Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-vey5esyfqa
Target 2024-10-20_25254d694617c9f5e62baff92b13782c_virlock
SHA256 55e25abc5fc0cf49010c437a6770f44fb9103bd0034e2cb0ee40e8115e5c5b49
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

55e25abc5fc0cf49010c437a6770f44fb9103bd0034e2cb0ee40e8115e5c5b49

Threat Level: Known bad

The file 2024-10-20_25254d694617c9f5e62baff92b13782c_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 16:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 16:54

Reported

2024-10-20 16:57

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A 60 (identical events)

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 60 (identical events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A
N/A N/A C:\ProgramData\qysIIYgQ\vYwAEMQI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HQQogcgs.exe = "C:\\ProgramData\\HAYQswgg\\HQQogcgs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKQAYwgU.exe = "C:\\Users\\Admin\\XgIUMksI\\LKQAYwgU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vYwAEMQI.exe = "C:\\ProgramData\\qysIIYgQ\\vYwAEMQI.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKQAYwgU.exe = "C:\\Users\\Admin\\XgIUMksI\\LKQAYwgU.exe" C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vYwAEMQI.exe = "C:\\ProgramData\\qysIIYgQ\\vYwAEMQI.exe" C:\ProgramData\qysIIYgQ\vYwAEMQI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rcYAsskQ.exe = "C:\\Users\\Admin\\HYMAQIMw\\rcYAsskQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A 7
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 22
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 25
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A 8
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\HAYQswgg\HQQogcgs.exe N/A 1
(64 events in total, grouped by process)

Modifies registry key

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\reg.exe N/A 64 (identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\XgIUMksI\LKQAYwgU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\XgIUMksI\LKQAYwgU.exe
PID 2892 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\qysIIYgQ\vYwAEMQI.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2892 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2892 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2612 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2612 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

C:\Users\Admin\XgIUMksI\LKQAYwgU.exe

"C:\Users\Admin\XgIUMksI\LKQAYwgU.exe"

C:\ProgramData\qysIIYgQ\vYwAEMQI.exe

"C:\ProgramData\qysIIYgQ\vYwAEMQI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgoUkcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcUkAEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOAwIkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAUUYkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NooAsgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEkAIYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe

"C:\Users\Admin\HYMAQIMw\rcYAsskQ.exe"

C:\ProgramData\HAYQswgg\HQQogcgs.exe

"C:\ProgramData\HAYQswgg\HQQogcgs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGcwUgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmwIYwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwQcAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PicoEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcQcIIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\taUMgckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIkUAMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UogoYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyYMEkAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkwAwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwAsIMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISIQwcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGoAQYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCIUogkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMwYAMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqcokcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICQMsgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqYkUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUwUQkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgAAUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiEgckMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEwAowsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FisksEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCcsEsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\psscQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQIEMYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYkwAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqcYocss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCYwIsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UisgoMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tagAQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwkYEYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "638628060-5542981371907355626-1142765711539390516-824665017-8530382831909486215"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmAgcAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcgIMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\muIkUMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuYkMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eacAYMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKEgMogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-661942398-279840266-472532879-489248595-1865297868-63311586530113115-556766140"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1985729524-835445459-583205538-7274497641107066562-1372715323-425262637-1762804913"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwAsEcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQcsQUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "229317199-747237888188057360915614972351892436273-96194482-2027453646494335188"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIkEcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQoAAwMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcMIMscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScEwUsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKMIswkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wycQwUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUYwYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwIgckcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwsQwsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmQIUgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-749532492-947386950-174545656-1518367484-647701025135568929035494974758462570"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-820262158-1745684485-1855034909-929145391892604056766943529-394345176991057483"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUoowccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "658262839161046168817237084720421499283926416681909168957-965385430743622756"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSMUkYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-125282166114830334331455330329650725426-549287470-14556298221641176251961942242"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1857535210-1770916297-9809181421365504188-54311677112717400351673427901249716846"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1490219884-875258364-92720273-1411040331424004457-5067858721515940139-516544776"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKQUMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country  Destination           Domain      Proto
BO       200.87.164.69:9999                tcp
BO       200.87.164.69:9999                tcp
US       8.8.8.8:53            google.com  udp
US       8.8.8.8:53            google.com  udp
GB       172.217.169.14:80     google.com  tcp
GB       172.217.169.14:80     google.com  tcp
BO       200.119.204.12:9999               tcp
BO       200.119.204.12:9999               tcp
BO       190.186.45.170:9999               tcp
BO       190.186.45.170:9999               tcp

Files

\Users\Admin\XgIUMksI\LKQAYwgU.exe

\ProgramData\qysIIYgQ\vYwAEMQI.exe

C:\Users\Admin\AppData\Local\Temp\sIgYIAsI.bat

C:\Users\Admin\AppData\Local\Temp\xgoUkcoY.bat

C:\Users\Admin\AppData\Local\Temp\file.vbs

C:\Users\Admin\AppData\Local\Temp\rkQUgccw.bat

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Users\Admin\AppData\Local\Temp\rugkQAIg.bat

