Malware Analysis Report

2025-03-15 08:23

Sample ID 241020-193nzsvgqm
Target 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
SHA256 2cceb8b4ab66644270d945ffaef553e843bdc76dfdf0ad5ba563ec8c2c40c079
Tags discovery evasion persistence spyware stealer trojan ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 2cceb8b4ab66644270d945ffaef553e843bdc76dfdf0ad5ba563ec8c2c40c079

Threat Level: Known bad

The file 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (83) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 22:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 22:21

Reported

2024-10-20 22:24

Platform

win7-20240729-en

Max time kernel

150s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Count Description Indicator Process Target
63 Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Count Description Indicator Process Target
63 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Count Description Indicator Process Target
22 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
25 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
12 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
4 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
1 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A
N/A N/A C:\ProgramData\fasMQQEg\tcAQAcsg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
PID 2300 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
PID 2300 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
PID 2300 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
PID 2300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\fasMQQEg\tcAQAcsg.exe
PID 2300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\fasMQQEg\tcAQAcsg.exe
PID 2300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\fasMQQEg\tcAQAcsg.exe
PID 2300 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\fasMQQEg\tcAQAcsg.exe
PID 2300 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 2944 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 2944 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 2944 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 2300 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2300 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2808 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1056 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1056 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1056 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1056 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 2808 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2408 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2408 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2408 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"

C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe

"C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe"

C:\ProgramData\fasMQQEg\tcAQAcsg.exe

"C:\ProgramData\fasMQQEg\tcAQAcsg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYgMsYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIAgUQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcwYskkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\doQoIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGQYAEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWYsQgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOQgsUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jyIsAsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eewkUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWcoAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYYMwAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUYYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcooQwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMsYkwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMwkUMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQMwcggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgIQAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGQskUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OckIEwwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkYUwogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGggYMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQwIgswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcogYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkwUQQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUcogAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoIYsEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEEQQUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKEMAoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsQYUUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCocUEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYkAogQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUQEsMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3672757108709938321733643975-729135812-1807599579522960982-167600093046727621"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcYUwskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOsoEYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkYQMogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2120708054-4631554841916130249-278720965-987611638-1933960960-7019249631117740292"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOswkogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1052575784-1881794233-762170853866665482-1421496857-38955661-1158530800-991396827"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jywIcsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSQUEcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1035027188-8671965171436015375-6497302141161943821997361751173128503-434398744"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCUIMkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1888402554181644392380435595213343592414532997851217796335-20746938251935388731"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\awYYQAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeMUMwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1325962914574983617-2139348062-1614343110-65945666517897021138983101201239256144"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\emUYAMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-908154344-991688382-2443326931408133248-408057502-15922956291107566185-54581000"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeoUUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1898319623-660438506-211309053-1063230975-1948571672-1493570633-12244514081885514548"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyMYcEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17286538571547885498-1908407419-1679121430-2009891099334692846701771501-1141808895"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIcQoAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "193458132-176641217-1942975891114948479979785552-198973919-790085027-1856212239"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HooMcckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogIQMcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScgAkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqskkwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcwwkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "857006303-163182957716890012131343827182-1674318803635260031-45692305-510405959"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAgEIAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-70111358114844260320321778581302050557-118942985-106997015-1812028281-46477041"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmAEsEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5171910361959399470-12084659411997540787-1988545430-2144452531-18980410002003510188"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSgMQIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "158040592111230006211056514959210910506311460079414797492871672901551661071972"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1052532305-7323066431765509440-1901970285-1739955222-246483331656552555173148433"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6620290431806452587-1810934955-2022765233245810853-1379471251-5354312191863514450"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkQccwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccEAksgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGcwEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CasssMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7274398851002646510-4346683436448005-1039844086-857853784-617368903-1283076606"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqAkEEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9521917561306870056926398841-8155791401044065608235069368-515526985-1784865688"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsggcMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYEUIQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15699343993849304431727911575-109585363976664152216760585041513853671-1197196295"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-489989225-1961569124-185719471-1596726211306874677391867055-416010944-1634834897"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgsUkQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKwUcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19718770451045918795-18590175-1194633659745968593367856138-1533735517836153276"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country  Destination           Domain      Proto
BO       200.87.164.69:9999                tcp
US       8.8.8.8:53            google.com  udp
GB       172.217.169.14:80     google.com  tcp
BO       200.87.164.69:9999                tcp
GB       172.217.169.14:80     google.com  tcp
BO       200.119.204.12:9999               tcp
BO       200.119.204.12:9999               tcp
BO       190.186.45.170:9999               tcp
BO       190.186.45.170:9999               tcp

Files

memory/2300-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\aEgkkcgg\VogEAEwQ.exe

MD5 ce1c5229f8035385325e1a2f5b41a79d
SHA1 a0f4c57569bccf192e767bc7dfb5976a1881ea96
SHA256 5d463cf113c964813bda3a84c6bfbc0a30f88c680ac42761dc0a47cd067c189d
SHA512 50e727bb5d9c4a474aa81558521a04368343ddcffc96ab6190bbc6c31c8f334929f48bb0d581825123c2f1fbca3efe766cc310988a5b17b4fe42b07989a55b12

memory/300-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2300-30-0x00000000003A0000-0x00000000003BD000-memory.dmp

C:\ProgramData\fasMQQEg\tcAQAcsg.exe

MD5 7f2c7b54358e4c3ecaccc1ebd969c3f2
SHA1 98fb8192719ab670f859b0797f580c1a381eec13
SHA256 54c2859b5588cdc51942e50b394895bdc12f4f58f971caf5e2ae752c681d82c5
SHA512 3041b6b2b55d70b778b3abd4ee206488b06ab663b13a900b2bd52a12e5333e22986c2c518b150c8122aeac40b1aa93ced1cf856bacfc4a2c6c075df2acb7b02e

memory/2392-31-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kqgogUwc.bat

MD5 ff48ff22110bf80f05117038f5aae3fb
SHA1 dd1bda63b60a1fc38eeb3af87b11efd93265b8a2
SHA256 918a7ca94f4de5cfa49939fd9df81712a44be4f6ae2eef57359d77ccc2280eb6
SHA512 af44617e547eecb32552205cc090b4c1f247f3871c18b3b247da10682792d001db5f221d8737e7f75cfccb91cd35f4876b2887603b108c2aeec2ab6f757dda76

memory/2300-12-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/2300-11-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/2944-33-0x0000000000120000-0x000000000015E000-memory.dmp

memory/2944-32-0x0000000000120000-0x000000000015E000-memory.dmp

memory/2808-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2300-43-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oYgMsYEc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\EesAIQMg.bat

MD5 036929037b2ddc6a38449e89cf3f933f
SHA1 4f0e0619efaea8d6481e056d1589d181b883146f
SHA256 ae7b9a8570c739aac2cf7e4dd12ed5cf57402380f549718e550efe25f0779c0e
SHA512 17057039b0f37f237fcb514df3ff79e3a77285d743cdd30fc2aaca469dd2d9d7dee6a23c28d7dcabc75e5c0eb8a55de03b51e0c2569d5fbab4b122af74ed23cd

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

memory/940-67-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1056-66-0x0000000000180000-0x00000000001BE000-memory.dmp

memory/1056-65-0x0000000000180000-0x00000000001BE000-memory.dmp

memory/2808-64-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mSsMEwIY.bat

MD5 fc63c6c7f0de320f285baa2d385dfb3e
SHA1 1413bd4e6cfea76731ae569172e9a6e47cbb98ac
SHA256 712dbbaa8a59baa6133d9fe82f03fbdc7848d6903270d34cbe20a0c5db662605
SHA512 e9fafd366984fa4cdb3c740d16cdc1e0264bdbb5890eb9695bc56edc68eadde40bf7c0cbf342688af59b1dd992d5c9692a040a014166fecd9f3654cb92be6a36

memory/2844-80-0x0000000000120000-0x000000000015E000-memory.dmp

memory/1932-82-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-81-0x0000000000120000-0x000000000015E000-memory.dmp

memory/940-91-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QssgYsQk.bat

MD5 265500f8c1329f4be760721ee1b3ab06
SHA1 f95cfce3315d2dab9ba552bd854f1083b03ae4b2
SHA256 9a1c352258fec0e8fc2151faeb3bec8047d7bfe01ea564ddf33fff7c4b7caf40
SHA512 16e31310cae33e1fcc41b5aa336e9dbeada1558a3fce81c9063d854a18d9c600e08881d51f8b195d6c5a97cfe4343971b4e87bf9c673983bb23fe635c63fdbb0

memory/2132-106-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2136-105-0x0000000000130000-0x000000000016E000-memory.dmp

memory/2136-104-0x0000000000130000-0x000000000016E000-memory.dmp

memory/1932-115-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XQUEoEww.bat

MD5 7700fddc9185b437ddab8b30387ecd9c
SHA1 e6ee08e3fb5911893c3738ebade22c207fc35b48
SHA256 2f79962aef4746349e4c6038bc036a35ba96cb8d759436b60cc66f3d9c3f9424
SHA512 4b01b604409f3e7e9beeabd2ce21bc6a8ba6af525806a30ab217a4328fec97875b4ce1c5bfd8f4e9f4d76287b30ce4939e1136ea1fd1afbdda40746d248029bb

memory/2132-137-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1492-138-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1604-129-0x00000000001A0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RuAscwYQ.bat

MD5 c321726fceaa03c17f0f6d9e6436ef5c
SHA1 f1e33d866e2527adf43e14367e5fb6f5d5e89535
SHA256 ddab67a2a47afc53cb690ef878590b2ed9b2b59acec8107e2e77da1de951373c
SHA512 4b2eecf815eeba61baa7b4a2a94279e54b65a1d75ef12dc8247150a68c34306c1933f332d3efc1bbe9ce2aa0d2039e6e087ad6dde0755b8c5512bda7e135daa7

memory/2316-151-0x0000000002220000-0x000000000225E000-memory.dmp

memory/1492-160-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JgEcYEIk.bat

MD5 964d8c414d73ce316669a863f31b135a
SHA1 804ea13c9293f8539a6df9efa35d037bda6e562e
SHA256 630b11335f014b0c2a12da65831728396bdf16418cb1424d0fcca7f7ebfdbd5e
SHA512 bc3508f8e2eae0c87824a082c085e93bed8c5c3181537fe1ad7afc2222b96f11df383423946901e9abf8eec20059ac6301f308882e87ee19fbed4f93a78f40ee

memory/2784-173-0x00000000001D0000-0x000000000020E000-memory.dmp

memory/1616-182-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XUIwwMQQ.bat

MD5 61911e5f5c3a81b03dabe2ae9aa251b5
SHA1 dd01ddacf797da7b3dc555581b1ceee6ca18930e
SHA256 1886a7a5fb492a576e8233fa4727e57ac69600e8456ecb5ab379c86ad5d6289a
SHA512 143e5b01c0a625e29f22fd55665de3aad498d3e1d37d5efdd8ce193f977f7e21d46df437dffa1bf74d2c0f5cae89ab059bf90cdf1fe3f6d31cfb6ba230f9ae2b

memory/2824-204-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2632-205-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2416-202-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYAAEQsU.bat

MD5 91883ae00f1ad0156d70fddb11c14975
SHA1 6d800f6b302b97a9ab071277277020d03743cb2f
SHA256 59d9d07f69e8fd6d43e7608bba4e7318d385897eb0392575e2f83ff2eb8d923d
SHA512 e0dc19c380be0a794e2c832d2bb87feeef5ac9e835a99d232add746df296af2fbbf964e9c2da2ea0326d07871de6c453641f753d46ae0b1e2164e7f78b8b6caf

memory/2632-226-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kaskAMwE.bat

MD5 d933ae205664a67aba057467d19bb3aa
SHA1 2168579a7068cfb93b1e83dae2616711b92ad805
SHA256 6065a970eb033df0211dd29f1de3091562411a291fb0ec878acc30b8d213cfb1
SHA512 05de735dfebc1f7827a54769509c35ceda73360d1a5661f16b135298cbb29b7e018daa7057a8ed5809d2ee15bb2b6a887f6b9c01aa53e1a46dfd03edd1fab8e7

memory/1840-247-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EeIIosMo.bat

MD5 b1333d2d2f90e9be80d961c578dbf018
SHA1 b79806ec20ea8ccf3906bb7a07f55e22406ee836
SHA256 48c0c3607cb366c7293d70767a67bc00d0f06a8469c2ecbdcbc561b922f27586
SHA512 701a3570af0be2e25c3dd418d3b536f6be2323cdb839652c1adca70d200ea35bf59b94743396947d9cf27bd1a257d8d9de124a544c8fc20d1ada21b92b337cbc

memory/1556-261-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1556-260-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2336-270-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WyQIokYI.bat

MD5 4fe71fc7c7dc0f9d6454eafae21555af
SHA1 309b91c228b724ee991b9e651b60cf0b97359199
SHA256 cdb67867a37e3c18f900d17e54ee48fb09aefaa950f251f4e679d8d301fbf521
SHA512 fc48605aed7a13fd4f062342064ec8a1d148886649a9803afe025c3a744169f50fe7c7e03182e373935c7e751aa2e8d79f34b99bd7c92fd8eaf4e66908adeda9

memory/2912-284-0x00000000001F0000-0x000000000022E000-memory.dmp

memory/2912-283-0x00000000001F0000-0x000000000022E000-memory.dmp

memory/2580-293-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JYQMQwMM.bat

MD5 b4222d0c17ced0581582d0aeccb0a6e3
SHA1 63584374abc737fe9cb6ed673090a76418bbe815
SHA256 b71bf052cd16ceeead2cb0c3e72f73dc3a3bccfdda1536f47fa6b4f1c36952f9
SHA512 00af50e4c190eeac0819a2fd869f9f8bf807fb69592e22be0dfe95a3270b1c6c4db663a0888bc85bf8190052584fa94a49bee0563b928d6005d54fe2d45699bb

memory/1608-306-0x00000000001D0000-0x000000000020E000-memory.dmp

memory/1604-315-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dEQkkgMM.bat

MD5 7a4d7eb0f350449bae35ed73fedd412b
SHA1 b83fb68f76f4f7d2b326eb590e67565bc65c17b9
SHA256 027bf47384e1354e39a83b7e84b4315804ecd210b8aff9c6dbb7b08aafc40e3d
SHA512 93cad63d37686fea118ed4a3477ad91aea7bf8a1c9769ec44784371f9bb8965f6371d0bc95c7cc6749dece13bea22ebf22cb783390732582a04ab1cd40de04a0

memory/2340-329-0x0000000000440000-0x000000000047E000-memory.dmp

memory/2340-328-0x0000000000440000-0x000000000047E000-memory.dmp

memory/280-331-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2656-339-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nQgkYEMY.bat

MD5 21dc9517810a15356f68cf837e8f054e
SHA1 6fd883eef6ea71e1fa7880ea894fad031e1cf7b5
SHA256 4e0a1ef348c87062dfbed5f42ee99e7ca1b5481e72d5ac6ae3808d24b9666157
SHA512 bbe19ead1a27881737eec7bf09dd298e6759371b1877f72f35e7607700b161f3fdf667e7dd406ced7c367750e2125157ecacc38a7e0510bb05a5bc582ec6e82f

memory/280-360-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LiUowgAc.bat

MD5 66fcfda2f0536426414abc9dd1b25334
SHA1 ba17b621a6390955661a687f787ce167b615d829
SHA256 d074fa04df96b73939c22c849a6fe21f5e251ed00296e2c93479b8d6c6740a7f
SHA512 311a991f1e6535f89eab696c8331c88d04924b2c84d8f48d5f30d2004633f168f4652a6ebb2764347653eb1b6e6241e506774573b08e5ec927c828a4dd540992

memory/2364-373-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/808-382-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gwYgMsoU.bat

MD5 490e70a48ed34807716bdf4da2aee492
SHA1 6fa058b3bdfa2a8f6b89af77b2e12584edafea18
SHA256 6393619ffc0f6f4b03d3cf5baaa580d8c42cf384b9e0e8a015f237f266bc8d9d
SHA512 1125e7812fdbaac9d742723eae4e4217666968fd44ec1420491f4b5c83d96b4beaf42bff7f9c780968ab17716d2000ca2274151edeb662b1b99606edaaaee997

memory/2432-396-0x0000000000180000-0x00000000001BE000-memory.dmp

memory/3008-397-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2116-405-0x0000000000400000-0x000000000043E000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\ISccYsMc.bat

MD5 696110c0742bf4e7fae8c0200063a62c
SHA1 f17d8e2c8e245e0be43a806b12ef0df8f58a3e85
SHA256 86154b1828f7ece469c5e46971c8b98ca63c241eb838bb5603e67cf2dce81e0c
SHA512 661e61e532792ad8618c226bcc5c87d0e2ef8aacda858a43821d6a638f508c02d45e0c6813e4828591acbcdfd6e89932776bdbda2eaae48b9d7f849b9d3fc1b5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\oYIO.exe

MD5 96be72a88ea4582475aa91960a21934e
SHA1 340696ece9a25c8cd26688118748bf148ad2891a
SHA256 78afe23d0554d15912ba852fd3fc05dbaf9a0d746adbd2328a21010ac16ae7f9
SHA512 13d52c555ec5cb471f3e234065ec1f5b972b867d5be1b2220000e69b0656c4d826f6a01bfcc3f6c838e5c7d1482e45f516b683346f69d2ddda0e5039195182e4

memory/3008-430-0x0000000000400000-0x000000000043E000-memory.dmp

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

memory/2172-446-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EgUi.exe

MD5 5ca74e9ba310e49d53fb80586d01f7cd
SHA1 86b70fa9880a7517555c3e4eff7c01212b0979e9
SHA256 1745a57300d6b761880fc8f83c98e4784cf378867b95ba7038653377039bb6b6
SHA512 649404a0b39ab7bd1573ea7d46dd9f6700dd3d313a8861314ca7dbfd6675e63c37562bd8edc02ec7fc398d69dac932eccb00a47f5ade69566308074b5312cffb

