbce4d34b05

C:\Users\Admin\AppData\Local\Temp\WUMM.exe

MD5 185a43222f47e50f2368ec9b974a60e0
SHA1 ba3f02714b80e411b5e52d9e46f974884705758c
SHA256 fa6c48d94e3a3715bfe689e36adc95cbf997e5ced005ddad86769b0f8e5adee5
SHA512 bed5d8058fceb6b2ad3c6ac6f8fe1fd56fa185ec00a1c74487263869d1d50f6f19cd6ab0b51aebeaf498329b54f6cde6ac65b9c07ae8f3f38e2489a4cb78d710

C:\Users\Admin\AppData\Local\Temp\KMoa.exe

MD5 74a0dc39645b4df75451ec348cacf89e
SHA1 2b57626f655d6e5b943ff477b82787114cf796d1
SHA256 8b3d8a24a9ecfcba7fc39954b8553475d902a37894815c10c8cbe63c8b9904d5
SHA512 04d5fdaa42f3c3c7fe37431a68efbc88a70b3485ee0c9a68bbc0463dc164f78a5816afc78cd3b3746bda3ae4c80d06012781d9b43a1373f15eeea2149c051d2a

C:\Users\Admin\AppData\Local\Temp\rWoMMAYI.bat

MD5 59e36ec4e5ce622421e4b2d09fed5526
SHA1 96e0dac861339bd9284d236dc7038b83336aec18
SHA256 9f7526916dfd4ff5b650ed89f1aa7ad4f2eabe7153111f92b654c2c8bec56e57
SHA512 db91358cafa7e814ef64623d8601356c817a713f64faa9d5220984e896afbfd9f4ac3b7d48518d0bb8b7569b53c82b1d2ec9838d811f96b50621596bf19a168e

memory/2272-1006-0x0000000002340000-0x00000000023E8000-memory.dmp

memory/1224-1020-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okwC.exe

MD5 6475cd01ef532e68aba5e67e90525dab
SHA1 5e6396c5f5a95ddab0a3f3ddd419734b010b6924
SHA256 9abd320c01edb4f6a2b896a6bbbe7552f7f9ab725db59151cd1a7b52d09d31c7
SHA512 3e0f3b814552a098641921e7db55e6e50a00c3aebeea0b13f0a3299ad685a927d6d341573203116c36478a84b599d1f83d82f60b8912fa6e26ca6a3b08a1bd03

C:\Users\Admin\AppData\Local\Temp\AoEs.exe

MD5 a887995d7a7b79e26053cd339746954f
SHA1 b3e8c494f76498005f6e92bf065b3c93445fa75c
SHA256 5a8be87b37c637d57332ba807ecc4702fb5b43931cfbb23abbc56f902aad0dd9
SHA512 bca36380ee1e44997bcc1368e107cf1a5106e05327d6758eac4cb171ec9e7c7336d13fe62c1a9426da6943c86275c763d3159b8d8273fd19bc3fb9fa89038e6b

memory/2608-1042-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoIK.exe

MD5 f51f0042ee82fed4c0140f2f00f976a4
SHA1 dcf2d6b480a3970a9c09050add32223331ae8cbd
SHA256 08a7f4d0672a14e4b543dcff39ce8e471f49eb6b53dc4f9e06b396d995f14cec
SHA512 9ec1641cd3c52252a6d0721a36814f606df14ab2b603825619c761879454c70832f7bd42db4772b73124cabdc81df5314dde541bb6c32892698eaa61dec65657

C:\Users\Admin\AppData\Local\Temp\IQQc.exe

MD5 1e0e5d6ea91784846ee4fd8b028676a1
SHA1 b3bdf5f60045da48f94b5e2039d0cbcc34a44e66
SHA256 2d2d3c7e57e09f8118f944ce175646533558172075371a45e367bb646c3e6d0f
SHA512 867d070894176b40ee70803676a3f8b6d58cec482ded1525707b34afc1dd1c71f604c921a14a2eca9b49e41fd4e7e95783fde08fbed310ec594922fb81d38e1b

C:\Users\Admin\AppData\Local\Temp\CYsa.exe

MD5 c4590f00f1350faebc144577251d0dc3
SHA1 5ce8f178947b9d451379d8fbaace1bcc6db2d14f
SHA256 4ae624906ef3354431dbcdf0ce472d1d3445c4d64ce3eea47ce89f53f600549c
SHA512 77c768caf306253b0f044c737b470b423e41c1f942b2cee0b0b228c7d3453bd29686a5c153bfdf8334f0655dbfabe24749c67be3b407283429e988471fa1b278

C:\Users\Admin\AppData\Local\Temp\dQQkoAAE.bat

MD5 4813b768af405fcd30e15b0dfaedf919
SHA1 13068d8c0d636fc93aa1cc6627fe60fea8d91bac
SHA256 37e05848cb88320d31f4bd6670dd334f26ba52d88c3d3b07e99917251804efc1
SHA512 70b4f9b0dfefa8a7ecf0f6d553e47af5f046f1094a9439cdbc6a533e290a4e748220c82c250ec6f8627659e80f5aab1cd3b557160ab44e968b2a072f0537e6e9

memory/2424-1092-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1892-1091-0x0000000000590000-0x0000000000638000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YkwA.exe

MD5 2d626e873bf94f25ad1035afbb886aa4
SHA1 18021a9a48a82469ee3918c4e91232d0269c4aa8
SHA256 cdc928c1fd85aecddecc9286fcfd0ffce8b7758c2011ce39bb9d1c98b6c34b53
SHA512 6beb85cad2258e31184c8588607d727c1f1eb4ba361aca906487d025b90dea1d873c263110147a6773a5c8ca6e514fe7d6f7bd61486000ed53853066d0d08259

memory/1224-1114-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 ab31c6ff081ea20551503ece796f8e8a
SHA1 e96d6b50fa0c49d67e0aa063f7b196c6a866ebef
SHA256 8d91ec5085423083de22577680ef247c809879a141dde29c6a1d29ddc3fd0ff4
SHA512 e5c95d3d7cb54e2a9b18f3b84f143c2d1206713cc3b3d9a2763742755e7b3a005ee01186a0f446df6382265bb9537247e91e4b2c77205995079d016cf230ecc9

C:\Users\Admin\AppData\Local\Temp\IYMAYkUU.bat

MD5 902d2c8ebc60724c47ab116cc2915981
SHA1 9862c05ac1315dba47af6de0e091571ac91a6d02
SHA256 fffd8292f3b31eecd866aa958b3613cb6e2b217ae0c9890b979e0c1f4e1595b8
SHA512 7befc0ab796ec8b1ea253be36ca3fbca9fb8c5b978bb1ca1f38656f8051b3c69b94f64ba5004f8d25497d49a107f93f8d89ca2e3ba9a81afe783600ef8190e8d

C:\Users\Admin\AppData\Local\Temp\SQoI.exe

MD5 a6f4cf6e4073a1858b0baf5ead117bb6
SHA1 7cad891a7bcb4e123f4d0bb3e8d1a3866bca5fee
SHA256 fccb20ee918641f0b1faa4090921ff44e710e7c8433006001d91e2387a3c549b
SHA512 b9ca420ca9bec260ff7da0317c9c867c1ac416a2200009fabc3b6ec419b48b9fc8bd1fb1936df624914ee7e7c6077f4719d96aa9383e0f3752fd3511fbaa3e61

C:\Users\Admin\AppData\Local\Temp\UwAq.exe

MD5 d07d1b1eb2b6873a572b9e6cfdcb1d84
SHA1 2e0a7cf42d9fcd594929125bbdd62c6163aa729a
SHA256 b56a47fceafd43cbff11c3f6473b707905da4df62821f2afb4921ca845ec115e
SHA512 3f8999134170b36817c79b64ea3d22a910f14c68b351612cbd575e922b2881e4dc9c4020b850946683b8b6df393d7961720564eb332a0127be6c9a9187d8dee1

memory/3064-1151-0x0000000002330000-0x00000000023D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QUMo.exe

MD5 56c548d56d812fe8df330ef6fb980536
SHA1 77081f82a6d4f140e38a8625e576728ce46753ac
SHA256 2b05e9013d07bce454e3f3c80c557e2b108f96f6ba858c3f8f70abd8291eefe7
SHA512 4520e8e3f86f3a35a26fb64a929cd381221d6b55c7b99c0c36ef720e94e0ac833c3c5696a320562d9201e5bd81324844972b60e9801d9adedec96f89db81ff4e

memory/2424-1185-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Owcu.exe

MD5 0320fe349b9ba0726e6d5674b15d2483
SHA1 d1704279efd722193c7b9a025e3df621c2dc2cc7
SHA256 92957133de8a9f4de166957657df87d6d771e81901a8eb02ad2c9c91a5d4e064
SHA512 7bcdaf3ba8cba44e3084cd8f548049d8147f4fd90d33602f95c2ad572cb8979ce0671789ada04318016b1cc03c6a5f81f3537c353a8d54788c244bb1baf90938