C:\Users\Admin\AppData\Local\Temp\VEIkcQIE.bat

C:\Users\Admin\AppData\Local\Temp\LkgAckcY.bat

C:\Users\Admin\AppData\Local\Temp\ygEgsgMI.bat

C:\Users\Admin\AppData\Local\Temp\GSIgYUMw.bat

C:\Users\Admin\AppData\Local\Temp\ScAcgMYY.bat

C:\Users\Admin\AppData\Local\Temp\PoUoUwsA.bat

C:\Users\Admin\AppData\Local\Temp\pCoYkcAA.bat

C:\Users\Admin\AppData\Local\Temp\HmkksggA.bat

C:\Users\Admin\AppData\Local\Temp\lqcwwAcs.bat

C:\Users\Admin\AppData\Local\Temp\xykkEkkU.bat

C:\Users\Admin\AppData\Local\Temp\mwMgYkMM.bat

C:\Users\Admin\AppData\Local\Temp\QQYoQIcA.bat

C:\Users\Admin\AppData\Local\Temp\ImowUkow.bat

C:\Users\Admin\AppData\Local\Temp\uWQAQIUk.bat

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

C:\Users\Admin\AppData\Local\Temp\vEIwYkMg.bat

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

C:\Users\Admin\AppData\Local\Temp\oAYS.exe

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

C:\Users\Admin\AppData\Local\Temp\PcsYYwgw.bat

MD5 6509429b131c3ab5e7a83d41bf3dd0a4
SHA1 988fc1032c49013b856dd5867a43e0902df9d87e
SHA256 9e811fb7f13f81df71cacbcf5861b3ce326f484a5314dde1541d46fd496fda8b
SHA512 59bcf99f37036c1a3089397c01f2d2b62bfb74c6cbf2ff1fb08d10c0fa55fa8c0210210e4a3914d8ab3c9bed659d39c0674e40cac02b5eb16150f42db994cde3

C:\Users\Admin\AppData\Local\Temp\yAcE.exe

MD5 05152f6e7a84795c25bbe88d19ef199c
SHA1 3c9af660fa3163aebb10e1f7274ed14ac554f762
SHA256 a6c891d38080117d724a79f0635930f868b49fd41c2b5384c4ad02a5e6361cef
SHA512 b14a848a70ea3e1d734d64f18160d47a0119f2eb02d0905c4451be355b27d5e022b8deadac7cbe91f615ce9ae041fdf0b94819833e2a2a5e1b66d9e883328624

memory/2432-510-0x0000000002260000-0x000000000228B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMcI.exe

MD5 190c566cda5edb310ae2b28b4b6396cf
SHA1 2234dfe4634d3d744475c7bb26cdbceedbca9781
SHA256 12ec2e304ea5e183e2449ebe8279af546e9041661a6f615e403b65a12cdc53f6
SHA512 736c154e111b3cfb7c4952ee261f31438ff602b79b23d471fede8a7a5e9b1481536ebf11ac915ac24d02829eb81766dcd02a9a4e91672c3071dbf63c88a8e97b

memory/708-513-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2432-512-0x0000000002260000-0x000000000228B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQMQ.exe

MD5 403b16bc6811bfdec657799723a35a76
SHA1 61ea95b66f2f9332c5a47d0e8dffe06f2cda676c
SHA256 e316db28521a8a66051d6acb1fb490cd167c325d34e12409dd004a9b36452995
SHA512 c33e8542c986e2be35f613e8d64d4531f284acb1d1508ee025e213dfd984506eb05de1d232fdfb51b2f8b7e11d0459be48cbe5534382a8f253c798d42f12e47a

memory/2900-534-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucUw.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\isAc.exe

MD5 a9c73bed0ab3fae8fd27cb4bd9340fa0
SHA1 4ab853202d4a3446176bb5be036b39ce44a7b6df
SHA256 08985004dcc1978544f6b6e66c2cd9aaebc355f4a10caa1f7fe6b5f578f9d6d4
SHA512 d2422b465d4453c9229f54e0259999ef3ef9971f4592742c91b5f8b00e7584e896dcc32e9b296186ff1cdcf769b01c1114f76a5a6f776e9b9866a239b28db26b

C:\Users\Admin\AppData\Local\Temp\CAMg.exe

MD5 d37b4c73ab944f56809ef263da11f7e1
SHA1 73486112991ec385b9f8bca50f7f7065cf41cdfd
SHA256 cb4dabcb64f7f89b1fb565cd741c18a3667c6ea4a639ad678908cdb12ceaf229
SHA512 58a19fb44bc8de93976c2955d75a11abeef3486014fbeced03f544b70608bc767aabb221b870ce5a1896cc82f13a7408f9d155617868965e9772d4844d80eca7

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 9f9370fc4e385899cfca72eb186b9d9e
SHA1 cb7ed57577d4276be411bc83ef8b303d3a2e3c48
SHA256 7f144670fee5f18e955a0ead4070b880e184aa069fff55480985e8422d307072
SHA512 89b330cbc85cc147e38698e10154b1554dbca45de1eba619dd6e4f4a2508dd3b0f57fc98d0b3417747355c9017310a8084f9c0c311c5b415f9ebb6408220e5e6

C:\Users\Admin\AppData\Local\Temp\bCMAgocs.bat

MD5 8a1a3bbf26fee8718736193fb5f2c748
SHA1 88fff55b67366ba11c93e5bb87b592f428a33068
SHA256 cd265b00f1a23559c75eb0d8235a28c48d2d3ce56e57371bbcdc044728677204
SHA512 482fdbb240126259bcdc3bc2f8f5dbf5739f03dea8c7ea6cebf96dd99a877a74b6e1abf6072f55e391ad3fc18552a1c011fe122cd94325c4eb5ba62b7d1ca3c5

memory/2616-596-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2684-595-0x0000000000120000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gIUk.exe