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 4b1993cfedc06f6f7a0b43602dd02a4a
SHA1 4013accbaf3f05c71530539669ce416744a70ad9
SHA256 b8f6cd1c29c74cf64c44d1e555de538b5653c7c511e33fffcc12d60e2e9488e0
SHA512 1148b48980e010e739b9603a40eeef4c31a2a909363c0243316153c3ec1f3166a348832a53c2725337781fcde82747205274585b9b741fa0f839cb9fa10b2f75

C:\Users\Admin\AppData\Local\Temp\uesokEkc.bat

MD5 bdad788b4ff7e5a4818b256ecbbffb87
SHA1 a2fb51acfe7086d447d985f323394a4a99d606b7
SHA256 1bd113a8eedc4c3e0b2d1a954cffbd72ac21e6c6446da900453260340ce3547b
SHA512 0cba565399aa186453dd005b3dad1bc47584d8bbcfdd589fb65a816cea48a0a9260a57d38121dc19d89c2c0b0c6d25367a8c26ebb8d634160fd28be845d73cc0

C:\Users\Admin\AppData\Local\Temp\MUYm.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\WcoA.exe

MD5 49f6ea87ea69eaf2908280f4bff922e5
SHA1 5e01e2821b4732d6067afa309fb6d81c0e047102
SHA256 47d4dc8941aa651777f84ac175e502a57dab88473885beeaf0a92a56f781c4f9
SHA512 8c72b2c24e854d9f1494fda1b5cdb5c902f2c70e40d7e45faf52da21f9d435a0f072c04c690a423b67c4f0f0eb734c7c3af4e3b71e550a4e0887b3e8f9c66b01

memory/1252-497-0x0000000000210000-0x000000000024E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WMsG.exe

MD5 ea85da4f0d843a1277b61d63174f5750
SHA1 17c060d3a57b835b05d6dd4a73a5aa981f2b3175
SHA256 43b4d5894377169181ba0127d4f8dd4c0ee750263baf9f636fe47dbd3b0daf89
SHA512 c304690835ef8b862df5b54994c3e3cfabbd2e2ae240331ab48f12a677f41b39711eddc566312164d4ce882a6caf59a6da527f2226ca49653523913568b12d36

memory/2172-519-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IYQi.exe

MD5 787706473736473bc14e7bb4925dc79b
SHA1 35fe4f9954eca48185c0af0ec3f44379e8584f48
SHA256 c4b0d3c2be7f70dfe8dc7d4d11b7587fb160556769f3eb165ff8cfb23d5c4e19
SHA512 0cfd2430d6ee18abbc8e9c8519d325e64fb38d5cb2570180d35e67b34604e664f94ec4c02ce5095de70b8b1840976f7c4ad9c57fb603d0ef6ee6972f06deb7cc

C:\Users\Admin\AppData\Local\Temp\wsIA.exe

MD5 0963aa1bd2b0539c8a8f138b38331d4c
SHA1 b225e043d10fb35338c46010d26152e86ce66251
SHA256 a8c1d52eca0c35f917357abe357eb88417cac3d8ba4d5b8cb8c1e7e7532b10dc
SHA512 c380f6c698bef9babfb893a712206dba7f704f23b4833547e11b7863ddfccd7c78768cb9e14f7d4c48677876310898e292e3d2ed691867fc15f67f53b31a5c58

C:\Users\Admin\AppData\Local\Temp\gYgu.exe

MD5 e54459b15d2e2360c646ddfbb0b86d97
SHA1 d1c7d69e34412d43e7863353164a5fa010c28758
SHA256 bc261c1f476664d512205f2a3b3c9c85c9d0b69aacd627b2193a819c832dacea
SHA512 438baa4ead3f92be970391bc30468e56d351390f481cd769f3700bf070d9a388fa2947306548b0db52a9a5c4a4bc372c49103a8e0ed51d7a22a3d908e508ddbe

C:\Users\Admin\AppData\Local\Temp\MIEA.exe

MD5 d762af797c7d00a24be96691b48c631b
SHA1 1c09074023728859df8c1f37ca4f458cfe697692
SHA256 27062fb605a10a5c689ea03924ac85e0d55c08371370ce6aa3c6377a36ec91d3
SHA512 e982745e2fd257684cee620403e19b4b578a2eaa199ac25553bc7d13ad3b1e80921a363ba2809023d80f4d2830390c629edd0590ee37a4698b6e20bd94cb2536

C:\Users\Admin\AppData\Local\Temp\IMUsQIQM.bat

MD5 42645b5bc7e64688e41767f9f4dad9bb
SHA1 8e2f71fdee15c5e2e141a98c0abb06d1d377ebe0
SHA256 1d76b0ac39dc280f8d01be7483de816f5f278eda308163caa7bf44d587560436
SHA512 077bb959e285c98250a84283baeeb792d6a98d6d231b845e2b039b10be6e6986e64cec6d87a9df2a66935381f3dadf181912a9ac6c58a83ca102f30aad802450

C:\Users\Admin\AppData\Local\Temp\EUce.exe

MD5 ccdb97198473a2d0fb5ba563d3576ab4
SHA1 0101a2e924f420843e41d3192859d7678a3a75e2
SHA256 d9f4b43bc7ab4846f5b9c1e8e7c9ba7d66e300bdf20167a9497bc7f72a2d9aac
SHA512 f231eeabd6e9f3824e2edd68e7b37b021a74e8a03cdb7dae87fd49e96257dbac4510279125be763d2239647bea0cae059433615c2dd29b786964b28ce02e14e1

memory/2164-594-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1080-595-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgIU.exe

MD5 ce922033f046e9b5c130169a83acd164
SHA1 0d2d42b7fb044ec361d3919bab4560a3c57b5c78
SHA256 5bacb48237712cf780ccd2e673ddbd5515b72431ad07074f1c342cc3b6749d3a
SHA512 b91d885ae478fb7f8bb8e265ed1c82182ba516a1df281ac186a9c6be39204d324d0c5b61a216fec9b854a543d7a0e982d4cc3dc7684d5be7d823a97486be2e9a

memory/1780-617-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MYgy.exe

MD5 5bd5944fb7ee06292a0ee803ce160e22
SHA1 dabb3dc290b66c31b74c6afb7b880acc9bc22fc4
SHA256 8d603b885a32ae0c640fd3b360af6a02a7ae1886c04246f93c410b0ea0e443ef
SHA512 6dfb576f67a5f7fcdbd9e3155ef0810742a9efbb5b419586e33fa6af620afaafa564b5365b16357219d080265b4efa365afe2c546a2a183bfe224f523f942471

C:\Users\Admin\AppData\Local\Temp\KcgW.exe

MD5 a99eb39f893fa1634d6abd22a44f3767
SHA1 aeed6a93dc7b7cd1d8bfad2d9b40ed43051db09c
SHA256 0d4dcda4086dd5e83b429cc489095fae222bbac45789947e0e4c159c3456bccf
SHA512 fd16ecc8fc6b4625e0c5e912dca129beab94242e617b4ed01351e386e97c199f33779c4478ab8336918ea4452f063b6a42f62c3a7ff10f77c3f0943667547665

C:\Users\Admin\AppData\Local\Temp\WQMK.exe

MD5 121173ef62956b910678c6b09f4b78c0
SHA1 ee80c34c0d0ad6d73a64348c7731c11c17957426
SHA256 055b088206b93b2f8060eaf389b1b6dcf72e5c4d9cd1dff7f570fc833d427010
SHA512 5bf9dab5d34b2a88ed94c2dbf48b69f372b3c114a1b62f5fa4890d236d4f410f64cfac96c62a32d8cc19ca95b22943e720c1e09012c551d81ff9fb901f2461b2

C:\Users\Admin\AppData\Local\Temp\Yski.exe

MD5 634fe6a37769a274d64b862ac47fa68f
SHA1 e2824b5ebf4da1cbb1863b7c4d7dc4f953f7eb65
SHA256 a3835f878fbb6b9a89252489b89bd7d5e9690c0df8f3e5df34018e40dd03086e
SHA512 41bac051493ffb345bb287b82b3f46c1800ad8a0f1c017821e7d1e00c4710fe50027a5c6b72a05af70cfb0a0d2397466a0b75abb1e7ea46eb0aefbf8a2a71d15

C:\Users\Admin\AppData\Local\Temp\buMIswUk.bat

MD5 2d92f0f828361a46957aa4efa7d4246c
SHA1 f1a07fc689e59d7aee2abea265aa5e338615e922
SHA256 4bf06b210a89eb4c5f86713b7c0dc36011cc77cf54f2a2cb3dbc170455b47031
SHA512 f7b4030f0659ccbee6ef8c25da7d641cea92913ca14a9c4379b58096e9f2a96781edd593592678d7fd1eb09f38be76c9e909419d37d6901e28235997f678686d

C:\Users\Admin\AppData\Local\Temp\SIgW.exe

MD5 19b5ac530642ad71a6c3243bbf336214
SHA1 9ee095af9254a6fb9a57e4f67db2961f8494c4b7
SHA256 4e013f5cc34bfe9b0773fc6cacefffba5281929355bdc3baa5dd9f5ecaa36720
SHA512 0c8fa4d04ec8a47e64020068f486aa1a1e3c475ccda6de1578117be0fa5097af3442627ab6fc552606a35092dcdf941c6f56d37ccd88ed27f629925016fb3e20

memory/2956-692-0x0000000000170000-0x00000000001AE000-memory.dmp

memory/2360-706-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AoQq.exe

MD5 951d6fcee379d9921c5192cf8c6f93f0
SHA1 1a6c1c937c69bbf0f36edc019064cd36c018b1bf
SHA256 32b40bc8f9f3beac2c1ac6bd0ee877bd8c83ba10020fff9e643d510ebc00f91a
SHA512 5e5424568b57d011d249b0cbccaa30a737a3e804e2ac1e37e9fd52ed518040d6e117831e11cde12f6eac845041ae161e3e27b024356f7d38b7e37c858b1d932b

memory/1080-728-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sEwQ.exe

MD5 9a920f3a0bb5e31509f72b60eb87f955
SHA1 d346e4c20954bad6b6b3f17eb03031d5767e365a
SHA256 fb82327ef465726df30d6900e953912dba23cce0e3bc4777a167cb5ecdd24969
SHA512 8a0db8d6e56e306a32e15e6de324460a6904f743924ae12cebf8985cc32402ed34f637c431d87a8781e3b7c9004bcf914898e4b1f857db0ae613d61cc0d3a7be

C:\Users\Admin\AppData\Local\Temp\SgIm.exe

MD5 50f05d2e58fe72a27f335b2410a908a3
SHA1 4e99382a7dec59cc2004de9b40a72cfbfc2a353c
SHA256 2ecc2db4c1de2bf19071fa5b335f8db89b7e3a02df8082f736ca333088bad164
SHA512 a93e6cf5274fed7763b2986a72cc5ef90c3937eec7cac11e3199bcb69d9e2a004a1be8d1955e3484abd4d5f54a6ae0e8dea81a9ce68f340a0e03a7c21c46309b

C:\Users\Admin\AppData\Local\Temp\gEgo.exe

MD5 d6d2b36af108c8d444ff16742d7a6073
SHA1 de37f6b9da115b432ffd8dfe08b4c70a621bacee
SHA256 dc56a71d0569886f83d2131f483e418c4950ed1e0f3112256d63b67b0fe43dea
SHA512 e281449fffe7bfdb99326c01bbe2a9a9c66d40920a2f6ea035c3464cac28cb0dcfb1897dd92a7c0c59a98766ca55a1aa06886310d11b78e7ebebaed4019c1cf5

C:\Users\Admin\AppData\Local\Temp\IQou.exe

MD5 e8e0efbb989c4943892f24cb1d5f8535
SHA1 8316f5d32dc5675607b760ca8596140137735c32
SHA256 6a51350d6159b6acb3818029be0a1037324330a88639c4c145c4298336d51dbd
SHA512 23c133a460b9c1c4a7e34121cb70165b880aa8a757ae42831d4363da86c59c53444ba41efd1af78b2cddc674b99c2653f32052219aa8b8bccc9344e964ae74c5

C:\Users\Admin\AppData\Local\Temp\UQkI.exe

MD5 de5c491b7f5f9c57ffe3d23136e71b02
SHA1 2a872b41627ae08106d181f6b1f81acd100a5d59
SHA256 1a1933f6ead1fbcac91d771bd1a454927488df9a6a1729dd48100f72ec74aa02
SHA512 367c0f6e287454d69830c556b6000d977eba1fb4b4beab9b26eb6daf5e238be1be53b2d958935e0582a3e820fca1a5b07957da2f828dec9c0dfce56883fa95a3

C:\Users\Admin\AppData\Local\Temp\goAW.exe

MD5 ecc784fd943f40d4d82923a6aa539f7a
SHA1 9de67c245bc965fc0c86a275fd1815ee15f96bd7
SHA256 d8b04685d1bc6068d976c18747dfdfecd6993f524aa320fb410f8da47e49c69e
SHA512 6efb7769ea4e902e4bfedf80cd5c2a55141f1868249be64933e0375d0c0550d205ffff5471d21f76a8888b195e709be380764816981f6d0f9f586c47e21c922b

C:\Users\Admin\AppData\Local\Temp\xookgwkE.bat

MD5 9ad08bb27bc4bf14286c00b399bc3c09
SHA1 e4d2f8b93ca367f6f135597a3ce5f00cb723f76b
SHA256 3430bab57c6d995cb462a6c58532acdc72572341f4fbe78e3b95e9b4b1076e32
SHA512 2e7a9d67f5180b22a63add4313de4d9db59d0f648e8ab7acfcdaaf85cfa51f57eaf2ed2279bd043e7fbdd0b694f61174fa6ffd3496458e7f0a336c892463da71

C:\Users\Admin\AppData\Local\Temp\YwgY.exe

MD5 da98e00a4fd8d3c0002764b9c70a62cd
SHA1 9b9caee5dd3bc3864757eff1c7c86433e583146d
SHA256 825f3588cac974da4384432af86183df053580ddeb36c77e1c116debc1e571fb
SHA512 7390f2d667ca5f9963aa1845d7df3e2b98457735b525f1086447d4d7ceade79ad8420bd2b7069bd27daf29b04463a6218a292fd26ac9c648ff9348aa2000dcc4

memory/3064-828-0x0000000000160000-0x000000000019E000-memory.dmp

memory/2068-829-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2360-838-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsYE.exe

MD5 6dd48235ee030543c23aa73b9a06b88a
SHA1 e6ced853ad930be0674f4faf734015abc1f2278c
SHA256 caac1ecb2a9d2946d03093f3797d6c9ebe9a23e20c64610623a9e94ce50c6eac
SHA512 39f3d7c0a0cb97a4139a6a00e354017e928dfd7a8e382f041c9c4aac2db76ab4091c26634457fe54218848e1f7b57ac8fed4437c663e169de05a7b8603b33c9b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 b430108058e7716d079dc471fd6c4533
SHA1 e0040aafff07e8b3d301e2ea30b2ad628fdc1225
SHA256 961da70472c6ae19d6647c8d3dd146e368a690d328808bba6d3ded48fe7ff9d7
SHA512 80a1070ab655cefd891d3a9915777001cfec10a50241d4c48e5aab6549e6d744c033a8382a681172f1c644b504124c04f1d0ef25e42b97649f522c7d9596b4d3

C:\Users\Admin\AppData\Local\Temp\Agow.exe

MD5 33e87adbc94f6a6a654b4551ea2a32e9
SHA1 1d8affd5b6b22318a68934509559a327cc80c434
SHA256 ea66863cb7e060e0fdcbc0bb64a0a11e4d66629f0f2e913c90147484e25f4f79
SHA512 ab4343920a67e6dbdb54005279bef67323d75499b442e3fcfd00737cf782d8b598413353c77bb9494c698179d217116f141303190b7fd1cce484c9afc05994b7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 2f7a32d04e2c141f23319f2cebf2a141
SHA1 8f5f368d54eead5f9cd3f67c127ef71fb5f0fe7f
SHA256 e4cfeaf339127faec242d8a2bb8e101c64eece1e9aecf70ed63de2f67cce5c2f
SHA512 2683dca0f2407570885dd9549db91d38975282f3cbcdf99540e764b444c581924e1de41aeac1ea8cc958543ebdd557a8908b8e17a901ac0f946a20109beefb62

C:\Users\Admin\AppData\Local\Temp\eIki.exe

MD5 74660d0496e8cce9651e79d8135d56c2
SHA1 c56caac0af56dca7d6db622834ed0d4b323b5904
SHA256 567398a5cc441c6c4be556691cc39c6336cfb6e90ccd9af859c812ab07f3073c
SHA512 78e4f061d7afb41a586743f1bf17bc335af2d8cc0174ae1dc2171376f6d0fec35bae9ddb92e83f4144789060b3e3825abce3d138b5cb98b95eaff96df254de68

C:\Users\Admin\AppData\Local\Temp\pUwEYgws.bat

MD5 fb2352289035c0e87832d5fdcde19e10
SHA1 74e925611c068f0f5436fab0341611500b35d2e8
SHA256 5529808b886b27c365bb956d29a2e04b03ff5b09123790cf0459d914bb0d7eec
SHA512 12aaac0c04332f0e76f7a237f99bfbd8e14e185268badde29a27452d832db0e6948b69db3b54837fa6fb8e7b53e18a86243e3cdc13d72f8c440a76764abbf1ec

C:\Users\Admin\AppData\Local\Temp\iQQK.exe

MD5 edc12240b9b5e5e9f94833eda1f26ce1
SHA1 b60539ca45f425b994711d9c613259d73956b5d4
SHA256 87118ebadcb5028621b39d9f39552e946b38351d01dd27c53844bb4badcc9ab9
SHA512 daee1598126b76455f1218cee56f1de022df1b693caae55a66821a9995f01f91808a66729fa79a23742a9e1b8c8944f12a0ced0f0812085841c701263b3035a5

memory/2700-939-0x0000000000430000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wQAY.exe