C:\Users\Admin\AppData\Local\Temp\IYoo.exe

MD5 3f343796df2dc70658f78f50c2a58d6a
SHA1 bea7d11ce145e95fca7f4c9e7d645ae46d49ae35
SHA256 21148e9d384633e4611dc96159724b2a156a53f4889d92fe1314f350c6531a72
SHA512 359cfc8125106f60938ce1fbc9b9cdd41c534c1be5771d2573f09e6c84b93e5613b6a733d73111ade79c71279d4c488d90577c666ef2ceecac083e1b36f5fdd5

C:\Users\Admin\AppData\Local\Temp\ukEi.exe

MD5 640ac632967cf76b0d85080f7b874384
SHA1 c6a96f562decd5ad07a5c4d79ee0ec3e00695f59
SHA256 7c229bf315b0074a88d89994a70bfcfa8377b78c89365258f8f1db489b4f31e8
SHA512 293a5e12fb50b70023ce97aa12582e7cb975fa7582d23ab424a45b003bdb06f2d372d094df97a452ebfdeed1dc41bbba709f8426ce1e48f68c1b54bbad3e9a24

C:\Users\Admin\AppData\Local\Temp\UYMEwUMc.bat

MD5 470f1f3777b4671dac2ba38745fcf6ef
SHA1 663ec5ed771db01cbababb95fbeaa4df7ea9432b
SHA256 337db9316e8824f8199e8489091848d0d25f4497ac345d7f24203c0d956f389e
SHA512 97e1aff87135ea19f28649dd2da1ac14fd0d356e466aa59255bd10555263bde721af0699478a398d7590593fc7126a4c2b9e6fd5eb6997e1fd4ce44590d5bac7

memory/860-1249-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2568-1248-0x0000000000190000-0x0000000000238000-memory.dmp

memory/2568-1247-0x0000000000190000-0x0000000000238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Aogi.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/2604-1271-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UyAQUUgU.bat

MD5 3a56aba0b371ec5efbf21da19b8f78e1
SHA1 d30051c4d87c9f32df6c694eca0ee94e4c356f84
SHA256 ed5bae71227d2d792d595d0c157a1484aadf33f847d5240c0327d25e81b75d42
SHA512 1ee2d70211b361678da4bc256d6bd2fa8a15bda64acf1ad1eff21a63da72ff57419914776c681d8341c42ad5904eb1e47494a8726cae6fbfa95b5dd32bb7edd5

C:\Users\Admin\AppData\Local\Temp\wYIs.exe

MD5 795b9acf00ec954d1955b001c6cb2356
SHA1 1feaeea15d1740fc5b0d7533cf1f41fc950506a2
SHA256 205560b5fac3c90a1d489dead526ef59dc42cb138c65592ea3612a248daef5f5
SHA512 4c5ecc90ef08164b4ac07953e2b724d5473194536a078c68aea30c7c74803e4354ba28318f506ebc27c50111e3dbd7223d6438828ec98f896fd36b3dfc8693e5

memory/2064-1281-0x0000000002320000-0x00000000023C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ekom.exe

MD5 ce0225283c7193e1806ae0ed35872703
SHA1 7e32657a44228805b29db7df16a1c72da0f31f40
SHA256 590dfe8d6ea274f291e986ce700de9a383363d24b937c837aa1ff2e839cdd3ba
SHA512 029f1f7d86d93e3b0f9fd3fb054d21d5c9417b6914409cadb003cc5cd5f53dfc481a61c5d7b54b677e2671d26209e90a18b90fc2029fe88a80943c273f1bad99

C:\Users\Admin\AppData\Local\Temp\egMi.exe

MD5 978fe7ab9b9197ced08fe14e37e1d7d5
SHA1 01842c999cfd7c200b60c478394ed24abbc01c75
SHA256 e5669356794b5dab0dba9f31eba72cc6cc56f68823b57ff83e8da54c6de18f6d
SHA512 c1e01da7569c45276ecabd33a16573d5399041c36602fcccce905c552ae3c91bb29d2371048eb4dafbe9200bb72dd4f3290051b877006b9070285e52b043fe17

C:\Users\Admin\AppData\Local\Temp\IGowoAoc.bat

MD5 485f45fee04e21522deb0ab969b4b24a
SHA1 cb9d1aa034b209ad8f85703222cee58c83e338f0
SHA256 bc7a971c76ecae2ad3015739c75c6dcafc8561f4dc3cb950cf007e8f57f8e7e0
SHA512 a02e228733f8f2f72ab8a20a1952f89ed65ea87db59b1478d06fe1aa1db628a732930ece8f64fa4e126a8621de0506bf1bd2eb6c5ffb7a25e34506a6879b1fd6

C:\Users\Admin\AppData\Local\Temp\sIEU.exe

MD5 c8f6b16b87a497b559d6189624ca8c05
SHA1 4e74c4cc86f1057d082f3dadb62e6dfa30cf1a97
SHA256 405940c2c059c747abeb773f6868759057a5794a303711c93df9ce81a4a87c5c
SHA512 94853c42717975dc8c1e6c7a44931623350a60acc42ae12f4ba68b58c9899b2ce3d5841778e657bd377fc559c74f1ed2e18b05a9983a18e010b52d63833864d4

C:\Users\Admin\AppData\Local\Temp\yoQi.exe

MD5 f01d2aed2fa4f162c4803ac90867b77e
SHA1 0d2ff39b067125cda0debe81b717ea1a62551160
SHA256 ed625ad24bfe16e961a688fca0cc828e3323736ff6c8c07ab9e52bd9e5c4ee0a
SHA512 974bb5ce7aba40900fcd5d44ae16da04d2a6015c31eb5981deb3b23b25bf18587940b644f40b33ea9f5967ea7c367bb7294930dbd718523e72c4b82d4290c350

C:\Users\Admin\AppData\Roaming\ExportConvertTo.exe

MD5 b0e74b30a1c62d44295bc62da64e3651
SHA1 fd2eb850af64d453beb7cded6a92fcb51fe68aeb
SHA256 2ccd1dd44343416b81509b3df210a28c0e5373f6dc3070a8165b6af499071044
SHA512 397d02604331da457da8c42ea159997d0fe56a30d6e51e40abc33abc0a69335c8799a3c4312e3ca73d142a34a2b110abeb31965b639ddc32bc5faa8edc5bc522

C:\Users\Admin\AppData\Local\Temp\Sosk.exe

MD5 b81726a5d72d10674dd5ce80badf0b80
SHA1 d30833b51fea927b7cc5bafa6967c01166e40b07
SHA256 b10ee67c6040b8451242d02e490a17c98fb6b7825736eee0bd0657ed3280c589
SHA512 c5686bb1772e68af0deb0b70421b8685bfc0f0e606baac34a22cebd4971dd1f3d1dfc7f94fff8585cde62afffbeea9a533aad605e6ff0deb95bdf703a6f458a0

C:\Users\Admin\AppData\Local\Temp\csIK.exe

MD5 3061f3a88857cc7789ceb347faf52ec3
SHA1 f31cccb86d0682f0e4e1d7b5babfe01eff9e2d6d
SHA256 aa2921f6020975b0866b3a0dce123dc7923fdb9690d397682ee51b7270cb5433
SHA512 f5612db3c6c4556b9901acc8cf6a4982cdda402ca7dc1298cd8017faf9d45306070fef619df8bb8cc3d7079afd517fae7fe92011295aa1ad38071cb72c8290e5

C:\Users\Admin\AppData\Local\Temp\WCsAcQQU.bat

MD5 4903078b8fe7693dad001e96965cf2b2
SHA1 1708bc4677715bde518cb2d604bce1c2b855eb94
SHA256 0729460b79f1b36d76bae2552c70d742e0c72178e655d0b69de0038c43595f03
SHA512 89da79421ed787a148c61a82aeb58654abab15b943a5c074eee67918ae875d76cfe7a180de7340db30f541ea11ddaf16594b21823c17972d090884c0b64b6059

C:\Users\Admin\AppData\Local\Temp\QcEA.exe

MD5 719d346778948277f0170c46fc27323b
SHA1 d14ec2a182d78493bc1419341560f9134f9c69bf
SHA256 26cbe866011d21bc8f78509e6db32bec64ed2170e5d8bce6c66ee3fe48e574bf
SHA512 4cc35d3ffddda513fce2db951f992a6ce4347fab3ea74009e2d0e2272b2e0e20d6fe17f8a5007ddc74e3fca124e82249de67df4674a32eff9aaca10a3688cb63

C:\Users\Admin\AppData\Local\Temp\AMQo.exe

MD5 eb69832429f8f83c98d39b6c17d266d1
SHA1 680a37ab6b64c52f6cfbedb6859b9b5ff30c9e20
SHA256 a3be11ef142bffa8c3ca0cc30fd331f7153cf72eb5dd5e13f0e55a15fc6da3f8
SHA512 528076f2f159bd2c9be21b5e8715ca34f3514d130c57496bd831ff40250fb84aa9caf7e8c61ff49cc4800ad4509bb4f498576bbc6bf872b29fab820bd3f03b46