MD5 7c624b4cd61713fcf0756bc59fe31610
SHA1 e44fe63249ba4c6209b5aa57a59576fe87884e94
SHA256 2593c41f1561f31b8022466a92d06bd2532242d50f2a20766b3f7912ec4ae6e3
SHA512 25c704f606ea46923cfcc880c251c13d3deae5ac5f944b232e4f3f810b39fd7d6a79dfe3ee313abb869b571a3b550bd3f498551214dad9c5aa5e2c49bcc0c0d3

memory/708-618-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UUka.exe

MD5 28d39bd49abc60dd98728bec6d732caf
SHA1 eeaeab667acdee891c3bf14abf37f7963b762583
SHA256 fafef0b51b3be83e95a62b2a5aba4f02c964782599d00c11889075f652d08227
SHA512 f026924458b09252b172948aa9d56f63e66ef1147dc6a2550412fb9dc8ce507b5987e452d8250cb4e76ac1cccb7e434e66ca3d8802a0b74c2c6af51edd70201e

C:\Users\Admin\AppData\Local\Temp\cccM.exe

MD5 7c8b4282a0afa87374932a275125a9f6
SHA1 8d86f566f6aed7401daeacb871b8e7aa586151e9
SHA256 545f3fe5ea369d2a78723e89363642fb678e606543af32c378236a10de1a5f18
SHA512 edc6699a372cc496923d9f6804f35a746e346701678d5e57a252a51e2c0a634911c16376407d59a7b0efcdf3101e619651d522ac50ccaf9c964645a2ca9efee3

C:\Users\Admin\AppData\Local\Temp\LeMIkQQg.bat

MD5 a70f7754c1f0f11a15d2f7b7709a6e70
SHA1 2398d4bab03a052198907061c9e24239487cba98
SHA256 da954eee2601a5d944ff79d964fc9bb64864962a3fd5c43775926ec4609d760b
SHA512 7b049f96b917536e22f834bc2480cf58d19760b844442bca527b9151a2e6b83627cd2f955445eb66c6436819f918c84a11ef8500f994d6add0e87a64369d027b

memory/2964-656-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2964-654-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwks.exe

MD5 0e9092da4b6923ceeea1974dacc49730
SHA1 d1f5228bf3070b35f19ce58e850447889574c517
SHA256 bf21df97ab59ff783e7ec710df71c1aa79769fed4d5a02ac50308d93c4c0786d
SHA512 1b2c05a91f0efce75b6e926bff3bff3062183a4dfbe1fa8c5e763c21567f54481d30c5f6f1c8892f52a1d644075c0533f8751e1260110a0416cc6f7293964215

memory/2616-677-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SkUS.exe

MD5 5970770395494ada9f6f2981faa834a0
SHA1 a30d98ea4225b3027144446f14c32fd8fd711dec
SHA256 dad3650d7e92a01058b85e592488f81c63c3c5bfe89a28a9a017718edfaa9039
SHA512 d23ec773ab16837f1e511102fc63e33bf10ef32ffea4ddcaceed98ec20211fdb8cbbc9d8ddfdf8cc6ff0aabef5bb14cb355e3a32d14718f5c888a41cbe52d692

C:\Users\Admin\AppData\Local\Temp\oEks.exe

MD5 4fd41b332dea7444d2895fa6d70fe317
SHA1 22addd9b1b173390a2edfcc11a3802c772b321d4
SHA256 9ae5c7fa37072bf1da1fcbf937ec746344fa887dd891b969d37020873ca1d368
SHA512 8ba58fd0647456baf966cee86deea02438697c38d60ca0fd072d68af8d61f2ba2d8812493671bb1de14a7368b3d1e52e9a3516780eda4c43aa6f8f4e25d2b089

C:\Users\Admin\AppData\Local\Temp\ascs.exe

MD5 341eb144e7db487a87c64416292f3282
SHA1 7a463b58a9ce71c88fdbe1f0ddb59cc0ab2b7480
SHA256 b7ea877d8db84b878c59894c7c58e763b88fff39ae86deb5520007f9a8f61391
SHA512 2c2c55681962590d84d1c35d044a19c805319136e8e9bdbe19d15dc4c181fcba474e0fe3456216b59db97629bfe27e7a2902364ec1d3a37851f88bd9d5b71581

C:\Users\Admin\AppData\Local\Temp\uYQk.exe

MD5 389f2481b7b8f53b82751965982f6d62
SHA1 fa5457b741213240a15ad5ee963aba7c6cf366b3
SHA256 0240852982a56bb7c893f7258844369f6c04e55d686d70ef919b1d17db69daac
SHA512 5c8fff8ff3fbbb4247d4d9d9734d72b25bc7c5623599be2e87289c57c1f8d60fe435aa02aa041e4f4e1783d2ec0ce545824f519114caaed855a69c422270539e

C:\Users\Admin\AppData\Local\Temp\uAUQUcEs.bat

MD5 2fdd7149677a813abe3792d3ec2253d2
SHA1 73314630b3c22707ff80530d73d97ed10db583ef
SHA256 df4c127b731e6d4ec90868c34f66d3671eae5153d54eb94ea0618f5019d744af
SHA512 29b881e69f2b720cb1a7bc847c2961ab7617e28d76ce39c8c980046e1f2b3548ab8a0c084d7d06cb0d56b3a3c70d461d5e8f097daf196d98e22e28390d1ac492