MD5 48835823ee3a4ba30ba27deebee8784e
SHA1 b5d32d8891259192c4d38d2cb61ca9dd1339e1df
SHA256 6c31ff7df97b4646a8e0930228f2aba70a9311ca66cab6bb7fda507d946c6209
SHA512 eb8b5e811dd260ea6b1b723fc794c5f3581b8c85747cd3723957e42367bf54c1fabfd5bba2cd9a6e962ab88a810cf0faed4c34f8de4bb0cc4bf6742d3a68b5ba

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 3f939cd25d006f3d22794768bcebedad
SHA1 e02ff344ce424d5a9788b5344389d441a20c94aa
SHA256 ee979cb963a7da020c886d430960697e72ea339e1af3bf5d1287f449c3fccaeb
SHA512 0c4d005a03bd4ff27e76b4531b7ec213f27f38183f5c2c7844b92be37e7c41e5c8f5e902f87926484f8c12d71450178b0ad645ba1bc9597b4183231690514fdc

memory/2068-961-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMko.exe

MD5 0417ce5a1920124a966c538a34d9b162
SHA1 374fa89d48621afebd69af8b12708871800666ca
SHA256 5251abb2463db429ca1366a03f41dd9b9d049a8416ad84709ef3319574f4ff99
SHA512 d497fa09061100c5c49bfc4fb54cff8eb1d387160b3c3b4e7f399746b1361b945b2bccceaf96cf0847f458a94bf4cddeb5b00bc17d59f945ebe05e470d60c3d0

C:\Users\Admin\AppData\Local\Temp\EQcM.exe

MD5 528ae28dc50a4780566470dcffb59863
SHA1 8e34dbf2da12f1e27563cefbb04219a46a62c23c
SHA256 25f793a8b8d6364430f902012dcba0e242150a458bac4853b2f0353968188cfb
SHA512 54d2f2b97463eca9d9ed59528d095393c1b45baaa32800e9a604af6f5af3120c3c01f56931ea48f6fb5f94bf3cabec46bedc3a93b5ec067873c4b00fec670b45

C:\Users\Admin\AppData\Local\Temp\coQQ.exe

MD5 7e64f2a2528cbe32ddbcf2affe00da7f
SHA1 dde59c9e2202fc31bc401efb82bf2aa3b179e5f5
SHA256 b7903b907f5441e54e85604887e00e720fa641ffeddeb5a779d9cb17f2702dc3
SHA512 441598719808c8a13440edb602572a5165e27681e10df955ccf70317d9c703febc792fdf5155ec91b312e26f6d747f52e2c06caedb41adb8a179579a205990bf

C:\Users\Admin\AppData\Local\Temp\SwIEAQYI.bat

MD5 6c4c005fc3a435a7c137d9ee5a6ad3ef
SHA1 e78ad2f86750b88582dacce936bb6434346c4834
SHA256 910752803c25c74dd0c39dd62edfbe5f73616a9b9e66c7551556262d959f0368
SHA512 608b7936aa3c54fe9a456eee1a1edd9c4c898b32bed0aca8753355002805403e3e47d7c1cc0606cd29cc164742428ff6cbe0e528f4e8101206c9fc2ed677d4fe

C:\Users\Admin\AppData\Local\Temp\OgkY.exe

MD5 d700ef7117596dbd0b22ff76ada50166
SHA1 bf517435b4aacb3fea952fd670fb3e259693efa0
SHA256 f066a9a6a2fb9f13a52df4a5480924855920cdac09897bac2b4bde29fc2281fd
SHA512 d65a796b2e45c6cbc7e1c079d7e47884e78970701d0a1454b854d6f7146e731e56ecf86798aabf50812af2603bb44c446d0dfcf25cc9c2bfbbe2a7adab0fa765

C:\Users\Admin\AppData\Local\Temp\QAAw.exe

MD5 1b3338bdc86a81a3a34e5753cc5ab87d
SHA1 6d860f98e04a6ecb846ed20ca653be25e0840e5c
SHA256 4db97ed56d5f9292ff0adfab50bafcb09a2be4f81d811150e7a62172625c1e0b
SHA512 30abdaa1a29e39ac20d2b134afd003bdb7abde8296484fb356fde624acda56a843cf7658a70e6df0d08028a064de764dd78fb440d863d44b9f0501b03a3e39d7

memory/2976-1036-0x0000000000360000-0x000000000039E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mQEi.exe

MD5 8fb77cb9f8bb3831cc80456bd934796a
SHA1 7aaf5599eda42cdc3d37724fbbda82df3d7e9ef3
SHA256 d949c3445b71e5c64d986e257db7431326a07eaf9bad20b51f9e40e60b802c3f
SHA512 831c68f2f5973aa2b013114390834d8b382f192c6d74b1e28bec9cf0b19f2ad8be9358b79bc5da79a5db144be58b3f45ade9800501d0a5d3675247aa0c951ddd

memory/2092-1046-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAkc.exe

MD5 f025fc99544acb50171362947cae841b
SHA1 4945996828d2fe0b4aabcad428543fd6066c720d
SHA256 683871909c9ac6d392048b74c63bd477926faf2d213a7129119e82905cb1d56f
SHA512 41bc3bc85542bbc03c35ccd04898c70a7183eb6e767787ebf7b86057f8dd6c3d21f87b62129088c5db75a6caa38b63e797fd7b80659700e1e092efb542dbba91

C:\Users\Admin\AppData\Local\Temp\gIsI.exe

MD5 e8b946940f7238f1fefe3cb158bfeefc
SHA1 e873e53a20f93ef55c9e50b67e21836d8aa01c1c
SHA256 dba83fda631be4f7507507f7ccd8f64734a038bfbf9ef9f962b9739e6d2a65d4
SHA512 5a78e01e05bc8f8c61ec4333314e6d01c0a97e11df8160f5e6ed4c5f2d30256a951151bb0695760bca5e016d542d569d0141ba07a0f3c531e7fc993f87e8d1b0

C:\Users\Admin\AppData\Local\Temp\CQcI.exe

MD5 f8cdba3f2430365f62848f16f6ae3eb6
SHA1 9f4fbb1aa8302c1481d7fce004991da66502c716
SHA256 60b6e744552b9fa1940bf1b1bf2b3fb6107b3122416d183e62eb84f0cf4a7340
SHA512 abf779103ca909b6125c61e9509b9dbffcb2312a8c91df353b401237f8127e2ef7e6a3b210cc59ad52499546ea0605ac80960134f7f7eacb1efd8a2bfc7f8bcb

C:\Users\Admin\AppData\Local\Temp\ecYy.exe

MD5 5fdda068f292ce6d188207c25b0cc512
SHA1 bd81efbb7977d356f07b1bab770ea871b4a1255e
SHA256 13644239434a7f264a39e3587612b2357df6e241686bd26454327ff920a6b720
SHA512 d008d7bb182d90a930752b3587e4ff06b6977f5771b9a3fa53004471757aa62f47429b5045d726a654051c8fc6815b03f688c2e060dc790f90eb6580a28dc752

C:\Users\Admin\AppData\Local\Temp\cQQAQQsk.bat

MD5 f47e0ab01a031e31c2729e9054b88b6a
SHA1 e7bacee61ef556c672018afe964c3be3f7273196
SHA256 2e0a4a98e7382276d67acd3b0ab115fe9427c1fa49d599306bad2fea11bf906c
SHA512 2b2915bc30817fdacd53c5e9aa8d4afdb11fe3deb4bbe7790cec0a2e3e743b8f951525df68b3cb6f7a24068d1ee7d2d2f5d8ffa7a9ca11256b32e4e05eb70fd2

C:\Users\Admin\AppData\Local\Temp\koAY.exe

MD5 c58ab1fdf8c5f1b1a83f1bbb6428a2c7
SHA1 02074494ca7f5d19eabed0bb984ca3881fe8f06c
SHA256 80e55d58f1629a7684c9e41da340a6fde8001826754f53dbbeaef3b78581f0c4
SHA512 13946e6a4814a62a04df4654ee49139aebfa54f0dbb8be48a2b0a735b235d2ea68f55273d5d3b817149a23df5a60ff6da551c7235a307425b9e0dcb10d72006b

C:\Users\Admin\AppData\Local\Temp\SAMm.exe

MD5 62e8d08a17c9f451c781a954e935a493
SHA1 02c71b49f3e4e4e4264b5c5ddd31dea842ac8a5a
SHA256 175fc99e228542360cdfe72bc3450d75b33669abdb2204c9698262bbd0018f24
SHA512 bab816a4899ac9f1718d8906887bacd05291bdd293deaf6b76ee641375ff1788fd929eb418907bcf2e25b24d4d44a93fbd01108b6340e9e6b4d72fff562816e5

memory/2924-1158-0x0000000000160000-0x000000000019E000-memory.dmp

memory/2160-1167-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uUMY.exe

MD5 8e8a631b06750ddc1d76f9d03ec01b7f
SHA1 014e5f6e586c86642ed71ce65e1727239795ee49
SHA256 b1a1d7b32e8ce206ec337f15fcf758095e935c68c6bb41f54c39b7f754fcf581
SHA512 dcb07df1a785fcaddabe8688e661f71fa8e1507e1a686324a29f2d001e009d06bbfa41e9712b4c420b1e94eb1414ba6356301f62203ed4f19423da42e46edd23

C:\Users\Admin\AppData\Local\Temp\OkoG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/1960-1168-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\owcY.exe

MD5 e5bb2e1bc04d59483fad9cb104e413b1
SHA1 fa8a2ebcd00b5409b5eac47aa20c25e77da7ff27
SHA256 ad0b555b864bc34bb98d38d884f5f51029ec59619c5ac3d58fe9221db87d3b75
SHA512 88704e0a06531066bb931ef13087ea8de1053bfc4809a5d5099c82ee3b05e9c7a8b08f2acdfde9384efaa5cb0353d9cf7446d354dabb3816eb84c1f4972a94cf

C:\Users\Admin\AppData\Local\Temp\cYMa.exe

MD5 abe87d14104752c2071f1fc3b3acc183
SHA1 9e1c1042d2f8256a801ad1a97f80a83eefe7f777
SHA256 394ddd50f747739d6ddd790bf30bf5fd1e44dbf4359db9d7561805c324162c04
SHA512 3dfbb00dedd3e131e415803fdc23642fa8d2c4a7c4409ecf12edb6f4a2857cc3f8cbdd92ee62819ba47b39d8b5535c9ec2425f6674b8212f08a9f195a06a5dbd

C:\Users\Admin\AppData\Local\Temp\WwgS.exe

MD5 7430482bd7472c603c80be63ae1d6d85
SHA1 13bbcb7f72f8c9ce9bcb1b68bffbf9af3574f090
SHA256 3bf1f37098962bfd32dc1c50b26a1962718a29c5359a03e088c1306654e5ef7d
SHA512 d27a8d19ef4ac1eda2d75e4564c9c76c30c9f6d630c357d30195e3f258fc3fe275e7480aef470e2dfb8a3cfb3bfd1c6ccca56370ee2642b9cf4a1339375cf1ae

C:\Users\Admin\AppData\Local\Temp\gWMQIgMA.bat

MD5 c706c9a0b8ee719c3ef0d21cf75137cf
SHA1 db42fc803797ad7d936970a4bed248890b52a271
SHA256 7edb4b489d232359bdf90c62be59ffe88fde53c5097775f6f050fff7de79a66c
SHA512 c100a5ba0619a0db36d168773eae8484d7e1f7b417eef6bf6baa68d6007fda946b2c506a776022a196168a446fd9def5ea066a4112603d9a76304754ebf33d85

memory/1608-1230-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2152-1231-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1960-1240-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iEoM.exe

MD5 b3f4243b76ec129c049fb9c93da2dffd
SHA1 7229395e3489f7636612c2fabd4e0dd04b6eb3be
SHA256 37eb438ce23c6ae206da54a3df4b38793b4b8a72c1f44c217c19daf68d0c6e2d
SHA512 a5decae04833b7751422a8d1a422f3899e1608782c2cea463368863d24020cf8100bdf55f529b5570291afaadf3d236758798cf1873e7b665cebc969aeac4950

C:\Users\Admin\AppData\Local\Temp\KoQQ.exe

MD5 c39742bcb9debcb47d862376ff6873fd
SHA1 f17b40be844443a24a4581fca74ee7ef070c6d27
SHA256 1ea4786723955ea4602631f1986b3a50f2c740391edbd400e02bdcc6dedbfeff
SHA512 c8750ec47771a4255d5dc6602b6083f204dd799253ae41efebe343ffd378be99323c0577b12296aae7cee01d2b7dbe2155a29bd5a36730d38bb6d4829ea9bc9d

C:\Users\Admin\AppData\Local\Temp\isgo.exe

MD5 4fe01d140279ec2017a8eaa20383264e
SHA1 331edbcaea6b74dd9b384ca2c692b9602d8ec712
SHA256 3d2ed861ba715109c2d7cb6cd4577d6d904084c5a8e30b71127da0afa32a8cf8
SHA512 dadefe17a8a2000af9d653d6532fb6af8a4b3a65fac5cfaee6f97140682770bfb39b5738a0e385f4f35f9fc77ad08a51cfb3e05e17af2f8610f4290ad0b454f2

C:\Users\Admin\AppData\Local\Temp\meAMQsMI.bat

MD5 9d77d0e1b70533892a139532bd6687a5
SHA1 af13e9cf848d2d21fe1f0845829b93119ca4b1af
SHA256 7bd0bfd5691538979f6ae67ed519800195109a7766b7e3d62bb226d67fb6fdfd
SHA512 4258d90df5c706d6b84d5b29f194a4e48c0b01ccb1ed7e4a5e2d55bad13b22603165486febf6f8d1a986f893f7832cae7ebb7ef305adf79bead7ab4d42d88adb

C:\Users\Admin\AppData\Local\Temp\ockw.exe

MD5 d5216033a4db3561a4d5d3a414b9327c
SHA1 1f89657dcaf380fd84a622ba1d5ac0a037477ed4
SHA256 eff81279c74e241a17f1d15084ba736c0ec1111d03e5221a8b63cb29cf16b00b
SHA512 c0c9d4c24e2be6f91cc88990d83174ae675a63f6f8ef00c39918950919976349ce8a39779aa29f3d164817d2cba0045990311b650a63b248e562eadc8888a157

C:\Users\Admin\AppData\Local\Temp\IYMA.exe

MD5 7a30ec541ba642996bb324011e47f235
SHA1 da88a83a0e6825508c94bacaf26194bfe07cfe4a
SHA256 2bd3371ee67debb238882212ce437bf45679e07e6cb6cf65542f8bfaa17dbe05
SHA512 c82d38ba3507ecbd6c0c8afd82db817e3ae3080c50179e39f0a900369c0ec41b9baa3d634ea0febc3695a1bddd779eec0bc8d18641cd163eb8aaaa941298d59a

memory/2152-1336-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1836-1337-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1712-1339-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wkgq.exe

MD5 9e32a6cb98aa93037140a0d9f992c581
SHA1 fc27b30cac306f817449add350198656f22735ae
SHA256 f858f577a417451d59bbe1ddbe4858bcf37fea72f7e08bcb67b312ec12e7667e
SHA512 557f9c6cb9c0af82d31b85cc8db527af2ae9b77f3eefeab6d6aa407e244e58a65fcbfd9c8e3f3038547d94cad59cb6941738f3cd05390551b5ab2b231fec1943

memory/1836-1338-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MUQy.exe

MD5 e7f089e94dffe30a4ea40ffb6f36757e
SHA1 22b9599b787f8bd221f35cb32e2bf1cfd8991070
SHA256 9cd85d2cec7810a4ec79f9bdb22a56b566ba1d9eaa1cfa1dbe00a5cc1d5e164a
SHA512 988ed0b51202334fc29d670feec5c12af84db2ffb08583a4776f723afad3a8b269efbf04a85b6f7bf1fb4e1a1d3f18ab08743ad1bae1f572652427e3641de2d5

C:\Users\Admin\AppData\Local\Temp\EUwm.exe

MD5 29c40c4650b1411294dc9dfb91aed9f2
SHA1 538cd8033c693938b81be2b77db27542329fdd19
SHA256 3f7031cca39cd493bd41f6ca0a39ed0a1cf54c91f7fd07abbd45b57a17fa657c
SHA512 d29fca4ebacfcc328560e1926ad79f5700e1664dff8cab3f93e655db12400aa07eff75fcc0b7ba1e95f64c903da829aa511170a9b0d8ce3b61d29a9e2b950665

C:\Users\Admin\AppData\Local\Temp\ggIS.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\Documents\SwitchUnblock.ppt.exe

MD5 57e9671995a65d004eb8864abe5974c8
SHA1 c86765e8b1079f86cb5b9eb20a6588b23dc6bf3a
SHA256 9bf36b7b488631440198436af749a5fcc19595d50ca7658c11a75d7401efbefc
SHA512 da4b47e63eeda1d622f19b698c3b3925f3b2f7bd797124eb7604c6bb4b79e6cbf132143d7da314c934f31c702d2ea3e98f97871733b29ea25ccf5e15b94ce353

C:\Users\Admin\AppData\Local\Temp\xEMMIEgg.bat

MD5 e774041dbf86062f5809d77805841f6c
SHA1 7a620222fc9cd7f6de04797f1ec9c3f62e76c7ef
SHA256 fd8974ac1adfdef89aff17ba84284c04af8bbb65a0b44b90a5f0100f26a7e99f
SHA512 6dc15b2fb3adc2cdeebd483a7cde2e9e37283e9e690ee61904cf8f4d7dd9d968f71f32697d77019878ec6930fa03c5a47a0238c6a29da310aed1e609c2f87962

C:\Users\Admin\AppData\Local\Temp\Mgsy.exe

MD5 cf71c863a5b187dac1b68642b41869eb
SHA1 493ec3e80fe7d9ad89ca0b42783b78669ffc827c
SHA256 82e6206938bc2ad37c5b574b888aa32c4f4323dd97a10d506b561aa1ccda0c7d
SHA512 67a0a9914fb30b223138b6ba01a570dca18a1042e3532c1074631f34d169719c847fb253f8c08dd6d4243f425e8013cb52f7e3493842733221609dfe97bec0df