C:\Users\Admin\AppData\Local\Temp\qoEi.exe

MD5 ae9650604e9fbc98a3655be3a256e476
SHA1 715d68c76d77897461d54129c690a9fe59959e1e
SHA256 768e61ebe2f827c81ab5caeb643ec9ffc873cf8a65906056a77faf3aa55921f5
SHA512 50576d1402302fee1804efa0f1c0a8d65a56e59c939233a49085ebd7f1bd89d68054435cc28e76b5097b0b09e5f363d830bd0e7d5dede46357d4fb3655fe5bf1

C:\Users\Admin\AppData\Local\Temp\EwEM.exe

MD5 db274575d000b91ee530fe948dd27d9e
SHA1 5ceacec8e7df67bcf6e4ba5d1cc5d95cf7f0a898
SHA256 dd9a040e7f65acd6cc43444805b478081bcc7394e8b4f8b564f1ab70ab518140
SHA512 cf4391ebd8c2ca2d1b7df33a24c20aa0d9a6fffafe3bcf45edbe6f026d5be1024c67e853f73a7ff017694a86806201ef4e7bfc0e31545034b1639a3601531875

C:\Users\Admin\AppData\Local\Temp\QAkE.exe

MD5 fc64b316b429ce3546821de104e745e4
SHA1 628365465bc59bb4d45a7af78cf8d40bc25d2fef
SHA256 2e1fe9bbfd707e0d43c1fe684f81603e502421dc6a744ed5c5708f1eb9139fea
SHA512 2ec79bfa9563d9107a0967e2e137901cf0d32bfedc53df8a6c796540065f66afc7def524ae55018fbf154cbc58b4b0a697d8fb9eec634d866d2d878435205436

C:\Users\Admin\AppData\Local\Temp\cMYk.exe

MD5 3c59321041f9002adf3b1bb3719e41cb
SHA1 2161248d7d4a398cd6bdb1b70c10f5f1cd92d6e1
SHA256 c1c97486382665ae7aaffea8e4582303402d032e3dc4579dfa0f6aa0eeda2241
SHA512 8588861b48c9e70835199319335491c06e2f09699c0a3e3dc20dbfc00a4c71d4e588a5227e14ab4e5baca13d7905f41c7008b5203463c323d13f68531d02838a

C:\Users\Admin\AppData\Local\Temp\XWoMsskw.bat

MD5 74125d2a357e5ed93a5f7bed859ee096
SHA1 e205abec75aa1c0c4c71aaea9fdb50bd44523ecd
SHA256 f679ea03f5c2516e3ac3795fb0f60a27313d44b4feb993151b8b5d2e22490eb4
SHA512 3fd7d03ef4d72d33e36fb2839da72e620d89d4bf6f639444d026d181d0611abb2e09ad4be12775638fe324b960d720f0a0924eb94ed1ec9316ace38630907fb3

C:\Users\Admin\AppData\Local\Temp\QoIG.exe

MD5 aba9536392ddf0f476154c17a8c74c0a
SHA1 1cdfd6cb19a5c940327d81771f8810a1df6af262
SHA256 6a598e8cddd8a2de4638257168bdb348008be296e037d254d9a1df6073010b73
SHA512 f32989f072c4188465bbb0e5126e5c8e5777c2e021815141176c43ebc1e0dcc716e858d80b2b8532af80bfd2260f0e23d26176f5946a9c977ed079cc9eca3e45

C:\Users\Admin\AppData\Local\Temp\Eccs.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\WYoO.exe

MD5 96fcb0abc4c3442ecb2448821156bc6e
SHA1 edf62718d868fa00ecc3e3847aa4ca4e531630a3
SHA256 9d976c0972d3d907c0201af986be0abb821216f686965029d6e6d7d9d931c8a1
SHA512 d39515fc7f26080ac9c3b7b5d2ae674ac872d2bfaf6c77f0e07da7bbf7d6e685f082f09a09ca364585d6927b5d52f09d0322569a2931de3fd3757104bca77505

C:\Users\Admin\Pictures\InvokeUnpublish.png.exe

MD5 f5e6116d65d9b928a3d6450cec373b9a
SHA1 8b8c37231e822d3ae3a15ae0837dc26db9964bc7
SHA256 210780867ca76a4dd7b2b774f3ebd24ec65ad8d5545703f4306632f8c9a35f52
SHA512 eea1ab20f7874be7a96512e86437f1a5011911f7886b302f9b3d96919fcccdb3455e110df93d24dacbb6fbaca6677df53401bfd3390b4523cba5850253b0bd5b

C:\Users\Admin\AppData\Local\Temp\MYkg.exe

MD5 88209f9dc8d9c9fcd3fd3193a6990778
SHA1 44d2da83d2f7c682fdb8fbeac95b8f339e9c0630
SHA256 9d3fe4b0258a810362963afcd7bf23e3269bc53df2e98d081ad419fa8bb75889
SHA512 fb3cd75f6b0233f829affb23ceb968dac36d842bce7bca3abd4e9da2e5e3d46a40eece44eea6314173a931ce1006e036ad5ab52811226ce3fa616e522d71fea6

C:\Users\Admin\AppData\Local\Temp\QYMQ.exe

MD5 a061ce5458a486d16b6a1844c5612965
SHA1 9316c013172fe7f8d310599e1bedf6ab4d16e8af
SHA256 1cf2b0a1ee21332a7163aa68ac8ab30a871aed8a0949d16186020b03c23619ab
SHA512 92776c8a17690534364d596ca0d18eebb13a22d88c9d25f39f5b2ed5ffd31b34a7f1713855bf81a61c66f29b48b4365e1e49e53b89054cdd8de3d9e1756fa9b3

C:\Users\Admin\AppData\Local\Temp\YAwM.exe

MD5 a72c41b6dbd2da49545b000e5223b042
SHA1 3ef5833b68192808aecde58f89bd3bd91d4f27ae
SHA256 2e2953d86399b40d7d4935e0c50f6fb68a43c087a7ec4b25416f1cd9b1dfce53
SHA512 5624dab7c5820e0fc8fa840f13817c2ce0d1541831272ed6de81d0822400fbe12581a485a80e5ecadcdc49122dc1f4e5573a62cf9f750cce5e29c4c0a4657b03

C:\Users\Admin\AppData\Local\Temp\luokcAwQ.bat

MD5 e642ab31d5104a462ea83d3bc4c36be5
SHA1 c604939dad07f20e37000794b579983606f6489b
SHA256 87dad90e40f661179752db65e077bb04d6849caa1a7a5e58d57ac986e46f648f
SHA512 6cd1c828af1f5291044efefe7d36dfbcfae4038e42938c8a7d26343f046f5d029166c8f3f75b353861609273a370de2f73f078003ee23bf89ce547ec4c26d046

C:\Users\Admin\AppData\Local\Temp\uYgu.exe

MD5 4a8187d5d39c16f50d8c956596ce9497
SHA1 f9700b407851947b003d9758e8febce197651290
SHA256 52e1e3f6a04db291b7721793278b9a9cdcc1ea04bef095ca63a865dd8e1aff4a
SHA512 51b1e1280e35d628696377ed75b5e04019aa01fb9411470e4021e04bb3df1e11c5af4874363f81b2942fca29c9d7ea776a2b5f1925ba5e0d4b8d702ab16dadee

C:\Users\Admin\AppData\Local\Temp\swQk.exe

MD5 af7071b40d5b5bbefdeb8c11ba2f731b
SHA1 c7c371276f9b029155b1281b67f5b4b89f71a79b
SHA256 e92e1b235acc64cb538fe12be242741221c1797b9f84a678c25686127b59bae4
SHA512 29ebf4f1f34ca59c674629c145e0d8af5a538b09477f17dc66deef1cc8f089cb8c52248193b900a37a5367094d67948528dd8e9c68830ae74c560369652fe2bf

C:\Users\Admin\AppData\Local\Temp\haQAEsEA.bat

MD5 e0f82a974aba209cf5375d988b13a57e
SHA1 e9cc9cf85671c16cb6d6eeb1bebd55a8861b099b
SHA256 5cb88f13ab3435891f98742297894e05beb0b4b3cc6ab7e3583f8d3409097003
SHA512 5716448ee701b2dd312aee7619b94e9316e7e049d121a21b1bbf21d77609fc3e0a728ae8d3de287599a878dea012e24026166bccd63c97ae5a0056a9f7a1cd90

C:\Users\Admin\AppData\Local\Temp\qIcq.exe

MD5 3fdc942d2d934adebeef754202d9894e
SHA1 47868775297efd92fbfd08e3a16cf8055c3c4405
SHA256 68fff03587896090553563d79472b08e6af4bbb42c6f16d939f251b7928e5f16
SHA512 db59bea4c047c978c50e0de27eafb391400e2c0127039ad26a34b549ac2da8d270673aadcf81207b32b25c4b5c4f24008fd9f7f605a36b9b22ebb63607aa49bb