C:\Users\Admin\AppData\Local\Temp\Kgwy.exe

MD5 403e7d9e9c4abe3987984486d9182f5e
SHA1 fcde6b82420fc8c22b0b0c282aac7fa2e59c7899
SHA256 0e04a527f01901e607e0e16b4079ef1a8818955b2112f6a245edfb209b25ee11
SHA512 61dfdfd6bf6fcbadd65f274f657c0afbd59278aa2d8263f4d12720de6ee4b4047b71454459bf9374a8e85eebeab284c4e55f71be51d8fb5aa2f77c7fda9e1721

memory/2276-766-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2860-765-0x0000000000180000-0x00000000001AB000-memory.dmp

memory/2860-764-0x0000000000180000-0x00000000001AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEow.exe

MD5 232f625a50a1ae22452ff5e93f897322
SHA1 759a2ed0f43461579c2608e58e65cd94fea0f9a5
SHA256 b1a257096fe60ec91c91d579e17f41ffb397356787ccf761ed900dea2c5f4804
SHA512 f14167d6143b0df85d208333ea09fe18be7cafd1ec064d2d6d209d6e03770d0d32a28172a3ea0fc8409df7502ec5b2e2d0b45cd908fc4353cc603c1b2bc1c7ae

memory/2924-784-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIkG.exe

MD5 689e5c1657c33672ba310f7fdbc07967
SHA1 2e2b9bab1adf1296a57e84b078e82707e70a8bc8
SHA256 0d4dc1d0d5c45b8fb29c546c2e9cf8fe00e5f5adc3701b38e29d0a64bc00adf2
SHA512 6ea133646aa535f0cdfdb671f17649f522adaf2ea68499147fd1211cffac44284640be0da438710b71d2ffe345f4b7be620a8e2cc25ac0f26e036595049b8b58

C:\Users\Admin\AppData\Local\Temp\AYYg.exe

MD5 aaf47c47263cfc2976d7c3c51adde0b0
SHA1 761f510ad210290292ecb8b0f20662f44d3cf00f
SHA256 16c78a686b15157f7afe17e5088fc82a93d51b3695c117b305e70d473fcabeb2
SHA512 1989bed24ba096ab2e6e63a09652749eb81bca05312cc9eb1e35e074987bd43a252ec0fcbfb08ef68d9d94e78f790bd9c5f4538dc47c3c59b352b0ee51355863

C:\Users\Admin\AppData\Local\Temp\GsoO.exe

MD5 b38d7d893ccb97b107754a0741147d2b
SHA1 9c37185c714562ccad4a7944abe698f6352ca15e
SHA256 e7c250c7c91293ff5ed330d3a212fce9c4d823d8344380acd1ca4143630c2ff4
SHA512 cb06773b2c3d5e26a5c1a96a999b8fd60836e864a923aea504c0d95a22ad2b03f2bc8f8aa841d479131b8ff6e1068ff6d3d623f75f2a61d3c8b404e2a12118d3

C:\Users\Admin\AppData\Local\Temp\sWYMgoUc.bat

MD5 581d0c9e41a13da743398a6a542b5bc4
SHA1 9d6724e7bd85aeb861fc5e2681dd3526c563da02
SHA256 a25e251b05e49b1c1ae99451de20a73866edcd8e93d07a2e32d69262c7238970
SHA512 6a14032440868b7aa89b28de2d3e69c89956706bd168f8abe8b702c95957246b9363c74537e7605c01d7ade40a4d5dfa2678dc407b0df0388b30f4cb9bd915f2

C:\Users\Admin\AppData\Local\Temp\yckq.exe

MD5 5315eed4e5b292dfc00ec39e7bf04cfd
SHA1 7844fa1bdf1ec72ddfac42ee6c796b729b92fa68
SHA256 07fff6c2602fb601571b26aace99908d4b15c0cd15b5e067d4cf3a49f9cc560d
SHA512 de3a7221da6cbd423ac4b5ff80a2ed77e43742ffdea5f658bbb6719b5eb001b486486080899c675427423ead52b2adebf330e12834e7daf87677ea2b30930691

memory/2720-852-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2740-851-0x00000000001B0000-0x00000000001DB000-memory.dmp

memory/2740-850-0x00000000001B0000-0x00000000001DB000-memory.dmp

memory/2276-874-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KMII.exe

MD5 5e220f906ac35340bb9e7138978fd7af
SHA1 fd40b937d8cdf9ba0ee83425a37ee0b9e1f2e48f
SHA256 5b61d4f14332c5ef28f58c096a5245824071972df452ab567ec9bfedc419218b
SHA512 c2de91054413d6c7122dd49bce9b9e40b1c6827c6ced5f62787c2c37dc1694134f00b3fd00dd1bb93dcdedd0d82267a3445231c2c262c122f9e1f974297babd5

C:\Users\Admin\AppData\Local\Temp\UYgo.exe

MD5 a0fd0b8a56d332eb2e19b1ba6726d3f0
SHA1 987437ad39f4772ade6609160d0c37de3198a5ba
SHA256 6a5be3c137234bfaa4afac9f663015393e18a709eef4e5af814eda5cfcd39f8e
SHA512 0d74914e0100fde77ef94ae9691fc649b2dcf78f594c3413bfc6a33db1f0fbed27e45157d2f62fef9fb9ac8eea5ca39b499e4ad307fba871e10a0a0088b35a28

C:\Users\Admin\AppData\Local\Temp\igAg.exe

MD5 c747833b74943cf01ef00b29adbefb32
SHA1 7e937c16cc29ca1011f84dcc0bab7384aeaf680e
SHA256 7f0db7f321740709be523fed3424dbc871583a1a16195812cb203687b10a3fd1
SHA512 554dde46b626a769e65f41cf0716e9391d6513108e07050b4bcbee302b006ca168225bbc32b1743d2235275dfd11d9fde8dad7ae0660a6eb0e6bba6e7652b982