C:\Users\Admin\AppData\Local\Temp\YIkm.exe

MD5 8804bb4e0fb023422225f5cd83145109
SHA1 fa75cef3a9d14f380f3ee9511ca2506758d0c7d6
SHA256 d568c51084a08eac7cd7f2b48ebe56e771f92d34b36ce8dec7fd529c0724d6c5
SHA512 285a55486b73e44f0c501737a47f0ace7a5d8717e96900c847599c109dd9666986dfa4574c8db796d355880dfeb626e416636c5c4e4003a9d58fb0d7f324ec0d

C:\Users\Admin\AppData\Local\Temp\gosQ.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

memory/1712-1434-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gcow.exe

MD5 f4a841356b69ae13e17a66ff5907b3fd
SHA1 9a1e4184381a7024d8adcf57c73bb97a34fa66ef
SHA256 ec1c56a81109225755efed8fdbfbd4b39394727e837e9bb9257c92adf05dea37
SHA512 9c1163578391ad51a414e43fc9776fcd1523cd74b3f7df543f88d7951906243daeb476797b806dde4e1bbe1045695cebc5a31dedd8d15aecab4271c4590302b6

memory/1604-1436-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1604-1435-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkwa.exe

MD5 cb3c7e90e122be0927a3fc1fc0f0f0a8
SHA1 3ab87977796ede50242d954904c0fdad9ff89ef6
SHA256 04fbba2a8ee2d2f4d4d0b62f7147949231a941923d922d5307f0335801de506b
SHA512 1578e5d5e9904920b61db3c23ce3b11cbea3ce142a6abc57e890520be7e619ee3e191855d669a8fe8ecf45f1e7e5a06cc1123f54a84946a044a970b6d3b19a52

C:\Users\Admin\AppData\Local\Temp\ggMC.exe

MD5 60287c1920ad46899ec44c2a533ec198
SHA1 4a14bd9f964d126858e594ec3c2f5430d765f091
SHA256 64db2c8cc0e70bc0fc646a67df7c0a8b99449253e32d4e50a2e9b126eb249da6
SHA512 ab78e2ed313ea4ccec5dae6a9417ed6c55f9483caa288f07bdf4d68f08760135e234f32e1db0ffa176f16562f3adc366312752834f577a09c19d51f6b6acd134

C:\Users\Admin\AppData\Local\Temp\MUYc.exe

MD5 81a02a5b6a76e71fa74b4146866169cb
SHA1 7d04ab32a09f80e106e974db82f0640a126fb478
SHA256 166394571e89eb33cde735a91ab0839bf9a6e2521dde7ad45e5160ce3dfac39e
SHA512 0c4fe36918cb328e1a7c53e3191036d5f25b8984a5af00c390c454e61f930bf437ca1c4a354a602584f4614e5e4360a8aa4211cb05d92d32d1779f72fd4fb406

C:\Users\Admin\AppData\Local\Temp\mQAy.exe

MD5 3f5771d6d13c712c600831cbb7580537
SHA1 dbe0a94323edb08620acbbc0b412eb40d5a70a6c
SHA256 677b018d0802ed97a08ae90e2d08e1c8a7fd11d783f8d65efa3665554755989c
SHA512 050a30beb775b7742235dc3a04af9cf802ab5928fdb3fa473e375f8ea6bc41fc8d3cf645b32790f03dfb0a41e19d794c975aa0530e70e580f969ac8f2da4ee38

C:\Users\Admin\AppData\Local\Temp\AMIO.exe

MD5 b6406bca6a393f3c665b37b1c7d26508
SHA1 a8842ff0f5e0b3d3b8e3c8a12cb1fd44117aa144
SHA256 d0474eca45c5dc45a4cbe048fb069d08e62d219395d372ac098061f9209afa37
SHA512 c18e4a047806541846f71c0c4ba66dbc1d1ba07dc86613eee3892bb93df998ca172b47f8f0961a85eed2d97d091460bcf18aeba9bcd6c77f7229629fa8b36317

C:\Users\Admin\AppData\Local\Temp\FcgAoQAk.bat

MD5 08fbc246331544033b1650d73878c1e2
SHA1 e115b6869d558e3f68e2c9b874ebec944314841f
SHA256 dd080ee7be3a1a51d07f65fb04f8c96df9026c6584cb3d41b0f64de722963c66
SHA512 ff293cb44f9e3cbb6e80bc8c4467d8f4d4b43d40517d0fc7161ab46aea70ea4c97c0fe10f8c49b0ebb1018f814fc9d362580e2247679d687ae917ddd5e32525d

C:\Users\Admin\AppData\Local\Temp\gMYu.exe

MD5 daea10bcea732ddf1f0b38c73361e34b
SHA1 2b1c74902ad6f807dc48fbb8ef77462d7c12a383
SHA256 4484219386c50dca05738221d8627bb128f547e7bb70b4cf0c6a0e38513e30f8
SHA512 1d141bd10f3d0de5bd924d0dddd541fce3d505916e521d7305bdba92491ab9124266cba897ad248cccf16cf8313b4ebcc15199a2f199ac35419701ae34338fde

C:\Users\Admin\AppData\Local\Temp\WkkC.exe

MD5 ea7bbc4dfc82d3d529ba6c57f461c863
SHA1 147e6cb93df74b937f6be6ec5fb40ad2f7952333
SHA256 ea4ab1f8885b9dd969f240ae642b8f0db55f41fe1b7fcd3fb3faf460d8e639e0
SHA512 289f2dfcea1637c41c0190d37f3214f5e02fe6de418ea5b2a530fc156749e336b16a251c6ed7089e314663ccba37b0b0b12babc5ede92e8ebaf8c9a331fe288d

C:\Users\Admin\AppData\Local\Temp\EIMc.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

memory/2392-1576-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2492-1575-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2112-1574-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2112-1573-0x0000000000400000-0x000000000043E000-memory.dmp

memory/300-1572-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MUcU.exe

MD5 1482a01c669faf7332b4f58f98d79226
SHA1 c02b5a5294a724aa7d07b73a86bc54e1f35fb9e8
SHA256 0b6e5c8281a2cf2bfc33ec894d58c9c0edd2ba6c5d6c8f578e2826bbbb6a8360
SHA512 767c344894b699846c42c9a0726ecb6f95a6c871e8006372db511d4dd721345ee534adccdea3abc678d604eeb57d1b2daab391abdee181a2767e4b66bd71c7bf

memory/2932-1558-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SMUA.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\SsQU.exe

MD5 04473e3ebb8a7a1445edfef68d667cf6
SHA1 aa711b637a6e7db7a90456f4be0638e1a1cc34e6
SHA256 c183f9883cace88cc1487982e57e2f08a7ec36bdb7feea2a6c76ba3d71ff8bc4
SHA512 11e646d912e444b4cbd5d04d48bdf7da116ea812ff2cb9f0bcdea3cc179ac361d5c3ce311e79d8414b93242d8897d345f258de6515e055d6b8c729f60f0b132f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 2c0549bb304ac8c4214e74b0de914cee
SHA1 09e8c3bd5dda376b8034ad0a1152f77245116a97
SHA256 e723ea8539f0fae8fa1e0215ace165decd2f612aec4591b8b5b7a7036b5876b6
SHA512 2a17ca3a5fae0a246a8e67e734b04b210b838b23ef0123ee2bd233d3255fb80a514004ea2b9e58619293f4b81c4b3dde7814f972a614b6b2cc8ff42dd09f1de4

C:\Users\Admin\AppData\Local\Temp\rqokEAMU.bat

MD5 e4661a5e800a3982fbcd094ed795c3b7
SHA1 dd8128b4a3e30f91df24df81059490478d53b52f
SHA256 7928bba8b917685c01b09417c5787882166ef5d8ae9ff19b2e2a62e2de0f44e1
SHA512 1800c25c2d7f84dc860a805f705e8a60c51183ad3e572527932a1d421d3c6febf62f2dd60eb71aceb36c1b372553303335efddbc6be7eed2c7d93fa8f0817528

memory/916-1615-0x0000000000260000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aoQu.exe

MD5 205f0f832ef1ec225672ba408312a11a
SHA1 4aeb2a0701395d9d64651d33506f6e58a0a9182f
SHA256 ab8c810c08288727701303e75ec68553a09bd970ef8dae5f706673ac4091cd5d
SHA512 a7e7ee3079bcd078e6b2b843c02ff1f50474bd745b67f4531dd153b4f8b8da09ca1a649e2acf281f122b6564fb19c6871adae283a16359f834ffe73e7663e67c

memory/2492-1637-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aosM.exe

MD5 3669023149f290e6bcbe2cdcfca4338d
SHA1 dfc918c83d34c974941afc18b38b557d67f0e75d
SHA256 25b726c584fb6a36820de4fcaa1bf9d1ec9e20a599de9f5c8e41ebd9f4e8e2e2
SHA512 78d6605f9db0312d5deaea4e71114dfbfae63cb281a81253f72dfbbf729e10c2cdd0ff5b2c6a6e109948eba7392174d1699be6bcb47f5d4ad51110b56d3665f8

C:\Users\Admin\AppData\Local\Temp\AcgY.exe

MD5 4cb220d8b95aa1b1cacf3ae3c7fa37ab
SHA1 1116ea6c0f06f7ccf7031d6db228b0fbea9ef91c
SHA256 377f49adaa2b384440cd0a9598fae93b5ecffc18a1e4039b96be4706950f6d3a
SHA512 ec9feb865655d043ab2703495a8045dd15444500d679ffe76daa952ceca2921ce602df6f6a8e14243b7542a978eb0779077da38065e13200283362ceda43bf38

C:\Users\Admin\AppData\Local\Temp\GwcUUUkg.bat

MD5 ef67c957dd22e0be3b462717e6286105
SHA1 8a2c7a0b98e90811dba3d8caecb9e43534d9900f
SHA256 8e6444e8c8efb1963934e884c07952455902c1321f9997f872f3d3ee19c5748c
SHA512 ac4592c1375ed680624643700e9b3db29b37c6286ba0739933755f530afb2cd20fca67a31f129439d9b83774e87cb2fc48e28c6348f941f2b6ab0a8d9357360b

memory/1356-1682-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/2364-1684-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1356-1683-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/1580-1693-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ksYg.exe

MD5 e3b8b886d185cc2059a342557daa5af9
SHA1 2bd7853f3b7ec7a5e7430a66a4759c78a0adcc90
SHA256 02da39f889b0076d78681be6ab2173cce1aaf7d59cc2b757947fcc64d2ac6a2a
SHA512 f7444b188087316c4fac56fd86630fde5342e2a30431f29d6d0afef4e9340eb2526326f11982a875630462b4e077a21819295a5b561ed3d61d26c4e3e1fa2ddb

C:\Users\Admin\AppData\Local\Temp\msAI.exe

MD5 29c9a3f2cf1a0ac7b094109bd9c0b3bc
SHA1 0af524300b2d1e92a42f8f087ebbd7e2ec3bcbac
SHA256 ec3259beada6095ab894cde42dbcca99bd39efbed8059b23bd3b7c94d00c7174
SHA512 dfb514e7a29fa374fba9ec0a38b243131509c08cef01e21386702e4c77bb010e44127d7aa0c4392e18a2183b04f9de6f2ecff89ecc8b1f4736b455e14a650047

C:\Users\Admin\AppData\Local\Temp\ggQs.exe

MD5 fd4c9440e86ba058f00bbca23367ac66
SHA1 9eb6167e8ba98eb0cf051d8393b0cc40a817a99b
SHA256 575360b059b55cf6b6693a9f5e2438f786a00f75f71fb5a7e82916103ff89c4e
SHA512 b057885828b574f3fc39270dc7871e05ea251106e70368e534495c8f99588bbfc7977153d23dc795cd828339a4a0495eb553ff1765644ff671bc62143eec7422

C:\Users\Admin\AppData\Local\Temp\gwEEwoMk.bat

MD5 f70d187d15c26bd4453d256bc52b781e
SHA1 c93f439d4aacbcb725907a094dcd79959d3faece
SHA256 d23fd6277b775f31495d9c5daecbbc0eccad8cd6d40dc099c24b7aa14a21bc3b
SHA512 d4ddddc4d37db94677a52338de1031281630167c35cb8e4ff7954de310665bc9d985b3b75b063e08baf10e3ca332648d219efa5eb4ff957793b22b1dadf9aa07

memory/2356-1752-0x0000000002250000-0x000000000228E000-memory.dmp

memory/2356-1751-0x0000000002250000-0x000000000228E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CQUO.exe

MD5 4929faadcac18ad159d50679b3eb2775
SHA1 3b778c52369ec72cd9ea241e562fe0f53ea1354f
SHA256 ef0b96909b9fbae585debda53dd91bb5113988b45410c716e944d2b22a89763a
SHA512 dafcd1e138a4e7f0aea297cbe8fa849e84eb58754a0ee40c34ecdff37f3e07925b92aa35640039c963e53111d140d06b68c28385bc4e82ddab0718238346aa07

C:\Users\Admin\AppData\Local\Temp\Kgce.exe

MD5 3a270362f6fc9b49b8410286cfed4287
SHA1 2c7a98f47be942734db23cfabe80216e0d940d9e
SHA256 89fbd4b1fda14472f5768accad6125979181be552599dde56b4b5704cea47a58
SHA512 4038c1cedb24bf1ab7c51bfe5e0e9f2742d1900611b9eb11898e17853cf90e7f9e2f4a88a8b645799937e9d747af431b01290bc01c125ab1a5985e17e7c29a61

C:\Users\Admin\AppData\Local\Temp\yuUEQkso.bat

MD5 e8471f5fd6377b60eb6c07b754f1c925
SHA1 2494cdda1d1e6b3c43e8add0a34cc2d127e0b5cb
SHA256 94d4f11b95b78dee408840dab12f3d2c60b912d5a741fd003bae4dbd462f8738
SHA512 51e6d64b4830ec8a9125aec7b8f6ffc6c30197794a692e57c0d01e06160ca3fee530810d0d09dd7b054398340cc06365ec3fa3a7c8a8b4cfbeffaeb982fc5f9d

C:\Users\Admin\AppData\Local\Temp\SMku.exe

MD5 5dbc773cc826e2e715e52315fe02dfd6
SHA1 2c298af1b14742ef48885608b76c189722c222ad
SHA256 72afe028c802dba49a2065c80d34e7555b6cb63ee341698f3517a365a638a333
SHA512 c57b42c9fb269660d36cf7395862c60c0aae982252085ab232db10128fb0a871dba5ac134774e3a5fafb0ffb403fa0e63c762675f675f7ddaf654c723407bc23

C:\Users\Admin\AppData\Local\Temp\CggK.exe

MD5 92dc58979c135a1f59dec41ed8fa9a46
SHA1 2352c63a3fbdbd1c3225e037bcb6713798ea956b
SHA256 e562fc892fc70ec096f05541c1849a5b69db089a3b7529a3c3cfc75fb5cee8f9
SHA512 7047f4f8d17d212b5c0447dbdb54641a7ace5bb790dd8c213b863c47bd36c053c63d2bcb949b382c60a0320e467c2a402d89d547290a0c164fa4169e9705faa0

C:\Users\Admin\AppData\Local\Temp\GscM.exe

MD5 d88c2b77989b37cd8f9443f4d7a1ffd5
SHA1 e112b4a3b895e58eb615e56231149a8ef9ca05ae
SHA256 de949a6e97b966f437b2af43c3d8152cf8f1bf27924eaf19055eacc142eea793
SHA512 2ee4d03c8e885b45ff76d0c8cabf28650a73b48520a46757f3bc90ea60e23d95e8660655eb0c5fc3ccfefef2f133f938d179c8a7e89c10eb08140baa5cf7ec04

C:\Users\Admin\AppData\Local\Temp\IkEscEgg.bat

MD5 3793ae7ab8e0cc15dc159c2cb9dbdc94
SHA1 7eeb56c11b2e3f3f4e2951341e3e129725b5aec0
SHA256 ecc383d9741e22b849b2e42ec601362312c8e67ce279a5fe7bcba84532ec1dfc
SHA512 bf641a128d2f0db06dd8d261b1001f38fc473d2fa2b69df97676d52cf101fc77f8b18e9b6740f487d24a967e70d5717508a489e11592f6badf169e68aa53380f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 6268e4809b9b9a01fdd307d33874f0e0
SHA1 a3a960e65b2392195beb8e604bd7081336ed6f5f
SHA256 d1b3ee3766566f3986260be18e235e0cfeba5bdfc7d0c6d52d5b31bbea48d767
SHA512 ac7ec585a362f25ce58c4c5fb056c17be5ee359ac19b71130e99d9331b038dcc8298b483dfef14290321a6bbfcfc45cc0f4233ca8070cbacca14811134e06b70

C:\Users\Admin\AppData\Local\Temp\ocUY.exe

MD5 98eef1aaa46ba339de0e19e428d8eda9
SHA1 ca8dbd3646b2443232b18aacc84bbe4e3b71c9b8
SHA256 d3f4ab312b292d4dc6e00a25c3aadd0d36353c0df23e071d2043a2d716c82bcb
SHA512 c2d9edc38909bd78a129bad41fa794b9383a656f9ae3b6b0a2ee3ad51196a3157d8224b30efad07a95ba73313e4731ab80b56c62babe2c776751182acf82521d

C:\Users\Admin\AppData\Local\Temp\oQUg.exe

MD5 ea44c1a07acf91984e33e612a83956bd
SHA1 977d59813d65eb56ffce760eab2d135c3b54eddc
SHA256 cc0ce644b0d4f40693da576af9d8411f4a4d132621f32a3410cbbf7de2e4ed55
SHA512 a13d0ea0352814968c80c51ea00e8c983bb087d2ebf8847abc4daf0751c92b1ff501bb25fd90d7780837d88ec9115c07718398a56f7c6104e54c6d0b9798bdd4