C:\Users\Admin\AppData\Local\Temp\GUYo.exe

MD5 c5f7aee1d4a08b4535ff020cea787a27
SHA1 7cf2cbcfe1f98140ca73b4dc006275ee2d5f23a4
SHA256 fcf95f3756242dae4247137d90bc674db6186ef08f04cead7bed1d38543ade89
SHA512 d97a547cf3ea24518c1d9a1d866ed195761b38f460e92f51f3737a2bdf3a5758de515d66df3dd03947f7d5135e6f095944ecbfd473993dea783548010bd04a0b

C:\Users\Admin\AppData\Local\Temp\Ikce.exe

MD5 4dff9b04e762f4c0b020acedfb2b52d4
SHA1 48420b9801cc839d727521a699ffccd023555bc6
SHA256 e7af62e7f79f2a21a89f4bd084bdf1f7578cac2c746d377fd665b2010a0eddd0
SHA512 63ccb35140bff6e75f4ec2f87c8fabe70155eb84859eb8aacf5e43298259d7c60ac95a1f89fe09890a931a49400ec0f9dbe48099f49daa775e9b4d2ac843af1a

C:\Users\Admin\AppData\Local\Temp\IUga.exe

MD5 8906dc117fa3c9947703306561f16c2a
SHA1 2042cd9e5a6203d36d26a768c8fd4729061eebcf
SHA256 2b4d35a33028bba20585b2b04e15a6931f9de0f4df55210e483de4873aa7ecce
SHA512 ed111cfdecd77e7e6522db272e0f90a5723dbf5d8f3d8798c6b5bd760811249a949fd37ca0ac4f5a4bc9f855bc08cb403eadc53b8d28832d52f0a3a8f13c353f

C:\Users\Admin\AppData\Local\Temp\fcwYUYMc.bat

MD5 c3a2466b395288bc75c47bd9d095936b
SHA1 ab28518b24ae99f9642274e5a935af2232783416
SHA256 23b45e609178c0172c04e778a0d6d52593188b6513a8b3ec3a0a02eceea6fb5b
SHA512 43e17bc713f320683d9802101949d7dfcd1bc223a6ad5bbabd3a8b24f1c94039d992cfddc8cacdd8102c1429668091db628f672a84b1356a8a7203068b0571bb

C:\Users\Admin\AppData\Local\Temp\wYAQ.exe

MD5 1118ca1d459ac651ab03d1097e29da96
SHA1 5bed6bf5aee3a850227bdca71a9a33fd762dcc5f
SHA256 fa7b2f4c8a284ab634c36b5b48baf7585d8e4c05d525b28cd9ea2cb1d7fabe3e
SHA512 198c883b54222c9f68bfd8e56f0464f0cd3449ce3b0647c61867be4245a4191a8204d6508696d8ddc1b3ecdf7d44818fc6becb1fcaf4f970edb22a28d5f0c696

C:\Users\Admin\AppData\Local\Temp\mUQA.exe

MD5 81543f082344abf560fbd891598c08e5
SHA1 cb730d2a846a36029b0c7eb82c96f2b28adbe37f
SHA256 7c9929ee0381fc4795f147551dc78d98d907c6b24d4f548dd973ff3155cbbb44
SHA512 2df50113568c49b4233155ff11f877e9e1aed8e32a4488ca7dab3286cff0d4c48787be45ac8f70cfdc33cf2aeb863e61cf038f7b5e9da8d0e04e8528226b7c63

C:\Users\Admin\AppData\Local\Temp\ugQi.exe

MD5 1896ba77806b3f3cdccbbfd6c532e3f9
SHA1 1dea35fb9d7d2a2c09905d40f0405c1e6e368e29
SHA256 06b8f7c79e85d075bba1aae8d54c9d11444a8135e6f5d26ece800322321a0248
SHA512 d8009b0f4a3768f30cea48f30757c801474ca4577652c2ee58a33affea2add5d58767a269771bce81fb6e591a9825887cf60744cf801c54d4166d1b96ab0f7ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 7eb3d07582635ef58681d3c5b8c986bc
SHA1 8755938c8e01dfee4ce3c6acd3f3fdf1d0aee1ae
SHA256 e5d22f393e11cc73f0fda09673d40c5e17f6a4bb1bacbfc8105c4972a6d0edae
SHA512 c63170b2e26cb97fdd411173db0d796811e8bb9eff439e48a3172c9ee0dddf9e00d5a33787a03f60fe4fc2e2bf4d498477f67fc9d0747ba94946cfb6d4ccbf5f

C:\Users\Admin\AppData\Local\Temp\MGEAAEsA.bat

MD5 082d2e5c17db319e37e977834d265938
SHA1 c2fda2078d4807dbbb8d1d39d4e979839fe50d32
SHA256 bf7830dbf675f1c7006ee36b05ce03bc46d525b3597c30d2ee96d9d658a1a046
SHA512 d283e0e74acf797b891c8f88dbc8a305be279fe7f70f333772a64958c16535461b8ff3ab489c6fc7d652d72d00cf41f34de0c10fbac6a52a74f57ba2c9849846

C:\Users\Admin\AppData\Local\Temp\Yowe.exe

MD5 fb443766ac9b445ec3bba68babf47d73
SHA1 3e19f140acf662546b3f7ec7fd76083280e0f267
SHA256 472f8e9b6646cf6fb02f051e9e6a2f30c862d6c578db074770e0eaab960ae472
SHA512 ec2a24654ca7633bf889f22caaf1d00cda4d630f2e4b9228e832e03711baa8e47da7aaac0fcd99c7927b0f8c1c6acb1d1d25462a5793c8b2773297d36619d704

C:\Users\Admin\AppData\Local\Temp\msoU.exe

MD5 8ffbaf324ffd2be237f4e52f6fefa4db
SHA1 4b01822bc4b9a65b756a23167b2a5130d355c343
SHA256 e1f7b0009ebd3fd0de10d1c7848bc464b1577b095c8dfcc7d71e501bb16b2dce
SHA512 6c0fe55e7cbb5156d72375f50bf1fa74ab5b8868ffac2bbac02bc25f49dd21183133a1606b411bb943d23edebb86ad23750330e2d11255980560cc3ccb9d8c38

C:\Users\Admin\AppData\Local\Temp\KskAIEok.bat

MD5 1215fae24affd2796e085681cdaa69cc
SHA1 0c6de2af10b266545521515e1a5db2967228f3b0
SHA256 2745248db94007d8b4ed5c2209469320b729877043392f1eff20e002c27f6405
SHA512 4a716fc9469e349765bc88b5449183938297cf17a2d214ec6ae646f8d1d5f0d606ee0fb8a2632a11c16ef2af9b84190698fc0914195cf03794dab8072daa86b0

C:\Users\Admin\AppData\Local\Temp\aMco.exe

MD5 d61347f0266c87d479a5fae8d42c30f8
SHA1 494cb01bc81d6164fdc4db9e047727f83317e830
SHA256 49f2c5d22261cd50c763c1a2262e60757b5591d6f4d12ce00365321cee51da8a
SHA512 27f470387f2ac40e3e477e0e0f4b4d8f0e879e15125844ae6e02438b6eaae17572e1417f2e658e7e7241321ab772f545ae37eaca00eccfb76b7ac3a8c00c981f

C:\Users\Admin\AppData\Local\Temp\swYg.exe

MD5 541db9212638b09fecda770263a759cd
SHA1 4356a56bf3f916626de4f2f0d1f5930f80a2a8f1
SHA256 990a5a64c14fec22f5e9ab484716c92df8a92b3072759a88031d85aa69704e76
SHA512 7011122e78d033a81a3c5ac44464cbf09e69c4576c0e32de5f0520b60e5a2670df6d53b9664ade82701f4fb8a79d22b2445ab8e2471f49fd920893c3f36a9153

C:\Users\Admin\AppData\Local\Temp\KUIe.exe

MD5 fb7c198496ca75052bc6b7b70e0959ff
SHA1 477509292dca65bce84743c91276d57668a5de38
SHA256 57be59d6c45610070d55a8cf1acb6563de79363b617c94154dc8580af00bc0ac
SHA512 d63b56b82565275c7dd707343328dc40d63a3259e5a569785b42d49268af39c9f5750b7a254f9e2e6b3666fc11dfb7f15a1eebd5343a34c0d22cae50a6487452

C:\Users\Admin\AppData\Local\Temp\cIUAkAgI.bat

MD5 a5fa6a465839796ced0a88fbf8004e01
SHA1 5f2973d8107ef375c07946a911d2fc401872b3e2
SHA256 73ae0fccc5352c7ff513197301d9fbf7b1c0c93ddd68a591377d0adcd9d1e4b5
SHA512 16be65440bddadbb6ee48492e9a9b0bbd918929f8f45d744a03bb3752da5b455eb49b334c47ca572134f2478f5e65a174f2af82a4bec01242df6bf5103a92aaa