C:\Users\Admin\AppData\Local\Temp\QMwg.exe

MD5 50c36a0779136a3dddda84b700f4df1e
SHA1 a2f125fe9176ad202297df63adaed078653a2442
SHA256 b10bf183d75a6c413feaf9214d003add32238edcc274b68e67fd2804bd9ee95e
SHA512 974b7e9ad67d98ab15919d35d7316c2da0268e063c4c8053d1ddee7fff10aaa8a902f694d36d806c2859cd5b5207cb1eaaeefb6c0d615e7c3e7a882f2dffdbcb

C:\Users\Admin\AppData\Local\Temp\EgcW.exe

MD5 b3f6adb2ba2b06f09605b15ab54cb2ee
SHA1 e6313d2611885429ec3a135cd1fd25382536ff70
SHA256 294be28ab5d1d68fb7582edc0437cff03b3880c1b906e153cb552b7382f67a08
SHA512 d8566303a4082271bb1b2e92b3ed6ae15c4c7e00f63e37abad15aa5c5e3c1b112ab78d92d2395015593aef6bfddf79102fed671b20cc37ed0a40bd86d41307f2

C:\Users\Admin\AppData\Local\Temp\mQkoUcwE.bat

MD5 e76eeecdb292a06dba7e9706867fda03
SHA1 e3c7683863d83411785de19bfb9dba099b1419b2
SHA256 cbf87ffadffafc4a4c312df054948c125009ebc61566dcb0249796e6ce20e6d2
SHA512 3ee554404c5bfc768f54864a77ba11a2540e1501ecd1293a069ebf61575c7a460b7643e18aed6bfd7766b9bbd219112f30ebb920fe3594b7eddc5aedfc095cea

memory/1160-950-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gggk.exe

MD5 6705f3cd133a0cdab919ea0a5d50c6c5
SHA1 8ec9dbc19eda7ac11ef45751f073e9cb596be103
SHA256 5cfd64340a3cab7177bce48ecc4fb023e598ccd46898a1e3043ff4fbdda3b8cc
SHA512 977c2f4d5066f35ce9f481bbd87b320d374dcfe003ddfaf13a5943596658f1c9b0731efa2040f26ef372d488f38e011a4f7c2f66af2fb78cbf3355e3b477d910

memory/2452-940-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYMS.exe

MD5 6f738463d7f0e3eda2b9774923c68e43
SHA1 684038db05fb3c69566ee4bc540c97636e267605
SHA256 0cd8a72047cb6871882dfc0106452d5dcdda1a7056d47d08e5269fa96723479d
SHA512 277b6f0a2b2d7e7ddf5a47e9497452755354df74f9976053d0646f528d05d71d5973dae0552ab9b1d09c058b26dd9de8e2c3b0631c3a7861773ab748a8d302ff

memory/2720-959-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QIAw.exe

MD5 71eb2d47830e2f04dbc41bfde8ede95e
SHA1 2a52df3f75744bdd9fecc69bebe9bcad86e4385d
SHA256 c7e74f9d53c66ca0d94172f99a64452d6f33ae09f053c22debda28416ab66922
SHA512 27584ce1f467b90563015ea1da21bfe073536bdc2fa46a232b15af518fe5d49c19d31b860d6691d39790489a8ffee7d0b012770d1b35a7bd943a44cf33e8d102

C:\Users\Admin\AppData\Local\Temp\IQgk.exe

MD5 c0111e7fe7de9cc55eff7d6a9959cc86
SHA1 7f06c69e024a8256725f91a39d7183e4e91cfd50
SHA256 ffc6b330ff6b8c2d207e744f882211f0c0fd364f8aa828592c54184281f4a2c6
SHA512 a48d3e189c9de4e88542a8d86b60b55be9ba047e0618e8bcc0915eb34f9dec6c205943c72f6dc1228e0135d5a32d54190c0fd60a4bd7cbb69c2e67ee9718ab92

C:\Users\Admin\AppData\Local\Temp\MAoscswg.bat

MD5 6b20295a82eb05b4d849582c7cbad37a
SHA1 bbc4e98a756a2672d737ceac8071e21e2102887f
SHA256 3976c7a4306ab421f3264f409a26cdd091ddb5acfeb55f039055ecd57ed3c879
SHA512 b0eb441b4ffcddd2cdfacaaf7d887911c5a1c9683a81a6106174443595f3caa14f95e59cba565e34a214575a053ad1260bd0a5290883ab6e02a23d5ae65d7fea

C:\Users\Admin\AppData\Local\Temp\eMME.exe

MD5 2c7f4d203340c839bef2e2aa7ae04c65
SHA1 f06a00331603704dd22b6aa6bce45655c33c3edc
SHA256 8b1c6c46d7be2df94158553601a6e21d0c1d695defadc00d47d4aa84248296fc
SHA512 ab26bbdc4b96f58797d115373cef6de51d4b04ae3f6db2c38492c15e268921de30e8a9bfffe3864321724e21677e436106bf42491d5028afd03b8f49158d86b0

C:\Users\Admin\AppData\Local\Temp\Cwwc.exe

MD5 c733103b6748d4a25f214df3121fecc8
SHA1 3e5196559decaf16259f9f28826eae380ddadb96
SHA256 1d649ffcbfac7b339b9c1b7ee61c36dd1dde4d0ecdc1afe217eb9b7fe469671b
SHA512 28ae2ce6f3cff073b51c5d22f346e68a8c2da7af2aa0938a630e296e04f36fe6e2d12fd9704d01b03f30f4fe23d7f4dbd391659a016af0260974582863377bd1