C:\Users\Admin\AppData\Local\Temp\luAQggQY.bat

MD5 e8345006bdf4029cfdfac62c22c661cc
SHA1 c541e194478c1ed2fd412538bce3696919de1a43
SHA256 01c8fa7f741f63a5311f80dad9486879ad51e22518dce0ac05c3ed54f21e44cb
SHA512 203becc80c5c3c57ff2ae3596279364cf46d560c592d399aa1f9812ad53406d8093e274b0cde6a27db9a0b5731dcb71f3fb24ab7771f9f5a418af7c1ff4e0827

C:\Users\Admin\AppData\Local\Temp\AEQu.exe

MD5 0a736999948e16021eeb0af53475fae4
SHA1 ba68bb8640d0f671274ce4807eae43e36d8d47c0
SHA256 c46884f804dc6eb3d111a3f9258454e7483934069da78842384efbd9a723ab64
SHA512 04929c4f80624272513f43f9debaf21223a7cb5eab6b2c846870b8b110d41239e6639c5aa09e449483f5a961b13c58e0f5538289fb35bc4501b76b0fc0ad1866

C:\Users\Admin\AppData\Local\Temp\GIEG.exe

MD5 b77f192fb2205f02857dda71103c2f72
SHA1 249712a1b7edbcc8c1f4430284bb598f8d16f265
SHA256 6b20e8594c1d467680b26e3b3e99d23902aabd97e857585b2727eeb6f85035a0
SHA512 92ad65eaf0d6d445748f232b1be1ace5e42c5f16c0ef7b2c1324c7eab922885b1ceaf93387bfdd99f19c9f92a35ba1beea13a2a986f66daddc67ccdb68f44a7b

C:\Users\Admin\AppData\Local\Temp\uMwq.exe

MD5 14bb62aff73b20ef9c93b45e717efbb3
SHA1 15cfa284af1ae61dd0c3f0add07c2ec44632d81f
SHA256 911154594b6a1b7f798a3edf5246737f42bff22f73bd7e40b814384abf9c51d5
SHA512 23ed51a362a21289d98b94c8121d9b81254e70e1d549e3ab31666c1e7bd0a37ae3c9ed5d270384740119d4febbe480ba6bfa37fb2ca9843df9f823e8eaf2b5be

C:\Users\Admin\AppData\Local\Temp\CIIo.exe

MD5 06ab5894cc7720c52a839c008658ec1f
SHA1 22095b95aafbd4dea4f17c38805fd6c22bfd78cb
SHA256 757b55ce3ccd940390c6e87af61b05f1722284f00fae837ffa0756ec5431e8c6
SHA512 94904d33308a86bdb86f61cac6545e6167f81ed7e8e14bb29851522a56fbd178ac5fff8f59278735ba461b971cdeed73dcfa84cc5bd29e1d03e705cd1d980549

C:\Users\Admin\AppData\Local\Temp\VmgUgQsk.bat

MD5 aecab4d0dfba2c77fbba802a64acc550
SHA1 db5bbf084140dc4670d10d8ed69e7d239c802e2c
SHA256 0797aa1792ed43cdc8677cf3bcf7c1c6ad4cf7d0e998c21080da64418aaaa10e
SHA512 ce306c56d7001e62835c846f46a17d843acb136cfe2f3a4f712b0bc9cef6049defaadc40a94e80943de4b89c6452d662c2afce52a7a426b35fc96b3d15d2c765

C:\Users\Admin\AppData\Local\Temp\cIwc.exe

MD5 618765840bc2e82242954593e4e5695a
SHA1 5126e871490358d16d43ec9ff55564a00425fb19
SHA256 587dd830e570679574d686e59e3243c3e5f2d023f9fd2da8674de9e4ddd7021f
SHA512 bf07990acc0ef454941c360f99668173f47e4861ae922a73d577d499e9c8051f9c3ace192666273c737f21a69803d47451883b211dd57c83521293bda9620fb9

memory/2280-2052-0x0000000076D40000-0x0000000076E3A000-memory.dmp

memory/2280-2051-0x0000000076E40000-0x0000000076F5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEMg.exe

MD5 9c3437bc3e4acaedb61ec19802f8ec9f
SHA1 e75d0479e82e1622d9c2811d7494ed3c4d0b4f2e
SHA256 dacc77fc0d8d555d2aebb72a92e66e712c608947606db31f4811a3eeafe09f51
SHA512 4b59eb36e84fdfdfceac9eca2362fdc9e1febbe3c6e01d2ebca4ee348484a30d8834f954dfafe63110461c1a37ad431b2524df4e3536a9a6cfc5f557a5077700

C:\Users\Admin\AppData\Local\Temp\YcQK.exe

MD5 6623c8771f4669289961468f78414996
SHA1 b15391d05fc4312e3923b35d25fb54feafb3c254
SHA256 6e6eabc3ae243177e71dd1871cf3b4b2c7377a5649be39315dc548d52049b2cc
SHA512 8c7e626cd779d7a8e32658ac707d68d08e6f5df788a3c155b4ed01721ba8b8b4344fb5cc05d14929fbf5bcd448a5c71eec15e2efe1f8fc3d83d4bd3d72f1c76f

C:\Users\Admin\AppData\Local\Temp\GQUw.exe

MD5 31f52d8989d4b1b8e257be9efde6a743
SHA1 7af42575ffdfae79371fdf9e6603721a65067b03
SHA256 3e40d7ec31c11910dc0d5a2a1889211674c6b97b7d53ad7166581a0fb848a9a8
SHA512 b81b2b5dde004bda818aedff90dbbe7233577aff5d705bcf2c571aa24574c715282cfff023e8e9968f004697fc7c417adec37569a5ce6ab369407312831d5ce5

C:\Users\Admin\AppData\Local\Temp\zUYkYEEQ.bat

MD5 1a1c0f517a6ce67beabcceccdd2ccc96
SHA1 72cb0af6dc6c2a37454cf8c16ce92d2d5cf60c19
SHA256 3d935c1812a448efbc4a9afce92e725bcc29a75f46c76518ea739e679187cdd0
SHA512 0e29ae9224bb2168d5418ad0622a78719485a5e4b73ceb71815f50505951689b3879aefefdf1631fccbc3119d2d7a7e2b32287ba430679caa63b7f0ae490922a

C:\Users\Admin\AppData\Local\Temp\IsoW.exe

MD5 b0bed29b746bc2ebde7fe9eef89d2aea
SHA1 0fdde87b64a39b6a626559dceabffb366e641ee9
SHA256 e468d28d06a02c37b2ae517d9865c15a4f972a8ee5a24a9084434568e756c8f1
SHA512 49da2ee91615a4ed9d97bc7b3a7521c73085a398c8d595a3d7493e414f6bba5625307780008edb963be4ebb1fe2c46996abc88a002b79941cda7cfa22d65cc1e

C:\Users\Admin\AppData\Local\Temp\EUEK.exe

MD5 0334a19e88c4daf3264d903df852b669
SHA1 24a03b659d5bd3db737eee76f34f37e162013179
SHA256 6d55daa895222cb08b6006f56957e5bb01dc8c13d270c823c1fc2728925b2cef
SHA512 42d4e8fb4b4bc465dc3b5759ef9a3363af737321c0ad7211bce2eb2501bc4dca65cd0b9512a66caf23831c072deeea250ffe7090699ddfafee191038e65e8258

C:\Users\Admin\AppData\Local\Temp\LqEkYkAE.bat

MD5 c8e5444bbc07ebea5a518906e67824e9
SHA1 85c8db6bfacb35c287dbdacb32c5a8fa30feaa44
SHA256 19473d3a63fb2c4621f3aac26abb9a15553241cd1754fa4c39305a85b47db1ab
SHA512 a345a060b14514fede825ea24a649cf2103909765a13de56c251bf186c8cd9fc2e0f6b9946698829e5e07162c0be9fa1365db3af4d89c055f3ead8d3c3554afa

C:\Users\Admin\AppData\Local\Temp\mQQq.exe

MD5 500529c0b691bb85540f5759bff3b77e
SHA1 0b6f3fef44c1a59fdd60e81b98d03a270cc2dccc
SHA256 584e2a51c7b09c8f42cca0948c7eee025a8f29ca343aacbc67f55c47dcebbffa
SHA512 22a3812500ed0017e7dbf17ed41b86ed1fee876e91616b64ac18b20e86463a3ef7674fc2ed98a921374e17dabbd5bae8792835726aa4c01289cd41eb5c86ed35

C:\Users\Admin\AppData\Local\Temp\WMUC.exe

MD5 3feccf942250eb43f4a0c95a42f0fbbc
SHA1 60fed69bc66d8c877db9e522b39e4cf8d4a26ddc
SHA256 c680b07f7bda9ca56a18cc09c76e6c1d01fb50d0b05c597bca71f29ed4e10966
SHA512 53e160f6827f8b5268c906973e8a7bc055a1940b8a7d81c800218c94a05003d99e153f61c1d27e17435a03cff1ed0c164fc8243d30aace671b90ac6186955047

C:\Users\Admin\AppData\Local\Temp\UAcG.exe

MD5 a604ef1032b418ec86c5075b1489df1d
SHA1 b000b6879849f539d94f3459f3afd2ae1527b863
SHA256 8dd87b655bc7f01423ca0a6f07ed92bd2ecaf94f76885a3d4af00f9ef1557a04
SHA512 b7c336f1c7055eac509c2d314ae26e5add6fccf7477cd454be46a9ae87ad04c009f66e6de94c8818d0bb6053cc11f1e800d5a52dae85eb9213064e7ffa3e8ffc

C:\Users\Admin\AppData\Local\Temp\uSsUUEks.bat

MD5 b701f4c02a991debe7955344e72b17bd
SHA1 5f56320ae7c233aad3395ddd8c00fc679137f4b8
SHA256 4c56e642e699c829f22e2014271e36f70de044fb49618a219f55dbb4af488c4a
SHA512 7221d042e346fc4bbe883ff153e727ddf577fff46ef3ca7d2c2b1a255136830d1fdc6eb1ef15e57d850447ef391586ae47add4f640cc6b92499c6b5c993d29c7

C:\Users\Admin\AppData\Local\Temp\KcYk.exe

MD5 d8efcc715304fb011d862429c9d97b08
SHA1 4aee97676a90d525b8635377c80a8a458d680549
SHA256 26228524ea2623468980e50c7e8473b33ef930914bd2dc35efddfbe65f83c7ad
SHA512 acc0300fb6160f8f66cfd2304dc1943e4f59e5cd1615939cc5bd29c93a599e4763768516daac3203b84e252cf58167a2c3b6dd9f8268090efaa7923f4f4668c2

C:\Users\Admin\AppData\Local\Temp\WocY.exe

MD5 b06fc88f19d66a7395c609d1d12f8f80
SHA1 2dba41fc7bb49c26e05c9c482d39017b81840766
SHA256 0b825c517c889cb0dde6e9cfba6ea5aab87524855bf4ec597b78690d943c4e52
SHA512 7e41bd5e69455d55fe5a1062d733215d490d498ee02dc03b19f3242de8b62616cf426e2eb508ad23a08b4b532da81003951c3f73ab8cc7778083b65684c569b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 0448f4e28479056f155a20f4bae42dc2
SHA1 fb37281707b27f1c98f2cd72d602b52986858e0b
SHA256 82fdb4546e1ab4c7938f9dd15bbd852da100b8a59a8d85e5e44cf46f7fcf6629
SHA512 08083da0a52b5b9eb841948a65bf008208833bd2b04adb720932aa6d5d9832d2adccbb1f377549344b658fec0b3dd64039194659a34ddb17295d9823b9229acf

C:\Users\Admin\AppData\Local\Temp\ESwkscoI.bat

MD5 d80f845f27f46e032d924e9dccc7dfdf
SHA1 fac46a97ddeebe725ef471389a73cc4d43c30b99
SHA256 637520ccb7cf8d13d77efad888e35fd30be6635f51f24bf371c25dd82af8eda6
SHA512 b1e32452a4d34f75d044050c1e113445dc2a6139d6e6ed12551a3ecf1b87e01a2db783cdf58f872df419f8d9a3aa5b584a60a511a9d62a6a30dec24c84192e77

C:\Users\Admin\AppData\Local\Temp\awoU.exe

MD5 8f40d4b30f4a8f446169886a77926e80
SHA1 62f4c0f81f571a28395acc94ea39586145491437
SHA256 a2c595c0d824cde8b04bccc94f03e8c2b0b3ff768b1204af936312b350e20799
SHA512 385dc264d116c8589a3288bfc42797d832b17d6d77f847acd0680c240f1eee97c3d78b8bcb830264274ccb0a5be5dbd44b0833410a5819eb54f184557bd35d4b

C:\Users\Admin\AppData\Local\Temp\QAkY.exe

MD5 8e95362a68e49c9cef6f7396d8c55b76
SHA1 a7b78c81d68cf51c5665128514fefb7d132bbd8c
SHA256 070728689bdc87c8abb5054073999f1f84f59581609840b79fdedfa468b7fb65
SHA512 9c0a9764daa86d3c794255cbce7faf81d601ff30199efba58c10de7db2c554e8a1e0fa47039618bc924b43aed7bd0d6e761e1f366a0539c72ec79c887936487b

C:\Users\Admin\AppData\Local\Temp\cEse.exe

MD5 3d473592c1ba9b8a5140b9612018a73c
SHA1 a475c0abc976c6b74ca80903efc0838cd20adbe9
SHA256 071485a071f0f985afbef29ba12e0411e3adf882ee81bc01565e46304ca7356d
SHA512 29e3c53f997407792b13b0c7f575ed7604370d3424cbe34085b89f472c72bbdd19593d3bac68263e1442a93b7f37333351a83a85809c2d0ee2e4a70213d1dfa3

C:\Users\Admin\AppData\Local\Temp\uyMooooM.bat

MD5 332665c2870ed5224951470500ee0a10
SHA1 8adcced3772e3675a6296c42d59bf29d40ef334e
SHA256 9eeda4a204312eb25f15e2af259a6bdfa3d94b4e275f3abb1eb407394acdaafb
SHA512 d68c1a1c38464ea79a5dff7dd9890226dbe0e8612046734933dafef5e80a05a3f12803ea630bf9f78df2bf7928510990dc476d3a3a4e032729b31cbb4a3675ed

C:\Users\Admin\AppData\Local\Temp\WwIs.exe

MD5 fed0ac9c89753f5ed9410a1ee5a95d2b
SHA1 5b0c7479fa93ae72dbb712a43b874741ae437dc7
SHA256 a2df6e32931e543984b32e89cb4d985a9410da892a43b928681d2c3c48506e1e
SHA512 829e0b9b44b3e822cfe55c1de9de62faefc401d02ebbd606c98dd50c7d63609a26a9d25c72f6e950ba1bf61b9a9f101fbb02ec29e5d55d1f486dcd8bf308d105

C:\Users\Admin\AppData\Local\Temp\cAQm.exe

MD5 7360d38502fb9ed8f53dd47553aee05e
SHA1 6575fdab42632b3e8c72fdff47fd79075fb81f58
SHA256 c8531794d38cd9acef9663dac48b768246d590d94388a548933858bd33d7c922
SHA512 2b3a4d349d100a5f1b7ded56aa37ce2afb91342d3b591c3e73eb62e469bbb05fc00f7db16ea6cbe689ab4761dc1863a156fd4737c2260b0dfce1140e3e4c60ae

C:\Users\Admin\AppData\Local\Temp\SEke.exe

MD5 ce60e051ce803c71331a5693c7648d67
SHA1 1c29a2d23808faee231bff70dc091c3d9dc89089
SHA256 cb95690ec427468728374cd3287f1b287dfed094b3158d0b14f810e44aa89a48
SHA512 695ac6f16f723f5c1f351356913f52f448ca07574632e7e8376163cfb9be4df39d98fc5fd76e7c7b2fa8cbf5c7b7caf24578920fe650ddcfe1c7f051724aa0ea

C:\Users\Admin\AppData\Local\Temp\CUQO.exe

MD5 c32ac53a3d004589ce5efc3d5cd5c0b7
SHA1 6057618c32cb964fc0e8fe21a3533bd444310820
SHA256 0eca376b44a2846f335f8fc83d2916dddd51e85b7a42822c68abb1cd83a03cb6
SHA512 154ebaf853bceef4d2aac77b6c3b4017f1ed93c53c26b985a0a1138d0ea6b56147a4c5aa4933eea7756a203a3a3980047f78920309075b58fbf25e7848b39a38

C:\Users\Admin\AppData\Local\Temp\aYAsgkcU.bat

MD5 06e1cbcba4da99d0801ae20f9cc6aebd
SHA1 3922f7cf8c23d8dd87a3d0a9ed3bf41da32c0a48
SHA256 1a72bebc643686c14d54795c408dab331f6e83a0e2159cb871aca160aa0ff472
SHA512 58753563f33065694cbf8cf8fb86532bdcfe8fa0aea43dc248e847fbe8b4ae1aa332c4a54de34f6c6fd25ee8068eff7abef08f9cf9c9408727af43c24697e4ef

C:\Users\Admin\AppData\Local\Temp\uQAo.exe

MD5 fdb231ae238e0b26a2cc0c15341f474e
SHA1 33331e6460fd763d410bac98be75e0443b97aaf8
SHA256 1a53741d281e83e1dad1e4e70984c3ae4b014c1890461c5a8b534fdb04c5c678
SHA512 e8735ce6b06f41b64a64f8bdd652edd46d735b181fa83d6e57fb6868fce79d70f586b8adeba4cc0c571b29ae616434df91b31f7a0642b4d478c93f5db58679dd

C:\Users\Admin\AppData\Local\Temp\yckQ.exe

MD5 f3cb5da41fcd44796e7648cd9692ae22
SHA1 1138b7234b21e36c243f4d8149a5aecd120079b3
SHA256 d3b2d1c4c3be2b1024dbfc359825839c5ac1fc0fcfce14e5ee7dbead98fd3ffe
SHA512 2b8bb51e0433b091a16ac3b3b2b7cd49c61bd0eff04ac996335c5e61584223539efbf2adf65ca11ae559af982944159c0fab2257c1baf56e514f72a5e60602b1