C:\Users\Admin\AppData\Local\Temp\KwgU.exe

MD5 8d2253e75edd73a6d194ee4bd606d9eb
SHA1 c1d42b0dbc15df12bd1832379f0f554df89ade87
SHA256 b2143b0f97252a216a4026e67ede290ab36fc02e93e36b055b4510563fd085c1
SHA512 fb1afa22d95a0ae4ae5eb154efefedd7edf52181f58bb1fa6002d752581a7ae374eee7dbf44e2d6bb7f8378f283193304def2be8d74de13ba2b389ddce378316

C:\Users\Admin\AppData\Local\Temp\usoA.exe

MD5 0764ebcabd2e3da541f558e0a393e698
SHA1 7d7965c71742521ff64c32ba4e54997ac92a9ecd
SHA256 82d91ac5974462cbf4e2198dd62cf9956a1a951065b987842871ea32154a9970
SHA512 0cba30be019f68b806bf3978bc879a7ed8f383b4a82e8c8459fb5abc9a4c363e0b13ad6091fb984f09d2adf132ba40d791b82167ae28627272076145b3f1344e

C:\Users\Admin\AppData\Local\Temp\KAAw.exe

MD5 85f2b6f629922889fa5f91abb52d2161
SHA1 d632e638585256a28f123e0db76d8115d7a0fb32
SHA256 de0b013840b7be22b970de0366e2d039dfaae09c30e10ac92d569d8a93456a58
SHA512 5bc87c5259f0434ba042d669df03969f41470a60293f3612bdc852175da9e30f93f6f1575021b555b5c5d204c9892a0291f2fab2809bcd2c104be0421cd2c13e

C:\Users\Admin\AppData\Local\Temp\UUcI.exe

MD5 bf9f7ebe7b72d225120b4e7380dc1101
SHA1 2484c0bd8d0d8b9b3383a1b08a8f7c36c72a2b8a
SHA256 2e1e87adebe9decd5cee9497784444c71baa6473e926a6042b3314c40169fc26
SHA512 6b0fc95be7e62d7a8cc4af586060d7e59ec77b754847504b7ee65866a269735eb437d322422d95f9d0431230c107da219b116b463087c912bc438b32dbc7b477

C:\Users\Admin\AppData\Local\Temp\uWkYUocg.bat

MD5 03820ac87e8063e92c450f2636e88ce8
SHA1 49c4315a98063e86c11c15a39befb3ebafd1ce9f
SHA256 16f81106ef5b32e1574313ef5cc15a154721ff59ecb6015762d910913750a270
SHA512 613f462b453eb2d272da62dabaffbe77fdc292bdad5c87762c907df0ff10bb074d8138cb11e14a6ad6e1cbacc9b01cc2fbc5b592bffb815637e098594baf8934

C:\Users\Admin\AppData\Local\Temp\GkQG.exe

MD5 fa96f5ac1afab6fd9acbbff32fe21f37
SHA1 8fa81abf449ed13a5accb2617e2836a14446d28a
SHA256 e65ca2e9631b6f226257d83ae7912d5ed04eda42d7af8a8965c51fda1178c6d5
SHA512 743c8d77ef63b9efac36465903fca4759637613b5ee8c26c8c118031351a39b2d937826d3523f5336d84ea9627c193711aa988f7ef7450646566c90391927ba9

C:\Users\Admin\AppData\Local\Temp\mgUC.exe

MD5 69af87d2585957c6ba6d04abc8b5f00a
SHA1 6af9515efc20452bc48329ce41c862724571f2a3
SHA256 8ecb02babe006a12c80f762e9114252b53e03293fc959c11bb8cdbbdcd2cf4b8
SHA512 b1d6d4559c48005a701912dfc4e8fd94f45c9ca7de532fea415f031e6db5d6aee7e04060b6f46c3ff581ef3bb80a0ec3257465ff2bae837b21b8f967fb8e0a43

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 357abac5a728ee3491b07e7a84e9b63e
SHA1 be56c796edfbb4fdd32ae960b7a17e3fdd666bfe
SHA256 51d92ef6c758acb6ab39e7f9d8d5b93741faf151947fcfc5c257c0aa103b8d9b
SHA512 03357e768c6b6cb191bf6fa265d8c1bae37777318e9d2db4f8e2577e8c53d42be42ec616d3e0405c88a01becd7201531d6440344c68f282d1c4942a3d7847ebf

C:\Users\Admin\AppData\Local\Temp\UMoE.exe

MD5 2e868cae6dcb87d116a37dcb17523594
SHA1 a5e61381f804091bb4c3dc10f5c1828b46c07018
SHA256 4da76ad8d19f4c5d4330b3294879adcf47b6e1455684758deb541a47da44611a
SHA512 254fc19c17ff18d16e1e299275ff7b529d5e63536d97106cb7c7279e81c5d752e400537eb2967f130bb8d960c30d804bee3728580c3dd0e851cb082f62bd61a6

C:\Users\Admin\AppData\Local\Temp\gYkg.exe

MD5 97b12ac074bc9015aa68b41f48c90c22
SHA1 942b9ab5ddc8572a36dc1eb30736121c91523121
SHA256 ca5e2e4b47e097f6201d7e2920e93e32c05d14b29774c914e11ad3dc28f971df
SHA512 ef1a3de9f0d224de092c6b4c87b802da46b98909d8c9cd8e47645260b22a4f7c3b60827fad465809cc16d29326478ad152f6d455040fdf480efda2e83e920c81

C:\Users\Admin\AppData\Local\Temp\bKkUYQAs.bat

MD5 e8f13b34bd846e8c998e94ae6679843e
SHA1 896a7a9fedd250943c0096cfce0806abd070537c
SHA256 ea4666d34299294bb7e38a2168390ae4659bbd6fd9d18699af5e10b39ec41e94
SHA512 8330f706152086f24e8bb3c799d758c243d5574cb834c2452dade731958ca50e38ee4aea10b774af4c4b48181347e9b1c59015431e3d8140bb4eaad34391e1f6

C:\Users\Admin\AppData\Local\Temp\AQIe.exe

MD5 cab8b4133432df0d0644a327892043c6
SHA1 111c3fa9792335b39d5899c617fc669f363b00cd
SHA256 89937297a3edd94e9a8a5562fd79910941994aad8cfbfe71455b1e47c2dbd133
SHA512 bed8437bcd837536d402f46f0c45bc35fe31de1b8b25fd3c220fdf757b43ca321f84bf164c8609cb9cf7f518a4fc093f274bea7a090f8e93ff96470ad2703f3d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 6c0394babd99636c1a37899edb5aaa09
SHA1 1720cb08c1eaf646db5036de7c405828d042c71a
SHA256 6be64d95bb5b9abb2ac89623bc2e76ad81cc409dc7baf2f00ac7e53c0e4e1cd9
SHA512 4b66d25516f55abf0749568a06d6054f9200e8de2115eca961ec75411f6c38486462ac14f721e8f73a798903a5bef326015f67a22fa8aa6c67d2711757942d8e

C:\Users\Admin\AppData\Local\Temp\aIYw.exe

MD5 165a1e2e89c7912962ec230d4d288e87
SHA1 b980cee962ad62e638ec6c7eda9cdb63580475f2
SHA256 b1b48ceed0fa5ca360c8e671653ea3fb092261c379caf395cc30d305a7076699
SHA512 18c05d48c73db6e8d89a01d55ce23839fcea46b811fb3945c9c9892693cd3a86b21b3bc770a431b2f4edb6b230eb515cce394b40836b3c8aa219bb07cb4507a0

C:\Users\Admin\AppData\Local\Temp\ZgYUQQYw.bat

MD5 3e441bf2ed1ccdb53de3f7b76b87b163
SHA1 9389645269d57d81b46da402be3201e02456fe72
SHA256 3debe749ab10d8c7444a4d7b4eb965c53d4abaa1790ea1abfedbb00565a770c6
SHA512 3c491507e107024dad1a8830c55fa1d6ce259fe49e40689f04df94e424601a73cc6bef786ac47d879695f4c83f2dae737811c748e441e35e575a89a38a26cb36

C:\Users\Admin\AppData\Local\Temp\IQcw.exe

MD5 8b72f56e511ff8ea90dc21ae1f2e8a75
SHA1 f3bb1a55dc5a825d1ac928fb2b4cbc6b89836381
SHA256 a98f60831dbbc27ebf2b3f02bd9b2cca8d141f6717f946a766963bd36b680348
SHA512 13c7983f06157c05cb21942b4c65bc461d4db9f05fada033c3b7aaf27422070475f0ee171070b7f99f6c2fbb3c6aabf3cfd6b3924e5b8598f9dff26310557540