C:\Users\Admin\AppData\Local\Temp\iocO.exe

MD5 c56b1b9801c9efcbbf304d69bdb59a3f
SHA1 a0838a503b48c9c0478fe8470d41e4dbd00dbf8a
SHA256 a8fd1587a10c602cc04e2614e9f9d472dce0c4d5700bdb42907a1021e1a4add5
SHA512 369e363e6ecb6219e148c3f1248123d0742799e807660d2aa5f3fce3b64684a4395bef64a797d6b658df1ac6e3045255544a08b67482fd09ff30644033b84205

C:\Users\Admin\AppData\Local\Temp\ksok.exe

MD5 a52a229d7c39b905a88ff68ebaf9c7c2
SHA1 cdcf19bf8d0bc2ad9dbd46f0c2062377944ea2b4
SHA256 e7f9b54e69557ab8218ef07a545685db818ee133ad15744313ef532b2ed3fec3
SHA512 a97b54cb708408b2ed219e0b8d32bf87fc525d4ebffaefcbb3dc63b3e970bc343865e9d08eab4e6db46a292700c570b78a603f83e1e303844732060a0234831c

C:\Users\Admin\AppData\Local\Temp\isge.exe

MD5 5616d71782d6962b947efcfff19ba7a6
SHA1 868ebe850d6df4a0c2c7aaed21da48fedebcfb19
SHA256 2a4d224ca4b5332984ffc5569e1f78916de6526567283299f5197d2da294cff9
SHA512 0588d931686b486cad7c698e64b7fe66cc7d31730e14453a97a7e978f8df517ace7fcc06a89070d637fbfb9ea34f09790373ea11c2c18aaf62e0f2e392aa1425

C:\Users\Admin\AppData\Local\Temp\eQks.exe

MD5 c32ad93d375aa2736273dafca93dbe2d
SHA1 ea665fc5c2ede052b07b47cdc76a5f4e9501199f
SHA256 250a854bcda2dd7ca9b313cc41fc2518b38e4d49979fa0b8f76049b688d62790
SHA512 bb059571778c0aa71914a5aa4bc5171cd5bf06f8e01c7cc6c7ec3406d221a5e0d92227e4a3c9d0434649bf6d988e43fb0feefaf9fc68dc0d26e8456c5a533d51

C:\Users\Admin\AppData\Local\Temp\WywgMgAw.bat

MD5 06a2b73051b0a251f8f53baabbfbc07f
SHA1 46a0b7e234b07d84c6571b85a309a7d1ee0e8c80
SHA256 12bb6cece4035ad4b58addbefa4b4e510b144bdc0131ab33cd2b9f52bedd8aa5
SHA512 4b83d648d16a3c523f0c75f838064e71881c4eb99a55266f0134f0aaa9f5c9ea5e2e40826637547e55f489c5ad4d7e5194d4c7fccc0b1d22325ce8762231d818

C:\Users\Admin\AppData\Local\Temp\kAgq.exe

MD5 b6ae5cbdc56e9191151d1ad9e4ec389a
SHA1 d4ca7c0c101a44165f5bcb183e6099074342329e
SHA256 4bdeefc49d6ffd690dc34ab3a07b5c79a4a7bfcfd147192bd226f1d229c8d007
SHA512 c2d4033ad93fef298e2699b32f9dd9dd5a7c3d949a9fbcae7ccaf2dc17549fff0f02e0d8965c0adb00efce95acd1ac5168e013397bde77b0a879c44dd3d41344

C:\Users\Admin\AppData\Local\Temp\QQgu.exe

MD5 c9253f8b5a0c8cd4b65fc4f1017a226e
SHA1 8c40ccc6ef0fe6b6b6d378b94b1ebb4d5aded22d
SHA256 364c2c5bc94de4e51be882a8f8d684ec8728497b3d7791d9b72936832faf777d
SHA512 e439c1d0f56e60a9cd3c60c996dcae30dab4cd022989d039b710296129e9a6dc9df6b14fd185b7a8b15f6f87b59b469262920738c9ee60ba6794ffacd656401b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 d8038ecb10c140ef8092a2e6e3402edd
SHA1 58d405f954f76ff11fed207b40a2455af5263e6f
SHA256 3c91f410970a74e38637269eba6b206198629ccd712c533f113ea12373af8a9f
SHA512 e037dcc58559ab107922c8cbdf5fb0b5630c29a145079611b28ad331a4ed60f64597af5654cfde5312f0e1169a62f624a40ee1cf23775d1e7eeaeae8e74a04b7

C:\Users\Admin\AppData\Local\Temp\FgoUkwwU.bat

MD5 327e0b1731167036bcdc0c1f5335953d
SHA1 83747aa29584f89c1bbb30afd08d8010e7cc64a0
SHA256 5055f57c2295bd80f73fb90c127ddaca1e236b2a55ea21d8e8c06a2c0d021ab0
SHA512 34096982ac0e80efe58c61cd03dfab7a5eb4ae93bb6219ed52ba743050a1bc488fa5a3df6dd25bbcb7c68ec588d7b7ab05c576edfd79a42f33a949af4b08276a

C:\Users\Admin\AppData\Local\Temp\AQsG.exe

MD5 d7a98c353eba6db073b1e20b35f979cb
SHA1 4665d8340c853876e51abeda6bb9a80c4f12f217
SHA256 3473d469b45163fe6581f9258b8611b7a33dacdf0b9375104a7dcd6645e6fb01
SHA512 c273cf68aadf489bb58d324d7c071a22cbe65ac554e7dd3eb4e7ee7440105f0bf63915c76a7a09c2e993e4d42ef111e3f84cc3f7c9ea85f4e4cd10dbb8cfdcbe