C:\Users\Admin\AppData\Local\Temp\kkUc.exe

MD5 9c053ad46b0e65e686aa64baf01a2110
SHA1 e808d7110e9bc29f489cd3a98dcd2479c80edc69
SHA256 75a2f35bbd10fb6c19d511bb46109c7f151eaa6b636a415a3b02eb453232e069
SHA512 ae6d0e842eaf83f89d072b1d7f3ca9306fa9575d8907f83d99c6c951cd5915b29741f9927eb39cea363a334ed614b1be4acdb03c7fc9513f24dfaeec6e4da930

C:\Users\Admin\AppData\Local\Temp\XwYgwEwY.bat

MD5 2e48b891488bc34f2f01b5983e13b2f2
SHA1 327abe2720c3cd3c6f9160c4ef1f5f485fdfa50b
SHA256 69c275a5e2935b5d73c5ec9eb64236708a979da21bfaa2b253163334e4aa13be
SHA512 5f2a8649c916a50dde072abe8abc100b46eb472d083ae84754bf3d04b514a5b9d2270fbe2ded52c16dd64f867968612ae85cf8d014dd1c3835722f7836d2e208

C:\Users\Admin\AppData\Local\Temp\BOwAMIUA.bat

MD5 8f8a1556c83826b63236f73147aad89e
SHA1 6db108f80a9a32cb546c5bd5bb3d59db4dee00e8
SHA256 c0dac684d6c3beb0a46aa5ee4680754535f22ccd347e56bc4497ef9994d268b0
SHA512 16ce29390e4a8ad507348c2bca68b621bdbf7d61f178625cbdecd48199948b7936c72c683c8d2b01d07248f1d0b65400c5920a05bcdaf5cfee43e645b7047dcc

C:\Users\Admin\AppData\Local\Temp\aMoY.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\iEMY.exe

MD5 62c849ef96489a61d470b7eee433447a
SHA1 3735b77646803555fbd4c9d1977fba763259b824
SHA256 ed0dc33deee3b1e5a1cf225eed68495f1aba481da0edc23a78daa32fbdc6f7d4
SHA512 273e79273cedd520a95c33fbc54f20636feb043628280bd433850d13439917ad515d36bf1ce099df659797606c6fd76a57d29106a44b589758e51bfa6b2caa4b

C:\Users\Admin\AppData\Local\Temp\CMYG.exe

MD5 c97576c38e8ade3a5d401d4564ebb690
SHA1 28cbdf9ebaf807141a33e1be268b5e70dd951217
SHA256 f44a82798a5eb3c524d0e0030db343932b75f5ec4adb98df487ba392e8a4bbfc
SHA512 c87e7e4431de3563e4b79a241a5db325531e289f33ab77c286d5d6c712ad1e61a3453c526b9c196a1a8578fe83a363b37fe28541c31ef00276c72ea99e74b46d

C:\Users\Admin\AppData\Local\Temp\SMoY.exe

MD5 c0683a28ba29b76118baecd403ee5ae4
SHA1 f7ba110264064c904f48e32c57be5af193fb5be0
SHA256 b616462a702708675f692ac254d08ad8c125f4d7d23e99dafb74e1e5414ed643
SHA512 ad5a9d4ea6211ad249e8d590a7d64de544c426920f31259975fd126023a307febce1d7ef2819b686028364890ed6daf32c7d00999f54e774ae7372aae28e3c15

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 29cbc961c4fe40c43998b6cb066bcfc9
SHA1 935db7705a5bfe8deebb4a32aa0b1c461d25c8a3
SHA256 35086c01980b79c88911f1d8911b20742d34c2e1cc649b4e039121d1057cba49
SHA512 ba462aa3d5839e45b56a2efb12d79eb8bef298bef4bd085390d1a07a3ee3af7b4dc6dd157c4c824544515e35e458a03f85c8eded4f87a112050a10a2aa7ac906

C:\Users\Admin\AppData\Local\Temp\HgAMUYUU.bat

MD5 dad96468d27c7b0521255072fced72a0
SHA1 5bc96ba2ab5d457d25bcfd116f681f6d9b61410e
SHA256 9e2419d29244069e13fa584f8f96f069d23a3618c88349308fd864a08cbd65c1
SHA512 aaf5d516f02ca334822dfa75abd8a6ca62866c1cbad735f2a34f6af0797865163057ef325ec92746abdcb54c6ad44d57aad6fafbe628d8f2790a2f518c84ef5e

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 b52cdf793c3333882cce7e40b1703591
SHA1 df77adc5390622fba7ab13a909d8ccd1d17ea88f
SHA256 7fd77cfe8009d3570fb4651367b70062e86d817c92a93e6c1ba9be41618adc4a
SHA512 7421833863275caadae49db0aae5d2e90dfc0f371d267ef01a051275cef8eb53a20ac0fda3c71c7e0620489c4d18c9cffde67dabc7b96f284e62fd6f9c163ca1

C:\Users\Admin\AppData\Local\Temp\swMoMMYo.bat

MD5 668d5ace2c502b94137080053b9d9cfb
SHA1 ba44c6d0ef116b50442f7374fb477999ba685c8c
SHA256 8779adacfa3a03f3a3be10d44b619426f1d2722748d1dd8ccf56ed7632f0c5fb
SHA512 8ff3eb549be295cec9b725695d0dd53ecd41399d3c23110f280cb91d88612ef1e8966936a62eb8c9669b65ffe95d9ae72587b165bb608ad682e12aea1fa1c6a6

C:\Users\Admin\AppData\Local\Temp\gcQS.exe

MD5 825e0a077c712c1946aa539d6cc86cb3
SHA1 e29db1d08bc5cd5bee7c5e751f8f87ef9498528c
SHA256 d59601d2697775a9502f00283384dea9bcc20f405a7ebef0d1f038a15f879bfd
SHA512 ffacfe8f80a2a14edbb620d196dbfab480efd3c78e14fce617da62279fd1e387215fc44558066021fcd8fe6a5b1729000f61bc1a2bcc6c2b620436f391b1293f

C:\Users\Admin\AppData\Local\Temp\mwse.exe

MD5 5c32f8013ab598397bacf696c8856674
SHA1 a96e5438aa38b75472325e21270a26dba02c024d
SHA256 d02b512b34e74b0c1b4a7ac1b0fef00cf7f037a06e699399d309f9ddd88fe9ba
SHA512 28d73414a0af684d30c934bf739c34b1bf82c50ce76ac6d689cf289b4ac774114c86bc714ab52038beec4d64eb1a8ff646676a39980851bafa6498d1950770f3

C:\Users\Admin\AppData\Local\Temp\WcsQEcYQ.bat

MD5 7f7d43a4ae85fe1026fc4fae57223c4e
SHA1 6656d1b61f014b61e7c772aaf81d28e932e957c6
SHA256 b1e4fd4d17ab41b5947edf33fe523c6865ee7395af28e565d19c0698c3cea801
SHA512 8c800df1703219a33f419ae95bdc44655622b6f28d7fde23d3e154104c6906f09c3605187c24173176d3cfa12026a8fa5ace66fb973f2879be4aa7858761987d

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 7d7c2b1cf2aed1cec15675017127e9e7
SHA1 1c00d25eaf9f5b01e899ab8c3a9e3739aa027247
SHA256 36bf001ee5c73d4c011446d622563d047cbb45ac8eea61f7f850847863a38f5b
SHA512 615b3f600acef9bddd58c11ca52e902cbdedcb705002c220b4045b0ea850b5c79d47373bbac92eac87dc9e573a7668b673ac05c83e075648f575de936266ba7e

C:\Users\Admin\AppData\Local\Temp\aMow.exe

MD5 0537c69cb2c2663993a29840537d01d5
SHA1 73c9303160dcdc328f2c3c5866831d95bc116d5a
SHA256 88b0775a33c06fbcac7291a750523c7c3febafb795e45d8257ab399ed8e7cbe3
SHA512 b1948669b2fb5950973120a3788497b99968dc3282abbd42bb4582bcfc71f345a2a3b0ed74332941b9529e591deb85fdbb3b52aea8e10dcf86a282bfce96df30

C:\Users\Admin\AppData\Local\Temp\NsYEwAIs.bat

MD5 a648dababbc69ce6bf5f2d570793797c
SHA1 933331325ae7c056b741ed021e28981a27992f42
SHA256 2d3ff149c0e6c1026d44276e4da1aed863c233fb2da98ad54083747e2c09e9ef
SHA512 2d382609fbf2e7c55bf9ee1f9b98d2bed60ce314ac593343ade10ab82b04ab515866960e61e04800382d4b1871ba8faeb66b2f5edf9f0dac9100beb9d2790f85

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 68f89cf1bea6419000747e761883d2cc
SHA1 edb009d889837862a72b8d2c5cb7f9e6d806f5d6
SHA256 bd3ed44309def7d2c5c6198de0cac230d0f0f020ef97a264d3485180c5769325
SHA512 deb7d748c8b5e4b660cc69f71690554d49c358cf0938709870c3441ab1cf8ee2b9a93bc970358c6399b6ebddc07e9420200f91c272a5b22b6c40745fa5a89dd1

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 484ada3c364cd26e3a6e2579a2f845a7
SHA1 9a4cb618582434dca040ea92c646b2ae25aefaa0
SHA256 d0d4ec08684d9b76ab864605fb177d0b6f39e2e8044d108ceb961fe6f02db7ff
SHA512 1f1837ea7854bdeaf0576077fce451b983cea7688fd8b2a3922c46382f00bdb662fda7f8ab0bf06d94a6c94982d37b3cacc17895d7ee5f730b4047423f498843

C:\Users\Admin\AppData\Local\Temp\YWIgQwsY.bat

MD5 021dde8d42dc4c04e7cc7acd18cf9992
SHA1 33ee12cb46552ce405af1dfcb543548f57087d76
SHA256 89397eed4ecefd2d3ab181ad6ac6bd2ab90b173b40a51c51809ca9d0d771f774
SHA512 2a74f7c45c9a39c9a933b5d859eb35f893176e6e329e48c28a9ef69abae863efabfb15203e5aa84f8e66373d03bba18c49f3caf2150bf6f441fd21df4805eed1

C:\Users\Admin\AppData\Local\Temp\MAgQYMUc.bat

MD5 af07dbe95670dbe0113ded730b236a04
SHA1 770b8fc7e33e528d25bdf4fc743d2f079f4c8810
SHA256 120c3428c66c1edc7133d1c41b09ea9efade11134a6ff3c4ab021d21074f6dd7
SHA512 4e1fc6c2fb9130f352ca61b7dcc66e36323e7276847946519c1922bccfb7df331c6fcecac26f91773409a97cb751d59a9380ad8068765dbb8af6283af41022ee

memory/2280-2831-0x0000000076E40000-0x0000000076F5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LyUQkUgM.bat

MD5 caa3953e90dbee1fa1fa0702ac3f3770
SHA1 2d7294128365f9be3281e83239e813b58606a8a5
SHA256 c8a46d5a28ddae48bc755e9b68c0908aba40b9a626e16a36896f94bad30fbfee
SHA512 8cc9306d8f94740fde1829df48b8a646625845ad0f795d361b76869f355bfe80d64996c45db9aad38bf3d50337f3de43fcf06c25c8a0a021e72b81f08396ca4d

C:\Users\Admin\AppData\Local\Temp\BUcIsoIU.bat

MD5 3dd880f6ef2a273f7fe4113cfc960b22
SHA1 c3173f1d2e3844437c2a58873dfecac7a22096df
SHA256 0515e4ca745355409e9790ba26f04f49bcb2a797386437146fb57a2bc64a2928
SHA512 d2dbaabd718a17bcfe22d93fc803221bb3f782d049ffbfa728d608fbddf3757873ec90c4736459b161ce9223866586b17f7c5b4876a45c4f6e9f406c0320ee86

C:\Users\Admin\AppData\Local\Temp\paQAokYw.bat

MD5 9f785ff6c3bc41da9038ff3ae64c2cb0
SHA1 0e66635833c8e5cac377528213a7e205e9b1586d
SHA256 57b14e703f329d9d5c25df241ee843f25f4d599df66b2598119a6360ae40ee56
SHA512 5b13b2ec9cc4bebbf206a5e476f6e694c31d09971df4cada9c4dddaf7f68f676365134d61dffd7ef1d45b870f2a2956b0d62a049927a08d3f49927910d344e63

C:\Users\Admin\AppData\Local\Temp\lgscMAkQ.bat

MD5 c728d3ff50525c3fbe3b92181e66c79d
SHA1 23f6f46b3a5838ca48e47781620ecf875ef17a11
SHA256 82b790e37e37154d4e565227d9916e2e755ac8ac36f8b4cefce01f87b33f4c6b
SHA512 d51f8c03aa1cc3b7dd7a5598bb3b06f94c8d9e2ea1b1badf36f4da5e1afdbdb7599a1200abf9a2b3955709b221d4e314e26d5d2bc653b27a40d667cf089c2a07

C:\Users\Admin\AppData\Local\Temp\EQMwMcUw.bat

MD5 222c7e022f988792aa8353d6cb68c432
SHA1 bcfb5a31238a4050c4e419dc3374b53610c1b14a
SHA256 409662229e7335e4542ed87f3a33aee9f47562bc8b7b738c9799e5ea9e193447
SHA512 9b2006da99265b07b018128fc3bf1e199b08fc04be6b7fc7cd007a4dfe6c26939746ca91befc28c999780dc501b3fb02d5f2e48403d9915f8221f2e4de1883de

C:\Users\Admin\AppData\Local\Temp\aeEAIAAk.bat

MD5 203281e88cd0d02c2b666ceaf362fd32
SHA1 c9ca00d39a12db1b3c36a08b8490c94506bdd3af
SHA256 559a1f0c8096fd42e8a07adabd7ededfa7e7009d4b00fbbb5db5cf58bce0f4d9
SHA512 596e87520372c7160f331382fa8806a6d71e04670d58ab1dfba2418a63d71e81b68c05029f4b4f4e4b97310bd9ba14942f206eab7818095a2d895261c6a37113

C:\Users\Admin\AppData\Local\Temp\WKgssgoo.bat

MD5 1e88e62b6aff8619c8d9c7564ff105db
SHA1 30643cd3b2b1660e421c9a0cc17dfc31f0497a1b
SHA256 eaf8f45a0437e11a1cb77f20450a11820753924194acbd151a21f8155b581814
SHA512 35128b029248e8621661a2620cc01c48b58f8f0ef544518f45b38e9de980fe43662e7eb494a77a7862d172e40e6bf31b4c40d3f1ce1906d04722f662610208b7

C:\Users\Admin\AppData\Local\Temp\iCkYosgk.bat

MD5 53d7fbf2b79308f023dc3bdeb89ec755
SHA1 d1832cdc86eacdc3782efc9f57f93d0907cf908d
SHA256 ed23d9e3d08104139ae2570aaccbdc1902ff8e3a1d293f256fb48c87993f1cbe
SHA512 c8f0ab7a6360eaa3b30d452605dd3c264e075791be37a676b7bc3f345abcd396aeef825f71edc2442df8480150f7e5959ae95778eb31945a6bff42fc0b933630

C:\Users\Admin\AppData\Local\Temp\DAggscMI.bat

MD5 4b7132f830337726c14880a8e999bd85
SHA1 4d6fbeedeecefb1a6ac64e54dd94486d1c590464
SHA256 506fd74803a301c137b2ea221994ee3346949eb0195e968968dcb7f78a327588
SHA512 a5ddd51b0388500d481e726ca2f42b28fe996aa62c60d609bf7e93641381415f9132e79f434477ec7023a530416a0d3bf3e7dd78b6ed6e5016e79989eaa70045

C:\Users\Admin\AppData\Local\Temp\hQMcwgAI.bat

MD5 0fd570981226fd4117036cce4657dae6
SHA1 a5fd530fdc0f0092fbc1595dfafa685de2cabd17
SHA256 d8fa8c28ecb9b69586c603e513fe6465612f3f81a56f41eb49aa9ecd59d90b24
SHA512 ac3a5a544cd0418d0567086e358992833344a450acde4347beeef68265097c26491399bafc8acdbdc41d6b77f2d2f817951af3cc3dbf61a4262e65b77227da5c

C:\Users\Admin\AppData\Local\Temp\dgsUAwUI.bat

MD5 e527056cff27596118c8bcfe6dc2f2b0
SHA1 3e6259b5b0767eda04a924e5a83f6dcddd6f9dfa
SHA256 99e488765171c4eea683b536711606b87954e0cee9efbf2ca6c206e8fde382b5
SHA512 a38ab99b03a61b228d8d212330e51a22e0d2bf90530deda05b26557c26f4f3940f3d52ff9403e5d23e5fe07f0b74d85c1519dbb02d94c0372975e567f4afbafe

C:\Users\Admin\AppData\Local\Temp\pYUsQgwU.bat

MD5 740b4296633c350fc6af00967667f663
SHA1 a668e15f11ed30fbdab9b5515268d12ff3704672
SHA256 2676d4249f2f04b0a26bba79780867ce3546877402efd88d1cf44f954b62b1b0
SHA512 1547643a65c1703fbd09a7b338e4e3e0fb3b5811fb9995ad7e05f8872fa773e1a4b0fdb4e75f599e7ea8292d02228b420a65265b751969f70104d13f695ae8cd

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 22:21

Reported

2024-10-20 22:24

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A
N/A N/A C:\ProgramData\CCgYYgAk\baoIMQAs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" C:\ProgramData\CCgYYgAk\baoIMQAs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\CCgYYgAk\baoIMQAs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ngEYQMQY\XggosUsQ.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\ngEYQMQY\XggosUsQ.exe
PID 3512 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\ngEYQMQY\XggosUsQ.exe
PID 3512 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Users\Admin\ngEYQMQY\XggosUsQ.exe
PID 3512 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\CCgYYgAk\baoIMQAs.exe
PID 3512 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\CCgYYgAk\baoIMQAs.exe
PID 3512 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\ProgramData\CCgYYgAk\baoIMQAs.exe
PID 3512 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 3316 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 3316 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 3512 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4932 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4932 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3184 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3184 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1312 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1312 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1312 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
PID 1508 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1508 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"