C:\Users\Admin\AppData\Local\Temp\UQQG.exe

MD5 79c58814f98663f16fbdef9a86785041
SHA1 fbe39a7d1ef971023bc1b37a1adbbf5eee1ad648
SHA256 aff8e1d3c1c41cc01b0821f6f1d6612b5424958cabe0b7b5908b333a5dc643f7
SHA512 3ae7982958552fa93b2d97b62290171634344d5a0c67536085462915e67a0758d1b27deefe6184897b99bfaad819a18d1dec6aea1f1b68bca8be090e41f964fe

C:\Users\Admin\AppData\Local\Temp\wUgE.exe

MD5 235061da0bbfcce715b5751e62ad68de
SHA1 2fdf4c0c03c74f177fda6d5592e4b2e9c7d93f04
SHA256 57df79ae68e83de8d793077512d513251fd8f3b6523b584fa6dbd5f6a7d60fe7
SHA512 77f017b9ce35a706d2beaf07e601e172f09c8345cf4b6c0dea6f6885b00dc8731526d2f5a7ac1a5cf3ecb8d44e2ce6d8c5a3ded320c14b64e01c6701d4871493

C:\Users\Admin\AppData\Local\Temp\IIIW.exe

MD5 c2633fb0ebd93a9d797c0b8548ed7b34
SHA1 a036ab1d2e1b46b5cbb9fbcf6eaf4471ddb0e5c7
SHA256 832d56bd702a8dd36fbdae569157042f1a524da601d83f2318db517d9158df58
SHA512 8722a22b604ad37fc32a36274a097153f4a67bfa69cddde1584bf71e1a4f012e04d4b809563f8264c5eec11cdd28d09d45af8c635077772d5e90cd0404e8363b

C:\Users\Admin\AppData\Local\Temp\bmcAkMEk.bat

MD5 3d32721a6a6e268c96644f64e8b96225
SHA1 a1c5da54ceb5895b5a98aaa05272ef416c8925a0
SHA256 dedb08366011dca4ffac9be2ce574386fa715c77c44f279aa2587973ba92af05
SHA512 ef1ccf024aedddefb2d34bc1c518999e439ecd2c5219d522c19275decbac98f67570f83b6663c33bc722a4cebfee2ecb5b04ce8890053cfa05a67127ab358c28

C:\Users\Admin\AppData\Local\Temp\mYMe.exe

MD5 5fe16b0e580b27cf348f2a828f1f05bd
SHA1 627420a53329840ca02e9f7c35386cb8d15a34f5
SHA256 5ca3625de41ece78ca8cf40fbe1a02cfd90b3a966c1926bb6dde928a6405985c
SHA512 ded4436f9283ef95ab7a744b06a54168489c0336d728af6ae93d5e285ad0a56565f3838c3543070f6aee72034ef2e1c1b2b55f2250dde2493819ab84ef3d18e2

C:\Users\Admin\AppData\Local\Temp\yAAO.exe

MD5 7b22e944df1ec4f5dddef006fb516ab5
SHA1 4ea614a0a4ed5435fecc3615085c76cdaa795349
SHA256 a0557d4a229cf9d054e5f8c38c0b762c9e9248ed80f3b120a759eb8421d1b2dc
SHA512 40efb6eba50dfe0cc30fafe3ead3223f9864a36e732e693add4a3ef8db0a1bb220aafa64c0d46acdd7f199cc5dbe0c2e7a529960b8875b0cfc4f64db9201a6db

C:\Users\Admin\AppData\Local\Temp\OQsm.exe

MD5 17dda546d40b6bf301ee9e268788b120
SHA1 f4e99b3fba23dba09876142f7b77014c08f7d0f8
SHA256 83d9649a3208988501cdcfb9eb8755e763fb3e9fba8a7f5fbb4d19ceaff83340
SHA512 f5f86c3a3c4d84cd9d692aa14ddf5555113fee1b644734626416722aede05bbe5561898e94db1346e989b5b1e627db538a3eb4e4ca2fdd540e7dce167ba42986

C:\Users\Admin\AppData\Local\Temp\Uccs.exe

MD5 114b58e03666fe207e92d1e9981c8ef3
SHA1 90743eda1395f6134fa366614f344f93a32848b9
SHA256 35d234b9591665239edbc3e0769e24c2f0d1a5511d0aecd4d06995ba974d4746
SHA512 fae04dc13a97975c397add1289e3ebe72543e6c9982edfe234780672334b345a14fedceba18c5266663fcaf417fe8c0249a2e0a58f71a7a38736fdb04406290a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 440aafa3b11385096db58caaa3aca6ee
SHA1 4f05ad17b7df16fa911b3c293633d71a219e48b6
SHA256 59d61cc83bcbfb352de6ec9f9ad47043f292bcd7b5d1c03cde001d8a86234bda
SHA512 3329dea78d226608cbf7301984c8763fbf85f0777a677e84058660197789f62e8b78c0a281ceaa22cdcd658d4cfd73994eb6bd402733f9bbf93f8284b0f045a5

C:\Users\Admin\AppData\Local\Temp\uEYsEgMg.bat

MD5 b2bf3cb5a59281b3e08719642f8941ad
SHA1 4bcb8d5240ef326c4168038acd0dafceb59b8565
SHA256 198c6eb37251f31bdfc863a5995ad7bd97467b378e2b1f88d201408ca3a9be5e
SHA512 c884ac4d44e96583a4e96164a25160b9ece292d74cf95d72b0f2ba1942498ed4b35c538d9f1159d059ccac34a13750c27cf7031f02dc7b6e2e459860908000c2

C:\Users\Admin\AppData\Local\Temp\eYcs.exe

MD5 a1dfc3d56867e5054dc76287693c1da6
SHA1 f8ad443a84c6ad413c28010b0793fba47b828e75
SHA256 4402b22eb40798501e949982b550cee1b26d50869efa0f7576f2b8902924436b
SHA512 f8ad4319d9b9b8310f9ad28d9046af4dfa759d26de7f54587122c74246bf4a1dce66980830fe170000929d6937ab695c3049323bf4b8bc44adf9b88b8d1e741d

C:\Users\Admin\AppData\Local\Temp\UQAI.exe

MD5 93eb507f692b065cc08db37303319cb7
SHA1 df88f2398fcbce6d6256afc828ad9e7c85d52532
SHA256 5e517cdbee593aaf802a990fa963dadef425dfb1e3bfc48e431d57ff3582922e
SHA512 4d00cc75cb351dcbe30827321e3f49be1ac7c139d20365d24035524de9fead722c19ef6f981c228533b5804ca147098aff2db960bf9276680fca499b8dd4a4c5

C:\Users\Admin\AppData\Local\Temp\GAMe.exe

MD5 49d0805c0a876283e1efc4cdc61e032b
SHA1 94ee8f51f4a8efc5e8daa4459a07e1ee0c401970
SHA256 d052ca460904c94ef0c7fa7feeb257e5179dad44ed28ca401657dda1fc573f4a
SHA512 fc9d9e03749a822002f6f5314d9fa4da114c8e7bffe2057acdeec5ee662c2340858cef7a23dd49cefb5f3dff97ecc43fd2c096f56ab2f5d8f70b3aa82b307720

C:\Users\Admin\AppData\Local\Temp\YIkG.exe

MD5 325e8daa28174d1927bf07b8ebd5c7b4
SHA1 5f05f6c365f93faab85f5270e6f49acda67b19aa
SHA256 e3760305fabbb044f840520806c88e80a20473498474d52c496823a6faf891bc
SHA512 201b9bb86adf855b9f2f796a0a972e7a672f9793caf2c4b672fb20f785e17e91affd7d81647c0d8a498bd3b1d86df948e6e029ff3697d35b31e0287785e32ada

C:\Users\Admin\AppData\Local\Temp\sAsYsIwE.bat

MD5 c67b65cee9eecfd33ec891ae2666af3e
SHA1 835fa24dc98e7ca076469d0714c5139bc1e9ea2e
SHA256 6e27c629b95cd74b6a217a9a2a407d71554093a32cc0a4fb894964a7c8979691
SHA512 e4c267bce887df646667071d9318076f2b9c4e24e29b9ff62a2616cdf5cbc9eef3278b1fc2da40b90252340086624e9b18fd2c63a9c03ec288336ab3c06b0a99

C:\Users\Admin\AppData\Local\Temp\KAoG.exe

MD5 fa49f9210a4132f34b9565cc8033d0b9
SHA1 210c3d9ff4b9478e4529fbc7e3740152cccb9ec9
SHA256 9f9046e40abb4ce014466e09f5de06bdd1c107aa487064b6684c3f217157f319
SHA512 1a1122dc76693ff1e2f4e4ce93bebdc365264d9422dd54dcc2c2edaa1450a5ac0646b7ff384db208e6ac062fd0911e2f5d76b62105a0a80bfaa6b432b1f9ba51