C:\Users\Admin\AppData\Local\Temp\QkIc.exe

MD5 e16c939cdb8a232242a8decb4602b96b
SHA1 5cd3b85a9cfcf5a1531af4ef7758c75bd9fe440f
SHA256 9d04c3cd5019dca95ca655bfaca9de2cabc7f25533bb9f6c3b4e8559a294fcd9
SHA512 bb8bebe52bd618c76a01d4e139e96e994cbcf850c17a6d3e90cc061a1ee9166e4c8b6c0ca0950362fd282237a90d120e80bb5d7aa489680eff4250aa512b843c

C:\Users\Admin\AppData\Local\Temp\OksY.exe

MD5 f199bff9ab4db4beae96e7183d830c6a
SHA1 43e28074907994420e35f14bdd0e468523ebbc70
SHA256 0ab3dcf1550fff82e86816d4636d59c59a7d1373f5c5c21df140304477c3be1a
SHA512 fb8c966ce29ed8efb9faaa371e3164bd0960f35a04b5d2fb73f679bc8e849b70cab3a3fab890b339599dbba7c7aaa9a4b4f3b1c1836cc2c328694586bd62c509

C:\Users\Admin\AppData\Local\Temp\cgoG.exe

MD5 9b1fcbf5dd6206a4dd9341061f43d542
SHA1 71a17cff633272c2fe1b14fafbd6604070e3bb22
SHA256 65c1e8a9bccadfaedb1f90a374cfb7f6c98985590dc203395a5768fd87ad6f96
SHA512 33a24d113c1eca6b3971a01a5f25ec0c74004cd9e122301a1351eb7457a9e18bbeb1658f6ae63b9a5f265f887bbbbb28d5c646838aa4e6eb5de73eaccaa80b04

C:\Users\Admin\AppData\Local\Temp\yUca.exe

MD5 4c8979499098ab58571a04bd8765903f
SHA1 03e9543e361bc7c0cebf98fbf09a394db52c7be9
SHA256 b6e1b57f8c105999653bacffcd2036a55beca8a130ae6fcdf2dc40aa6903c4ee
SHA512 59e9f3cc85d4632b7cfa149a0d88b15bddb59ca9e8c4ba77636c116eb6607e689eb2148c54426dae0c16f3bbfd6ecf4123c9b874006097d031bcdfba69fe3cb7

C:\Users\Admin\AppData\Local\Temp\kEYc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 0f75a39b4a4490157ecbf7c541f5a285
SHA1 6d0cfff1e8df0dfdb7d3fc0f90c040355e926d8c
SHA256 d5e34091e4155a27c635dc3205e7923c5deb88a5209fbb1deb0cdc4e5288b1ba
SHA512 216ad2f567e16856731c13fe422ef8dc988b8d2f3c6aee6ce803d36a523af455411e13a1b0a26e50e74d1761c52c2ef3c999d00774d724583e7b0b30a63950d5

C:\Users\Admin\AppData\Local\Temp\ZYsggEkY.bat

MD5 0e2c27cb093f311360c47543a8a454f6
SHA1 02885e70dfd38e52eae3766fb197cbe08c0b164a
SHA256 02a3a19c91259d45ab32d698a9fc456d779570fe065fe2dbffaee4165e70a813
SHA512 844d729f96b882c6658ee8e3d8a4d365bc49ef485b1de2e8d6f8fd16d9bc66a8cee7076c9708623d3223afb2a24c843c22370ee98cb945e71e371a2174fc96d2

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 07bb08e4da5b1aa1d294acd6d434e822
SHA1 8c4d3add31da4ce4d6ce85b8f7173c998b9a39ef
SHA256 1433497fbf67f3068922b1143ca4a5ff7463e2c2abebbee31a9a29cb9c7906d1
SHA512 f75ab3dff4a1f444ad35ecf61b3779f03cd36edc4468cfd38b2f77c6aafac0c18481ac40d20768c206f4bc5b1cbcada0e0d8ff83df3ada9c85cabba0dc95ffe8

C:\Users\Admin\AppData\Local\Temp\QUMa.exe

MD5 2c9b5b5c78b3ddf9b7ade3de435c1b59
SHA1 f9bcb8039a485f58810ae3467b4afcab21353213
SHA256 510397c12199d8fc9c6651a96ff61f9f65f7d219502b0be45a9456b32ce46f8f
SHA512 524ac21b4f846d334599d08405315a712e7a0e392a160646844b049830a8365dba80187769fddc1e52d44ae97f0fd65e05f5ec504e3f0bbef09302dfcd9f3090

C:\Users\Admin\AppData\Local\Temp\oIQW.exe

MD5 d69b1620e095aa1e62b8c155ea3dc6fa
SHA1 1d1a04c6e9cf77c41a7e63c95930a266a86559dc
SHA256 54e9d0bad6ebdacaf63f82f585291dc5e84243eda62eb71b238664390486e809
SHA512 6b068b97350208558379bea48f0244f9795179092d7006a3cdff129941d8eed068a2f06650e2fd907e61ef1c7e91596cc76a129a33930c566a9f9048e38aa3ab