C:\Users\Admin\ngEYQMQY\XggosUsQ.exe

"C:\Users\Admin\ngEYQMQY\XggosUsQ.exe"

C:\ProgramData\CCgYYgAk\baoIMQAs.exe

"C:\ProgramData\CCgYYgAk\baoIMQAs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiMAokck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMEAQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwwkcQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaAkAMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raMQUAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAocAckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOskYoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUEcYIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgkgEwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roQEYgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RosQYEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcowoowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIEAQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owkMsoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWUYkAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqEQwMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEscQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMMsYYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsQgMoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMwkAMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeIQcAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEMoEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAcgIcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUcIcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGIIEYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmYUAYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xqwcggwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyYMAwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWYgsMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\YGoswEoY\eQAkQcoo.exe

"C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"

C:\ProgramData\qIgcssEE\Veokogws.exe

"C:\ProgramData\qIgcssEE\Veokogws.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3292 -ip 3292

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IewwoMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5100 -ip 5100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 228

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYsIwggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCwsckYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiYEsQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEcMIEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegwQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKkAwooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsIcUQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcEoMgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgYwQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqUUkcok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEUgkoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqYcgcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUAYgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esUQAMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyEQYEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukIUoYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOMIQgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaYYUkYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOsockEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwEgEUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMEoUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOoMIokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioMYcswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQIUIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkEEQYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQsMowMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hycAUEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaoYYEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUEkggYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQowMwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsIcwYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEogcUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmIoooII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuEgEsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teAEgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UawIsgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkQAwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiwkIwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmYUckYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCEQMYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiQIQwgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwwkEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEMcgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukYUwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIAMsIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKQIwkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiwQQgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huIQkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCAYUAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiMsMwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWYoEMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQwEAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMEUIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMsIwooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgcowAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCwMAwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIgkksMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMAswEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuooAIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmQokgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgUAogcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYogAgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMcUgkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwAgoEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGgksccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCQcYIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AysYocsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWgoIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsokIkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgsgMIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv xSWlaYUSmUmu8x67XfEttQ.0.2

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             97.17.167.52.in-addr.arpa      udp
BO       200.87.164.69:9999                                    tcp
US       8.8.8.8:53             google.com                     udp
GB       172.217.169.14:80      google.com                     tcp
BO       200.87.164.69:9999                                    tcp
GB       172.217.169.14:80      google.com                     tcp
US       8.8.8.8:53             72.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             14.169.217.172.in-addr.arpa    udp
US       8.8.8.8:53             104.219.191.52.in-addr.arpa    udp
BO       200.119.204.12:9999                                   tcp
BO       200.119.204.12:9999                                   tcp
US       8.8.8.8:53             56.163.245.4.in-addr.arpa      udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53             75.117.19.2.in-addr.arpa       udp
BO       190.186.45.170:9999                                   tcp
BO       190.186.45.170:9999                                   tcp
US       8.8.8.8:53             11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53             tse1.mm.bing.net               udp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       150.171.27.10:443      tse1.mm.bing.net               tcp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa      udp

Files

memory/3512-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\ngEYQMQY\XggosUsQ.exe

MD5 7e8ad3abf50f951435f53d67193fd84b
SHA1 f101531970a1f94fafe54912b77a6b9227740d8b
SHA256 cbb0b0e61c6209266e011a485f0a09b99549f0ee66191adf553fec55abc1848d
SHA512 1263e017b2773041b5fe31f02d08401f6e1c3398cd257f588d0277b335712111ae4490e8b872fbb6a5a70a4689add5ce4b68cbaa6c1942dce05d7e8cdb6e8666

memory/3816-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\CCgYYgAk\baoIMQAs.exe

MD5 904a723e58d740f86e9e2dd2b37cf531
SHA1 2255d1fbee26e53d55da261ecab559dba77b65d5
SHA256 e8925066a2d5036636ddb0bfd52a82683fa5ca0c56b8978a2990ea29c528a72f
SHA512 e82d00081b4248d3596f76531cf72b881813aa8493a0fa20c9dcaf46a82cdc477874acb7dc9ec93005870ee7098eacd735caa0182c93d9849e7d30a46333d4d2

memory/3284-14-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3512-19-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kiMAokck.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock

MD5 9adaf3a844ce0ce36bfed07fa2d7ef66
SHA1 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256 d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512 e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3184-30-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1508-41-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1060-42-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1060-53-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4116-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3680-75-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1088-76-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1088-87-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2292-88-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2292-99-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4752-110-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4584-121-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3748-132-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4612-143-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1464-154-0x0000000000400000-0x000000000043E000-memory.dmp

memory/744-165-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4620-176-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4888-177-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4888-188-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3616-199-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2476-209-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3016-221-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4052-224-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4052-233-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3400-234-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3400-246-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2756-245-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2756-254-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2704-262-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4040-263-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4040-271-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1008-272-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1008-280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3212-288-0x0000000000400000-0x000000000043E000-memory.dmp

memory/460-296-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3680-304-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4052-312-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4724-314-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5100-315-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3292-316-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4724-317-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3924-325-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3292-327-0x0000000000400000-0x000000000041D000-memory.dmp

memory/5100-328-0x0000000000400000-0x000000000041D000-memory.dmp

memory/688-335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2096-343-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3320-351-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1464-352-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1464-360-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1600-366-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3908-369-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1600-377-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3308-385-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4292-393-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5028-394-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4012-410-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5028-402-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3960-418-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1756-426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4900-427-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4900-435-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-443-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4568-451-0x0000000000400000-0x000000000043E000-memory.dmp

memory/744-460-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1476-459-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1476-468-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-476-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3888-484-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4808-492-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5016-500-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAok.exe

MD5 51019e0772ce85a639f1e92f610c109f
SHA1 21319744097a577a850e6153abacdc4fb17533a5
SHA256 2277192f29413e5b100de4df1fa2afa3a0429865c30ccb365c705dbc1d8348fe
SHA512 5bd6fcddbb527420e32928ae74dd45310cdcf42f30d744749ea6f543acbe395df8bde37f6e405208888a138d5fdb64d82f21ee09ad807a9316f754d1cb51528a

memory/1564-523-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4008-531-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUYo.exe

MD5 ffc0339d4ae8348c82eef9a6e7dfdd3b
SHA1 c7ae8d26894887e3caa8b1e311df6facdc244122
SHA256 fdbfce15694803d7458cf9a7f1135caf3f295da1d60f066d8647522d0235a4c6
SHA512 6888d01c14ec8ea57cd0e4c1b6f9b166a0441aef439ffa8bab12cd3b32bbea3eb79314f5fc4bd6a9d5315fa23792f048c3e1794ff16757f9869d72f68e725156

C:\Users\Admin\AppData\Local\Temp\KIUe.exe

MD5 3d65562cd6ac96928a5752dedf417bdb
SHA1 06f572abc66f193d880d9c8e4d8ede2df9d9bddf
SHA256 f8541d4ce27f91a228b8e8af7b2cad4438bb59c8075c21b218819cdf33b94322
SHA512 17ec3f5d8cb71299de678f22929c0f552d8ace66baf8fa0303cd03cc6320a507c0038f8aea74dc15e6c612dc3c6b87283fc8019bcf5a6922e8320a3a7c85a513

C:\Users\Admin\AppData\Local\Temp\mUMC.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\sMcO.exe

MD5 4e6276009a82ef537147022c5dfd17d5
SHA1 1afc98eed8f3f9ebba9994191cf98c41109eff21
SHA256 1e0058ac3d48e3d6e3aa8bd19f9edaa10d05fae0ce84d98f9ef572e36a9cb465
SHA512 fc0ba634ec76eecc2e42f01bcbf6a635281e1a74476f1c113501442faa4d4f79aab1c97648f58d35a201c16469a854cb94c85da39434c75ae953125c44d9daf1

C:\Users\Admin\AppData\Local\Temp\QoMU.exe

MD5 6aa4be97b418bb9bbc3786f282e2aa3f
SHA1 68e170798f1da1820c07c43aad489ab98465907c
SHA256 ab89d82162f1fbdd8ec46732f01907046c750d6f3e7c18362e5dbb773fb62bc6
SHA512 f1d7651ba89cd4614371bf681c7e098ae07e5ce9fcd33c2f0324e51bc11b6bf13e25b7b43b9e8945bdd26979bdb6edaeea63d8a2f4ddd0e2688f72eb6189f5ca

memory/3176-595-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIgG.exe

MD5 9d7d4bfa31d6b51ecf05815c91ffc516
SHA1 149857767bdd0cc1f0862a1bbe8541af56d4a1ef
SHA256 399c7389f3660538776987748588ee7fd93566971480ea6577a9003c5b1b55e1
SHA512 92a9cfaf7b1f81095b74cfff5f39bce6ea016813cfd9bbea71d71caad100dcd95c60c687279265b24430f5adffa6cd975f6825dd241f03862d64f3284d075d37

C:\Users\Admin\AppData\Local\Temp\mMca.exe

MD5 fc911ddb0b837bb3a15ec9bd2ca74ee6
SHA1 5bc897ba8e2fcd6f7d2efd640c404d8683e41b89
SHA256 2e6c3496af0fa0b28964667a383b2b262b293432d2f3c8758f13a73a1a5a009f
SHA512 a38d294d727f36a816262d95fe15fd3f72a84d2ad8690a8b9c33981e27bd6b12bd16fa8d31f6ba4f3585710ebe0a2c099d8c3d06cff27cda0eafc556d8919c24

C:\Users\Admin\AppData\Local\Temp\acsC.exe

MD5 6a546b3e56071ff90853567fb18ee174
SHA1 10964cea0cdf9b65cdf2ee2fd1429b40e6d6a343
SHA256 b46d5f32401a05ea71ba4c18813fadd57ae88772b59f46b478d8fae3454c83af
SHA512 ccafedd36929606744d398ddf55f3f925a11dac367f9e924a2fc03ea9be91c084672a51486fa2de73354d8182752021fab833b89da749216438de872022e241f

C:\Users\Admin\AppData\Local\Temp\yYEQ.exe

MD5 9f57f969bd8fd4dd86b6af56827be487
SHA1 b11c32fc2713e345b71b759525e1749f993aa1b4
SHA256 4c72b94cf980839b24e6e79620a2cd9d1b31d75f42376a4e073cfb87a6fc21d8
SHA512 a63345766071dbde40fcfef936e083bb40514718ad460ca8f1c117ed03e3558a61b2e0aaa25a689c3c24bc5d7a1f8a75bd2e343a7c4ca78c2b21497aa9e402e2

memory/3004-650-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kIsM.exe

MD5 9d3d702ab96ceca1630d1ed40fb11720
SHA1 ff7367fe71570a20a69cec0b75436da1e4860d86
SHA256 75ceca7035a4f9148ea7f80c64d9a50d5fb8398959d6bc344c22e90344ecff1c
SHA512 cb61e07d60e53e9cd6e7b205b0b677e86d4924bc8dfa6fc8ae6e0aa213f9d4ad5b304a695fbf10b9502d4ddf3d64af92bffb8756bf03128dfcd8f55dc409d611

C:\Users\Admin\AppData\Local\Temp\Iwoc.exe

MD5 4b23fa8dd8ab1b76ef9cc8943ced914c
SHA1 36db9ba821fdc6cf45f3044ecf976a881ed37512
SHA256 0ba6a477439f8020117abfce4dc04aa2fadb8cff0a0208a03c4d8c82938a570e
SHA512 a8af7fcc1a8cc91b8db83178ac865834a6e5597a5e70c7c4d9292755fd90f745f1f57344f16f66593b8ad8b2123c1110f61ddefafa44aa0519f4cd926f6f4a60

C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

MD5 aafdea8e6270f832c97030bb6ca4865a
SHA1 e4c0a41f6539c222c012eb2c63c4bbcad1d630d9
SHA256 63553fb381f067dafb886ea32d07498cf09ade2efb0f4e9f4870796e5f7cf35d
SHA512 45a0671258e4f6fc78d5c660282e495e6c0d30235dc7f6e6432d0171cabc998bbb149205ed19cb0c8c986647009b2aa37fe71ade6dd9d8f6a6dc2e1bad3906a8

C:\Users\Admin\AppData\Local\Temp\qoUo.exe

MD5 50147a99f140768ad258d1f8ab231b72
SHA1 85820fdc1b9b6c117d44770c9cb842251a88c6eb
SHA256 aca4586199bdbd270dcf353a4fb42b4f1b74dcfb11e2e35e0ca4eb2e403ecbcc
SHA512 b2fcd2d8703eea592f9a22f56fab1333f1f92e15f980ee9f29f78217ba9e137315a4f354d389a0f2dbeeb3782f09c7893de4e26c73cc84e670c4d4ad90e444e2

memory/4880-737-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kwka.exe

MD5 dd77e0bc5104e6bbf434c4cd6674f543
SHA1 e8314d7cf63c78c8a910c3b0275c522dc3e593d7
SHA256 d91a6769dc9982237b03052fcc47b1c84d680a5775cf786a7f328a335e2fe33f
SHA512 aff128be78d6b72cc34183f99e3580fb0a4fcd03047b8489f8cb196791a2bc4eb2483b2a2624459ab6a1e8734cdc54293a4f4b39a377cc0a850ed6bcadb70b65

C:\Users\Admin\AppData\Local\Temp\IMcK.exe

MD5 7d99b91a9bce3c061ba82bfe24f4ccaf
SHA1 a376913470dcd2ab7214fe4f791587bf163193e9
SHA256 c3b482bf6116c13353a5a8e78009927eb90293230eeaaaffc435a058e9dc027d
SHA512 bb09b98f8552290455a122102c55b12e2d38c0f417a731540f4e073119e858b972e1fbf0d6a024935a86ee2c68783b3dd319ef09e6fcf4960a531b278bafbfdd

C:\Users\Admin\AppData\Local\Temp\MkEG.exe

MD5 2b80a08669c98aca3ca38ed620cdb385
SHA1 461d7c0362cd85d5884175159bb9add9f2e90973
SHA256 e49dc01e1b9209f6765e5159cc4d2fd89abd85ac9254f2c88a627816c26b5cee
SHA512 f51da101c7dbb96c82034424a71ff37d9d08f93cdb0d9f26fc0f930bac46cbd6e90bdbee84852ff31e836fe9095a5a63755f7017887782d9f86700cc759f657d

C:\Users\Admin\AppData\Local\Temp\aEsA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\ukIy.exe

MD5 856afa43ca95b13d0887abe39d199314
SHA1 a8c3406cd2b40349e4ff7643c7c083892a673abc
SHA256 65395994487e4ad28d231ffc26fe36e33f67d35617cc5c7c107e2c8fcc7617db
SHA512 8eddcd6a8f77480b3eec42c4580b2208fa6d3295d73d289f731c3673ee7195cfd12b7d03d8ea485ad2f5ebdd71c667118b1589a5dba00465f34b18dd2c2beddb

C:\Users\Admin\AppData\Local\Temp\GMMY.exe

MD5 187c03f700d1ecd3ed6d4de027c00df2
SHA1 4e02d67d13366fd99909a66348850c89e4e34696
SHA256 b207453a194a4f8d091f4e7e315bf72dea1fb68d84e5dfc9b5b034c1284a30a7
SHA512 0a7efc13e16526812df6b8a3b7b3e17c75ccb6204827fc8eb1888fc26244cbc7dff87de15b6a6b60b08447e4f44014a43cbea171358f25b632671f9c251c601a

memory/4568-802-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsEW.exe

MD5 f796c6701e81d316e36ed7c469c27146
SHA1 4c43431961620e303ce5cbbb2f893e0ddc2f86f1
SHA256 fa2ce89790fc4f4bc100cc803d79bdd2b130e86385a84f547e11b72ac4068ed8
SHA512 822306519a7df91e48a3ab34ea6d490a062e7148763a0f9f6589dcf01a9b8ea7d2e8f06220edd287427b99fb98ab73c9f0e6e5a8f88ce91b3429cf1eb0ad2eb5

C:\Users\Admin\AppData\Local\Temp\oUkm.exe

MD5 a3a1a7c72a4e4daf382971ab01b053e4
SHA1 5ca353c194a48af9a62256225b5ce93f2aa01d03
SHA256 097dd7b58453d83c00ebc36587365b5d457c0b95cf6dc25f8d635709a09e4eb2
SHA512 a0c64450ded2127b3165e5810542dbb3bfc4a2a5be8d425588061eb11ad67cbface087ab2ab4c53c3536039c3900e84a2db7c2a3aac9c8c5bead83cdfd0e8643

C:\Users\Admin\AppData\Local\Temp\MMcW.exe

MD5 636c8a600dc289a965737dab3a346645
SHA1 a130417a6801432e303c3345f29c051eed248dc0
SHA256 558297ffffff62c83a95b330232eb1ad4753f49b16116ed7ed6e1d0b21083ce9
SHA512 9db867470c2499e355c1b63f1719bcfb1ec806deedf7acfbd9b87e08f04c355cb6fb8513aed464acad94f1560c87eaa1228deac13b1a0541380c3eca77ce9f1e

C:\Users\Admin\AppData\Local\Temp\kAcq.exe

MD5 808391d37a616eb895610d055255500a
SHA1 3a483e961a408b31ab0021460de306c61493c384
SHA256 03c9ae11afe2c6a9f64f1829a601c8e74ccccf566e1d9ff6269eee79c41c40f9
SHA512 bea0384c5d4c95703de700bf074bb4511ba93f20cd6ab67a12872f5f9e6dac0beb299dca254fb4b3433d67a37af8ebb6558e86547b044dad1eaad9e6519b1825