C:\Users\Admin\AppData\Local\Temp\WegsUAkc.bat

MD5 7d9990847901bc835c4ec143265a46a7
SHA1 1afcdf7085bc51f194fbff5e9c5b2f38dc6b1766
SHA256 f58dc154251dc0cc0acf7ed53fac7212a60a673d8614a23bbc15c46861212e83
SHA512 02887a6f08b009da8fda519746352115b45465da0c4ed6a8e6b833b47e234cc6f8ca35d9df606034924f7797e166ccf5eae89270a181f0d14abde8034905f507

C:\Users\Admin\AppData\Local\Temp\QMcs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\WcYC.exe

MD5 cf6bbebf75ebfa8dc72ae1f12a8d4280
SHA1 3dc037c58a7baa18947bfe69951032c5a7c20303
SHA256 678e53247622f81e63e021d0311a82b474df0db52c8a4dfdf1435799811da0b9
SHA512 4aa6727581f38e7597c3767996325a9dc03d5421b2cac15bcf378c33422d8eb57f9d3070d294dad93551ce3fc9ae5e7eea8d517122f282246aad8db71e4b7705

C:\Users\Admin\AppData\Local\Temp\EkQM.exe

MD5 43ed0716f4388368e9daca2ad557d500
SHA1 c98ee02e93d6329a9743d26b76f2cc43b9452bc9
SHA256 6dcaa5aaa67cb546da44312eb6958d32a12d5766f6ff2de300e8fe06f7e2f9c6
SHA512 10f3f91dfd8f4aacc921446a87a8af7aa9abd6e56e65e23289c4989ce3835603145972f406acb277270ecea84737e5cae85f27e40a2ce382df93f5ec5ba33db9

C:\Users\Admin\AppData\Local\Temp\ySEsEMYQ.bat

MD5 dcbded3ef5f1d057b50a446813f828e0
SHA1 3c2d8dab6e19708d47c4d48e6b0d5a1127d7d15f
SHA256 116a83bfecb4858cf63e71124c7481350a9a7d7918f421a9602ed368a11510c2
SHA512 04661eeaf121a4fa55eb6df8ca61dd02adca5b1baef6633c83351f5dcceecb9f08c7a7840d0786e0886ae1eb81d9cea073639582a836694724a699a30ca84bcc

C:\Users\Admin\AppData\Local\Temp\AcIc.exe

MD5 5ff5ba5d6e823de844935ce328b0f009
SHA1 4c11814736748e76578aaf98941956b4d3202f70
SHA256 eb77fe226c1270ad41c09083b02aa2c50a4dd452dae82c74da9e05e1eff41cbe
SHA512 103bad3f4d7810cf62a269ce9f181c4c21367b5b227cbb1a46469de579e70e5adbd4677c396d7f8651afecb12626c191f17148843092f305b7f3fe1402f89fc4

C:\Users\Admin\AppData\Local\Temp\Mcom.exe

MD5 1a2bcf67aa96fe7a69f008231b7e11b8
SHA1 1c992ac2a068bf33de513444335fe537a0ce7ecc
SHA256 0e7f1cd9e91f90c6a4f53b647c826e4414943f6662d1452e8265c8ce98841411
SHA512 4cdeffc65cf3bfe4a9251cb1530f306998e8c6e072279c4136361420494385a27d3e7df95c86f54639a171875eac324e009669426290db1ae125f87b670e12b8

C:\Users\Admin\AppData\Local\Temp\Egcc.exe

MD5 ea627756c45b1fa59afecfd2dff083b3
SHA1 9c297f83ec25403dbde53ee7c419787919559960
SHA256 dfb8bf03961a024d3a654f974a0ccdbb299220df29f4e91e25ae666d76dc78d1
SHA512 12fbed2fdb3ccc6f637ee2a85ade35f16abae96c6a9b2ebfdc1a6b83494a5cca9743f47a2615f0f1f867c97c34539652b1d32aa89fb75962a975a1388a5c6b5f

C:\Users\Admin\AppData\Local\Temp\Skcs.exe

MD5 8b0390c220e70c7332afd1806ccada44
SHA1 b68755aa574262b7b05a923afab0d567625b8dcf
SHA256 c7a6a930c75aa0ae0e4286da0cdd137bce508fd79edea119bd65b390746e1b8f
SHA512 4ee9880713a1085e75906ed8ebc94c90c6d00f5021ae78fd361f85fe448f4638adfd598eb84c2a753cc8687cd50c9a6a3a182698e838c27d24dbb34fc7603866

C:\Users\Admin\AppData\Local\Temp\uQUY.exe

MD5 66f5ae9d011568af7ea2e5d0b626678d
SHA1 15bc46bbe94b8e735fd0489f6c6c285679867123
SHA256 dcbc5c8f2c3f20f09e55015d633530e92769f99116b3710163ee60268c33710e
SHA512 7487b3efb177d2e250a15c5232ca13108d42ecf939dd442f4fa2e7dc63444993b72eaf702f440fd79c1229eb1c131cdf45eedc5cca9a237b037fa64e5cb362ae

C:\Users\Admin\AppData\Local\Temp\uYEY.exe

MD5 57f274af3b74b7d19b42be4d94edd075
SHA1 80d91ec4d8ce3e3c3106808ee0a7706dd20ee846
SHA256 e2b8750718e144407fe9ea175c7ef4d01ffc562ce12fb23c0a36b9ecbe4ce0dc
SHA512 636bf6aeb2eec7829390bed4a0fda4ac75430b24b971cfbae0c91952263e1b0fc2d1e3ae26e1a2ef8fb1403a437b5aca5b0673bdedcb92a1d5d1a66644107fdb

C:\Users\Admin\AppData\Local\Temp\PGcowUYo.bat

MD5 28050c2882a81cc23f42038a31ab862c
SHA1 3c9a85f74815ed26c7d18aad531a2cbbd7db1777
SHA256 f7d4557ac0343307283815fd2025e34353ef1c4f6048776b3f35bd087946848b
SHA512 20f60437ad141dc3345d7b1ac369274525f37eb9a10a2319d092c2afd91e5e49c6cf7248fb538abf002d49053bb01cf0d15b6129ab7eb22f494b6c9e95f9198d

C:\Users\Admin\AppData\Local\Temp\kQsc.exe

MD5 24cdd4cb6f3d58711e39e6430055aedb
SHA1 8bce0ee1044383454c9cbf44253394c6033ebcf0
SHA256 0c4364357ca99ce211f914e6290fbe00ccdc60f6491ab75ff5b83404d3785c33
SHA512 f82d623f3525de445cfe80d383e904f33a00681e70161dce591059250892d6e79d4b4c5895d4bd96304774639662d456847cb446805a87088e01dff3398db5b3

C:\Users\Admin\AppData\Local\Temp\yIog.exe

MD5 d6655d63b5574dc074ef0ae54b5e03ad
SHA1 da3ef3b4101681aa32eb3d17244a55e517362798
SHA256 b22fc0d7ce3a28f9199a8feb1c3ac182fd5e6da44ae270edb9b4945fa8d1a0df
SHA512 94fca2f289644663bc6da5a3fe1cfe4351003c7055df01b302c0436d47e26d9dc4958c069c7d83a0f0a92991b481d9e98607d55290fd0d0e4d041b2d329745ca

C:\Users\Admin\AppData\Local\Temp\PcMAAUgE.bat

MD5 f0cc1355f173053f7d00fd8c49d125e6
SHA1 40c46287c4d80f41b7e3019a040a8227b3429947
SHA256 cb1d7e25e1c99a6214af0737ea9e0b5f5fd5406f34c100b641c281272cc7df8c
SHA512 6e7d66a3df02b25fe48771c0997a48a0b2592e1be89aa944894604e7974fb19e80e42c196704cfda8cdb22ecb9897b77fc020d7b42bcba2636fa7a642d1c7b60

C:\Users\Admin\AppData\Local\Temp\kAoa.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\uwsq.exe

MD5 c884a591be0a0acaa678e93fe602a32a
SHA1 cfff29819cc14cf873e5c17c5fd9e6b1e8e77fc1
SHA256 b58ebddc60116fa3f1c9003d67a6d97a6de09d6ba43b14564580872c8f9d3ddd
SHA512 b61bac1031b0289914699187d7a4e4711ef228914d8a8b54ba288da19dfd55b94d4e96ac833fa41fdf58995f2f88f3152e038c6610600c2be9950ede64c8dd5b

C:\Users\Admin\AppData\Local\Temp\bYQIUwUM.bat

MD5 4b63575c8e5d5a22d00d89974be8dca4
SHA1 c1d7c4c51be803977467ee3a0b2a6ffccc9fc52c
SHA256 a8baa3949afafeb53705ae18c7f86664894c8906a519a6394d6b0ef5fe0c1444
SHA512 0f863f07b06ab80ba80e7a5f9d60fdd7ce6ec23ba1ead319c16864e9dee9f6e0ba297b78aa35e6daa86f5704deb207fdf8a173f1eb659548f711befed8331f98

C:\Users\Admin\AppData\Local\Temp\SSEUYYYk.bat

MD5 a41e12fa1ce138c0264ffc3c0ebb4a21
SHA1 70035955dc4b3c12417ae2e6cd32c11d2047f24c
SHA256 9ef82225fe730eccc5f52337864c2ffa117f06868e7fc023e25e636f77a59b01
SHA512 0edd2cd0790a0c5117a0aa8d2d43040705154b3416214212cdf6c7187ece6617dad35412b56b701fc63aaefcc786d4f02e1eeb3f9c3e5b46ec89976f2cb67225

C:\Users\Admin\AppData\Local\Temp\sKQUkQcA.bat

MD5 b0ef7678a9f037ed08307b1b6ace7654
SHA1 ac7e5b275a74db32a83f08c79c2d04ac711ae6f4
SHA256 064bc4912a148720bceabcc8ff475a95325ddd12267b8305bcefa95a756f6459
SHA512 fd656056c9e3b4f8a1ed9ce0b99e327e7da100071e7f4d251f8fe6205f0bba4a9badb1235a8808a3b4f7daf3a1d1856fdf41ef07eff4295e6763574ca4db9925

C:\Users\Admin\AppData\Local\Temp\EmAggEwM.bat

MD5 e51c65b2bc859ee8497a92bd3c03f6b9
SHA1 520ab05b87178f8d4c202cdc861df76df53e456a
SHA256 a298f6e5e4c7b5d41af74a253b985eaf9da13e575fb753afc0502a49e775c255
SHA512 77c50f48ff3ec09d29412cae0089011008e71c254b8573da3be976244cc05ee1ca79ef8b38901080d479a4361887c8f07b4adbbd45177baf98c508ff9f19b972

C:\Users\Admin\AppData\Local\Temp\gMMYEYIs.bat

MD5 11deb8520649e9678bf6b280a9bc5be4
SHA1 8f9d13fa6d11810d82fa18daf74a553470e5fe54
SHA256 ab337714bdd0fc171b7be0440d309095e6e91a9a9e8d1cee452fa0b5cc670f8a
SHA512 4e861178653685ffb89eade551e01912d6599e24c0324beebaf745c60e6cfe04e122d75bbda6d971fc338f45778a7f3d1db00036acdd991d4ae88287b0ea0408

C:\Users\Admin\AppData\Local\Temp\zicQkAMU.bat

MD5 1b76a8fc1635d69b8e1fc9ee249300a1
SHA1 2f60b585728670c4837a9ed755f9d239bd3bdadb
SHA256 9789a65978c965ec6ecad55fcd74c98729555f77c0c2c1a06afc5eac80f08cc5
SHA512 0d6a9710c7e14ea214c1e1f07cdffa838a9c7cfbd2f44943927e087670fa64cb1b724f98d71f2e83f09b721740ba47191a133b9d55fa5414f8aa6f99b7f5d921

C:\Users\Admin\AppData\Local\Temp\ZiAckQko.bat

MD5 1911cb59e504c7e53d03fe8b9b529a08
SHA1 a431fc450b68dd2142996b1720a01084c74f5823
SHA256 8d3f2320cc511ef55b8720aa0f969c46626aadc946f89d6c035e1bd4c2441d2b
SHA512 9c034d05a8189698d8e45448681e5d986d7db106199bfe6669212fdd2defe36b4c5c47e3624e3094c9eeb5260e7dd69d25646b3c775a18aa3380eec37f96c669

C:\Users\Admin\AppData\Local\Temp\BCkMokkU.bat

MD5 91388cbd3dcde3024a6f57a8a4bc38e9
SHA1 472ce4b87674f6c9f6bdaba54f7adf75874ea242
SHA256 ce0469b405d2ce3fcbef6d1f1b713c6431f84a7ced3a9898143441e2daeea4c6
SHA512 f7f9aadd7e300d2416af28228627fbf34f85bace1f3ead67b1bfaeac5146b6870e5473761080a82343f6868218a804e4663e0813efa8d1161b8ea676fcc096c6

C:\Users\Admin\AppData\Local\Temp\RAkIQwsk.bat

MD5 34c5714bee15745895980e418d1f4460
SHA1 7608c4a9a515c7c449f561803e6c7a6f3a5f2e0f
SHA256 6b77c0d234fbb31caaa7001dab702a32e5be15a9ec4edd75435e28addd5de6a9
SHA512 35202c5d5a7b3cce0febcaa141249908e77a20a9992968c0c36e3b21db9cd0b1527d8654404d50659459f9bd2a756f835bbd9bce66096eff7c81b3c568a52e3f

C:\Users\Admin\AppData\Local\Temp\MSEUwggU.bat

MD5 d7bf1570283ba8ecd81cf41cb3030a0b
SHA1 04cd9240ffb50aa011c90a0c015655390d0f821c
SHA256 e242df649f92dce08e6f6b7ea216701b434e166a19b066b62fba66f4c09f3851
SHA512 08b3d59fb43ecdde7d6266ecf76d816322572c3d7b9e42b2542b432be1caa32bf7860b1b7519c2c52de5aed7094633e37f2554e3353488c1382a2659dd3676e6

C:\Users\Admin\AppData\Local\Temp\SAIkcUkQ.bat

MD5 a3c8e9e4c40ed2fbcfee4bd0e0b1ac00
SHA1 31338bf6d8a77d53f8ebe895976fcf848e6609b3
SHA256 7c4587967f7312acbe6914f91cddfb881b025231a6cc14864df3fa1274eac101
SHA512 d04aa4f1ec4fe384d8fe13b09abd5a0b3a7960ec91050de1723c39a3d2334277618d4e48c1810b51515c92a437faf85be579a1e5cc957a619a1f8a192f1730ea

C:\Users\Admin\AppData\Local\Temp\SGskwsYE.bat

MD5 13e5025cb202836179508262cf5d1c3b
SHA1 0097bac912d384b399f49ca9f59336db609c296f
SHA256 a23fbb7da133c7941ffc7fd99c22a7a48dd14af9e896e487c91d92b785bf1b08
SHA512 2d08f9479a938ed85bb848ee4737fa89cf1c4cc7fbe0e288ced4dc56f5b8c9a23f251e795d2aac59f0410eacb4ab721be189b54ee0c5d396d61d8592bbc7c19f

C:\Users\Admin\AppData\Local\Temp\TgIAowUs.bat

MD5 debabef4e128515aafccbb188cadf0d2
SHA1 2b0237245dc13366c1014919b19a244743e250c3
SHA256 49cac38b89e3de3121506d98053e95f29da0c3985fd7f9f7dca6fe4873db0921
SHA512 0ef031a6f0ba4d588ffcc6b428d0a971d19967d658be1d7b92206d9d5284128dcf539e70eb96c178b177266d5a2efe5ba9e5fc7b1e63731de3f4d7fc5e8fefd4

C:\Users\Admin\AppData\Local\Temp\PwcIokYk.bat

MD5 cd240844fe31d02228682803c4f95cf7
SHA1 b36d015065635a22731e96cbbcc8d312bcada4ef
SHA256 63dc154e89f8a35c1ca512c5ce0d69553289557dc0bc2b0683f2e95156f49636
SHA512 2fbb9a9c6c11bcfbbabcc3123acc672a88d7cb6d175aa3bec7cad233b85deaeadd26499a07265f6a2bd7846364be339b8b8d07f788d69ac20b8a85567cd575f2

C:\Users\Admin\AppData\Local\Temp\hSIogsgg.bat

MD5 ff5b4ac073fab8015c421de30cc84ba7
SHA1 27c5f73840e4d64e2dee9d3622d9e442afe42096
SHA256 623b89b01ac4697a044f21a6dd4d1934c3ad09986b7641756e59ea2f64b65da6
SHA512 942c95a96e77d364ec5ed9ea08e29fec6c0e823afd1d6742f6d33ac39fe8f4a7056f6b5142cb9ef40f0f1894bd139f73818a3ba31f2be702c00163e6616f33c7

C:\Users\Admin\AppData\Local\Temp\LGogoQMY.bat

MD5 07ddfbe81985934ae56cb923aeb4fe9c
SHA1 cc74053e589eb5f13ad2ebb1dc655fdda794aad3
SHA256 cb26c97e0a94a36daa97fab507bc382c6f7a2673624d1a25dcba64ec8ed838a2
SHA512 bc6e6bd63d167c059fe192bbfeb2fc96f6873d740047c7a22e757d39b6591ef2cb0f173734a60ab695e5aa07a9922bcc72146446d810bd0382e72efe8142cddd

C:\Users\Admin\AppData\Local\Temp\WIMkUQwI.bat

MD5 0cf8d92b8399fd79b0598ea29d85454a
SHA1 5c6ed49cb9b0a2e63c64e555349c2ddded6912d6
SHA256 0c0c3a72bed9824db48bf63e9ad9241360f70f05206586c4258f7b34948a0731
SHA512 360bccfa5f0b62ef445facfd892fbf21fc8e1ef2952d57a6cfcc5c1ea7392b70259ed2d303f8388dded96c69dc98df34c795bb820befa4c7602a809a42ebcb7e