C:\Users\Admin\AppData\Local\Temp\MMEy.exe

MD5 82254a2b6df22ab85e587230ba96503a
SHA1 aa83fa64ccb349f7ff7b69c21cb8625ebd36e985
SHA256 721922144c05ce5d9021dcd32db316f4481b2ae8a228583a7252b343c1ca04f3
SHA512 a639106db86418740cdc063b1a0c114dfe1e7e5297b5796fa6b136ea7cad6f859ed16fc1aa360e0c3da955387af3e64ad2887d9972f0438429adbcca813208d1

memory/3132-879-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aAMY.exe

MD5 96b9c10e5e4544aa9075fab977deac91
SHA1 5157d58cb231e1e9db8a891d28490012f3f21148
SHA256 9dcf94005910bca0565f478e2de3de3f694f50bf3a73845433e4b6a3ec7bd41d
SHA512 45a535632f6ea0b4afb2a4a46b2019baf5e9be20c1d45b0cd684daa3a5931951bbff201704dc143d00f833000c6ef2b4a58b9e49ac5d9829b63ce63989f910dd

C:\Users\Admin\AppData\Local\Temp\sgUS.exe

MD5 5099db625a2fd919e6ed83007b61e60c
SHA1 a9a8fe351a10a432f1ede8c5835af27b3d42f896
SHA256 ebb92fadd944b3dc6865bdd16a36f32d66b7182ae559b89b46e4e17da24b8059
SHA512 1a35ab0f7902776bfdd49f47e7756677326c45f2a8b60c09b103195586d8a4145f7fc4bf0041079d89897d131e0ca57bccd3f0d9d07bf9677619600d64f41305

C:\Users\Admin\AppData\Local\Temp\gUka.exe

MD5 604c0656b446de75a317cc47065f33b4
SHA1 e908c1e6aa0d29cf28d9e47fdf2179c685fb0dc9
SHA256 a7c8ddb4fa76d63b643cf706b2f4615fadb9a7a1bebe0ca5b7a85042bf672ca2
SHA512 24f17518746c2fb09e557948a538e26ef5e76608abb227c1a5d801dc19dfd7fdf837747fa7d1d1e85feb22dc35d3d44012dcfc539734793f7bc423e6ec5fcdab

memory/2064-934-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAkq.exe

MD5 9a6390b5dcafc45b08166fe008ac5b24
SHA1 75b1287b2f06bd605f4c7b71eca47476e1aee059
SHA256 fc4a11aab312aa39fcafd023d650475767d03bf29c37b951fed811946149f19a
SHA512 395644f1e7b55d11add7e6d9060966bc492a8ab4ad7c65d119bdc9bf55a0d237437586ed5476f908248ce9463bcb87f241d1a239a03c33f177427549af9bfaa4

C:\Users\Admin\AppData\Local\Temp\uYwO.exe

MD5 b1e95099edbf3dc88e7b740669326d94
SHA1 bb5686f91d322e9ebbfb20b18814a8398a9c823f
SHA256 0debfc629137eb4c3491b45572fcb8857af8580a8037de6adf0cf33718aa1cf5
SHA512 a36020f77db324173a373cef989e717085b65099e455a2d0df2afe33c5d6052283784de1828cd01769a5fd08e5fc9911cbac77bb06d468266cbc7739163ce792

C:\Users\Admin\AppData\Local\Temp\WMwC.exe

MD5 9ecbce7c726f7160baaaecbd18ec89a5
SHA1 4da4ac6a9300180029c6950142ab8fb414ed2f48
SHA256 ba559bab1dcedb86f01d0dfa4bd8d55c45a575e77fd7c0f0beed0c8bfdf0e401
SHA512 0a332e277798c2c3dd0491f69c40d824178155fbe3c54d7818aab97ea228cecad71a7709404106fb75e1256e7a2bce4cc9dc24a6af56f19df04e7ec3a8cb7523

C:\Users\Admin\AppData\Local\Temp\sEAM.exe

MD5 e4ea1b122d4bb62894f5b9befb6cbbf4
SHA1 1578739418c7dd1adcca6f0c8fced19906d7f69c
SHA256 893e0aead1464019fb29aff6be82f8eee0449d5f2c7acfbbef251192c3934704
SHA512 19ff408207a62a6f807f8e319eec5fb7fde0eaf42d00459b30bae31161f39a7c1cbdb13025946ebe40447983f1f2ee576e3c999bba945939198ad6503f1a0b9e

C:\Users\Admin\AppData\Local\Temp\KEky.exe

MD5 2487f007e96bf52430d933b513cc0997
SHA1 bedfc09d1b295037403a1579744b1d2765894bc3
SHA256 681a844003006c0f0b9b6e71f828cab9007bf671d0d3842c1962c5cb95f33316
SHA512 1a6687379c9c2102e095394419f8e0bf58eccd01568466d3956660e2bb1d7fc095500ee043235074523d91e9cab95e49ebcbf55ff067ceadac0c45e9d6590a06

memory/3688-1007-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIMk.exe

MD5 3f81b29472ab33b0b1448270381891f2
SHA1 740d48fbf392a5d57928941fd9092a74135a5536
SHA256 ceefb1a156631ce3913c361af7e5f3836dba200604fbfc3849758b23489a562c
SHA512 f4457a02d6a5891fec5210543d1121d3799c9f4a5e068aff1c819aeab85a43759a7af58a4054bb533c3d527873bc302391728ebaa46faaf4fb5b29d5b1171e9a

C:\Users\Admin\AppData\Local\Temp\GEcU.exe

MD5 7a08ac42c1d3fc2afaa6f44d9f502c18
SHA1 2a1c96f88d92c92c3a229be4f8ab903685cffe7a
SHA256 6207178118c35db141fb1a98bcdf49b064d69c7365ad817183fd5a8f54684c4c
SHA512 56e0c7d0dd21220cd85837337e4788ad3879a6178b91bcebcbc9db8c1820d20729b3f276e874d8a363054acaa0e8cd68b43f3cafc6149a140eb9d89b6925f1e0

C:\Users\Admin\AppData\Local\Temp\Woka.exe

MD5 11240a66a9d6696379c1aa62bb7876c4
SHA1 17c2d3ceb54ffb8eeb8afbd7b81c07153afa07ee
SHA256 45cac3b4a2ded4f0ac11a3bcdde2cb280b6f9110188938f3d54c66f1e09fc3fb
SHA512 751ff154ddd540563a6691f967d42990bbc229861fb5d0981f909dcc92d39bbded91cc71be581a2b8e5802d51c4786414aa1598b724888e95088d339e41cc20f

memory/4228-1071-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEge.exe

MD5 f0d245eccba90750b6ef1fc7cb039086
SHA1 13ef322d5ec35f740d64319d7c853fcf330c4bd4
SHA256 d3a340e5deb780ea19b50957c595fb5945efe95cd7cb65d254f4813f8df83ab5
SHA512 691be96b198856f876d16386a6a13cee160ff6ce23d3b5ce2be8897fc4ecf89a950b4fa1a6921ce6ae78fac6976dcf1efc9b72360fd42ec28e987513efb8abdd

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 624ef8e008a69762858ff0ae043b4317
SHA1 a89ecab2ffa540b65ad469237896e473aa6a2ea7
SHA256 bf6dd1b4bc98e9759735574ee780c4815e7b41ebd0c5e6b4ab816c341ba4cb7f
SHA512 7f5c83a2e60ba05d8e7c49e7acadae39dbb0510d54cd5c8e1a7fb91edd1e863bf602176de74679b105f90399c52ec65d28d8241509d9270c5edb22651f52dce2

C:\Users\Admin\AppData\Local\Temp\mkYS.exe

MD5 03abec487de80d0c0fd2f5016ec99e2b
SHA1 7ac827dec77dbd4d50aa0ffbf86658f1da79dea7
SHA256 22dfcc74e8db874d777829d8c2b4755a49f93db29c1a8546a3068ab0fe3910d8
SHA512 2d47a65ac4ab768906c1060b5e88520d284f11305beb70cbbca095bf0629e22df2270dab422fe855aec0224b7e4b33fcf3c026e628d1a0f6a925dd80abe61549

C:\Users\Admin\AppData\Local\Temp\igMA.exe

MD5 7e3f81146246fb428dc748222091b70b
SHA1 72d60ff3196ed96368d74da3f50c67678f079430
SHA256 2119e57985ba7ddcf7017a652a808e4f69abf09322e631d2865e9c8faffd3da8
SHA512 fe93bded2d2413a652496beefd8949b2baf874cce985876c8befb2f39bfc77e96e08b1807ed567845477c04efb16f4b7b04f79e450fe34692386af512a2a8d0b

memory/1480-1121-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qccu.exe

MD5 91528b5bcfbd585209b805c5572821de
SHA1 20e2ec43eead996de3d70f1e00d5c7d4d0a66926
SHA256 616bafd2a41f3d6b0da1d164ee1e0bc6a2c7dfab2295a257983b43b5bb85a94b
SHA512 9dc109110b6a6d061ff7ca9f75c860c44f9fff940be96a01d61dee9248c99d3d24cc11150861ea98b5d2e76fec9864dd44e2718847989f305e4ab753f404b15c

C:\Users\Admin\AppData\Local\Temp\uAsA.exe

MD5 b2a948335efe59c31983b91031d9e261
SHA1 563a836cd780d71083a159c41d22d0568085aab3
SHA256 fd92394c6ad50211bd82bbc127374d425699924aba414547760414544aa0b15c
SHA512 19878af1b7e53bfbd384078ba5cf0129ced5413d4919496942c610137cfcfc98e1511eb094338cfb69a050e0d99ffec7e56e7f7b34cedbaf421e2c52f41a77a1

C:\Users\Admin\AppData\Local\Temp\isYM.exe

MD5 c3560815784836ca7fe1b6284009e950
SHA1 a1218ae3746706853fbcb7e479bff57fa5353551
SHA256 589414721748b1781990555ec626e5c20b7f22b825339a556907bfaca0e50f08
SHA512 3f958017670ed523b67486d473e3610de636d772320c3fc00becac194a49369e7deb4816a523891ab285eab612c279c8a28ad1a85c48005da32ee94332b23ffd

memory/1520-1172-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kcIm.exe

MD5 af4b9a82d66d13f473792446f2756331
SHA1 7cd5c67060e729603c32f02779ea68a1be3d73b7
SHA256 154695a7d7a279fb15558193243d826e9e6ad31ab66fac0eb630ec0d2a6c0816
SHA512 7f1f5f7b9c4a45799fa84a4f185aff18464050dedcf336cf0dff05724754b28d0cb4cb538c17eccf84d21383117bdb189060d409549bbae7a30696a4592bc029

C:\Users\Admin\AppData\Local\Temp\WIko.exe

MD5 a8022d25338e87ebce8b9688f49f1f81
SHA1 cd460ed8bc22c1092eb19ab48d05520ae9481fd1
SHA256 e83ca5368f664855054d1103bb610d37bde58e307b14bde4d64909ca1824f384
SHA512 7f2ecd6e1f47936fd966a70668b3d467d6129904d0027d0b346a36f63ba00405e289b5ffd5e86c5e369ec0025edb6786a10e4239609c79beb16d31414103fe5d

C:\Users\Admin\AppData\Local\Temp\kEwW.exe

MD5 6b1b83f08eea7db47631525ce42a3484
SHA1 7a5c2020fe9ae2c1f04c8421848ea1dd2585b942
SHA256 bc0cc877e618e862e1519a41c569ae44b8d2ef17032f57e4c436b6241d939c78
SHA512 7a71a6c34d8a2bc9df7c3944657d4128208f55bed6b96126c9d664f560e1c973604a31b3f41a0827e17f41bc1bab21e2514d6f94887db6496652a9486cffe26d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 43715859e7fb1c0a6e06878fc0cba598
SHA1 ebbde86245865cb439c1e52c8015d0f4775a99c2
SHA256 8a56b55508b24852f34a93ae38efe8dc93b6a06a12a55e69e2873cc3f970d482
SHA512 0b13ca96d7935ec5d4555f1ba8dffb7d85b24ef6f8477250bf4328c5200cb8d6e17be0c98badc0aec1bc4a7ab8d9ce3cc3d3e0e3838340da33f7c2291f956711

C:\Users\Admin\AppData\Local\Temp\igkQ.exe

MD5 24aebe6dbde5c23132a775945e980aaa
SHA1 dc44146dd38b67e98f36d4cfd4a36eb6b161f137
SHA256 e3c8395911abc55ba74a235570c9b970661b379b03e1186251efed882afab424
SHA512 91ccd8fb56698dabf5aa7853b57e2bba720ed8191537c07054c1516056af36e5048f8ad9aec5af3662918d05b96bd45216adb076fce837a8dbcff3b59a007b16

C:\Users\Admin\AppData\Local\Temp\WkQc.exe

MD5 38f0ea9839e3d42ea1cb4d1b144f8df5
SHA1 7a8d7b0142233a7f7ae459181f29f94f4ce77c2c
SHA256 a040a14b4ec3d48e17f611201458ec946c905fd188c9d2643c8cfcd4aa360991
SHA512 af1f70e0fab6796d1b58afd74c275a7183c298e645a79fc0fed55e5cfc0f5943d7813db5c1cd7ec29f0b93be66369ca9412480ecc2abafd26fd4d9c61e27c67a

memory/3648-1264-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3556-1263-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oAAW.exe

MD5 617502c0e9ff2c55615c749dd1591a3f
SHA1 f109090f8ca6ad0cdb5e3fe48553f8c741450c1e
SHA256 f44f27ec4b8d0df828a4ded6e38b424090935c3c607f33bc00eea03c9257b309
SHA512 5b5b375363ef4f3e25b3d34ca9e1f3c6a7c7b595f958842112830c1bfd04ab1b866b29441368ff8f886d726a5beb37ccaf3d4229ae1f741aa25a71323d46dbbf

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 a98ba26ef98f05adf0d8afe3e748e5fe
SHA1 efe07e3a73a9b6bb65821f623d698256dabd0d1b
SHA256 b542337806490ecc053e018bcd203ac07fcf8dde34a4da4844b1226b4528923e
SHA512 2cbea51ef34f9f71ace911b039801e3d877b7f4a8f357cb13e22ed0a12b706ca9579a65d080cfcfbf1ce5db7a23e8ecdbb530f0d0fa95811c8bdf6d087ce7930

C:\Users\Admin\AppData\Local\Temp\MEEE.exe

MD5 c73086dcfbdeecbebca8dbbd6926b772
SHA1 7fea34be762fe5f738753b8b2fe62e248f8ee87a
SHA256 9bc3603d593698c5eeeefdb5188b8987488039f95101c096545d001898e7885a
SHA512 100db0375fff44a35fe8cd6129c94d15234b5a449da41e491c04344a74d4be8e111dd738b8f39fe8f58b7570d0491d4c8e6790d56c622ef2efe88befe99a9d02

memory/3556-1328-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4440-1329-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coUc.exe

MD5 2b3cf813ebe20100f1e731af11f09805
SHA1 8ba64bb64833a8db3fbfe4f791509a7ca117dd5a
SHA256 c87225e9e051521e914e70d1a0c40f9a4cc8b144932be2d6453bd8d742464e1b
SHA512 3878ee0df7ad8f548e0a6a503699235389e91733ded97dcc55e34705f3fcb792c227225b5121361b044d6f749b13b1ee781d6422223c2a0c7f9748b55ec58a96

C:\Users\Admin\AppData\Local\Temp\SwkU.exe

MD5 4d15e9ec6335e71ba5c2395811504def
SHA1 c9a4a18b1a93e4597fa67c9bd597f13caacbd065
SHA256 f65167c784f4732c5b23262d49a687c4b17327eae042d6b849c1c7eadcb6fae8
SHA512 b4b090127f9bbce50fd3bf223761bc547ece8fc74d0c19e260f15e317db75326c992250144dce5aed5e9092593834766e488fc4de476076ce87f981a8239c71d

C:\Users\Admin\AppData\Local\Temp\mcsC.exe

MD5 ec3fdda486a7b3071f4873905f88e976
SHA1 6106ff7d053fc2f3ec037743aa8119db8375e5bf
SHA256 0da4337ccf65d1a990c534abd6677752fef5cbc440ae02172224b70e17c20937
SHA512 540329938317dc60a6073d505e6859b55025905778c0eb4bbc849298408f81ca3db8d15e574da5ce3eda893e85b9a4d3ff7ee91f0318341652254a21d2625c7a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 8f8b4dcbd01313d3d423c8126ce8fed9
SHA1 d13c831f799cf4438c6c3614e111f0f132858d7c
SHA256 0b125c429326d134eb5d14b2cac5d0cf935219fc5366c96d710b6be005df5dcb
SHA512 860d22f7ae647d7f50927fe338c17d5d4a06b82fd8d6e9587ef1cc23cb1e7d75171504263bc904cb926da5af4570c91e2d37ec960defd71a768060f64fea6e25

C:\Users\Admin\AppData\Local\Temp\WQsc.exe

MD5 7f7e008fd5d38b13719c569d17ad3baf
SHA1 b6e963f1e1396c056fe0e2bbdb02f4aaa21b2c82
SHA256 8e453ebb6bd410f05d5f061fdc4b55bc0f70f54de03314347a10db3cd4949693
SHA512 623ba4825c3eb7880dbf4ea735d838874c0bc74dddb6fda7ed42f84efd2cde2b41da3a017e7cba46e0c9686134a2eb072c2bed0742ee98f5cabea2a6d6a275ae

C:\Users\Admin\AppData\Local\Temp\OMQU.exe

MD5 941fb819e0e9201b93705b73984eb418
SHA1 3fa082c6baffe3b76974883c26dbfcd6cbbf7cdb
SHA256 a5e03cb656004f1f5415cd102cbe5b7530a44e142f7db903653e0afd01045e7a
SHA512 670a6d538d688de4e63a735bb29110208faf5e56dd2c23944d1b1eec1a0bede6de187ab8f3e3a5f7290cd60fbb7715d9ee8b3b97fe4d8c1109436c71cf81f4fe

memory/4440-1407-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uIok.exe

MD5 f3fbf44b5b854070a3c3dcfafd4b76a1
SHA1 af38697e586c8cebccd30fcd25c80704c8bfdbc4