C:\Users\Admin\AppData\Local\Temp\GgsM.exe

MD5 9207d257f7743f0137b97f0e61b3c1c3
SHA1 f2b08628e87c52b7e220588b4e7e03a9c998538d
SHA256 2d2b08c9889f7726a8a2c6784cb5d59a9a9a2343cf16695ac59e83850356c6c4
SHA512 6ca78e9fd3b06ba66412eac2d7866b079ae00b883a9a528908b014712757f5cff930977de1bbc12de8d7dcf5c86fac270c947762261456fb61abc0b9e2a20813

C:\Users\Admin\AppData\Local\Temp\mYAs.exe

MD5 d514da10af0dcb614058de85fb9bbe7f
SHA1 95fcf02b0f4d8a04307b038371e7b82b604a89d1
SHA256 ef3f1b0a8cf28a6f5fd37f1f1f735d5d57eca6a83dc3de81a7467b5ca19cc99d
SHA512 d43bf56d477f9733fb72ea5db1426e66a7546c418e0b04e8a21b317e549165662b0a115fd2f703ac0acd5db3ce4246366085a73265ef03cfe97205fc3bca2ae7

C:\Users\Admin\AppData\Local\Temp\vAkUkUsc.bat

MD5 2b5643693ece9117fabe07fe93fb96a8
SHA1 d815a95db41806f00782eb53de83960c50a0f3a9
SHA256 5849cc463c22ddea0e416d4510c21cc88dffbe0bf574ae7f62a66bc1b242c585
SHA512 f2f3fd411030f205276e8a0c76378a1e92cc7228545cea32eb003a91f70a490fa9e85e76fd87752d958f86a8966f48c7e1e4d6195125c6cabc09cd8158891135

C:\Users\Admin\AppData\Local\Temp\ioMk.exe

MD5 00b403e64b3e63d45a3e93348fe9f6af
SHA1 807f2ee27191d6745aa73f967cca8992c90974d0
SHA256 89e995ee171da57046ae2d294bec027ab100cb951abe25adae7c6af5b01a9603
SHA512 d891a26308ef45d52a9c9b5492f8805a4c2064d826810a8232667b43fddd3254c0edb1e32a952fc6ca34b3621bfcd8d753bfefa3e6e63baac55e9428214bb0aa

C:\Users\Admin\AppData\Local\Temp\oQco.exe

MD5 7d309110105c8ee8a8f5058025bf3ce2
SHA1 f7d45b6051c04bba97b888daca0c3cf9486a02cc
SHA256 9d1296afd0b6306cfb687506cba821608cd83afa0ed26711e8972c49bb1a6ed7
SHA512 17bff045b79ad0fc6ac0de1700eb27df3b149bda10a5b4e094c6f5b99a1e4cf8a99fac4bc24f3a3ad4bb6862ce3f3bb94c3baf4581af9bec4e9beb60158f14c4

C:\Users\Admin\AppData\Local\Temp\moEc.exe

MD5 c8ffbfb9e824d59cf12494d02b412ded
SHA1 ec7b3e102d5a8b27ee5f203e2f756b75dc97e965
SHA256 56ded647833424455874c1998207612ce54fff43ab9b7064c963ade8c5b395f4
SHA512 e48fa9f09098b4aea5cb5789f87b1f14545da0fc5dcc8d55bb9578b944c10375559816779c9c6205cb755f85bd1e5dcf3d3d0c9b49e530573d6a2293de649fe8

C:\Users\Admin\AppData\Local\Temp\nUgAIkcc.bat

MD5 8311a771b1d54197bd0089a72a2a2263
SHA1 b6febd105ab898426fc7684233744d1a80b99802
SHA256 0d3b666f07ed1fcfe2bbc72bbe0e0c0f2c69c0229ed75744a31a9981859f45f4
SHA512 ccae7db1e8d73126c9800daef5f80dd8e434357a493b15419476924be42fade8d8580870287f014410d3b531602b93a9332ef50d3ff01dcdd3f3772956c103cf

C:\Users\Admin\AppData\Local\Temp\WoIu.exe

MD5 3320bbc71d9f1434a427977b7df8e449
SHA1 e65a8b8358e312e0a8167d457c01d3f5249efdf3
SHA256 1315f83ab0d64d4f75b71b8c7f0a338d395b6d42d298772e87cb84ad5bf96eeb
SHA512 5fea5be8aec167bbcb2effa45f4874a590504987f3eda9d8c4b24bea3ef49def0d770b394fa7c5b06c0a91256511bca6db810676356fc2b4b1b70f7649ac8a17

C:\Users\Admin\AppData\Local\Temp\iMAc.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\AppData\Local\Temp\qkIY.exe

MD5 33d934988717561891d8739561fb8f43
SHA1 a428176665541d074ce01f72c9e374c078144cf6
SHA256 f53738714627951aaa632f647cd46201ae2369c9e545e1308b99c4862722a2ae
SHA512 21baf8096c411565e91a7e7f2e22839e360b3f61f5d57d6984727e3fe708f56c9623e6ab80bcf1c4b9253c8b6186288934596344971a10f02eba7c80372790cc

C:\Users\Admin\AppData\Local\Temp\wgQm.exe

MD5 d14fd90885f491cc6a99486216f43b05
SHA1 95155ff750d08b661ce52899f30407d2e36a11ca
SHA256 91e5a2ba2be3ebf45e5d4a44aac16988487d83fc84f34a51813f4e23e0c63812
SHA512 2f9879722bb4898ab4bfc859501b199fcaa6ab8bac10386fd6d49f473631942620b66ca59c63257c62720b81cc4eb13231598e30747212f150771e779819ff07

C:\Users\Admin\AppData\Local\Temp\wkkswowE.bat

MD5 94d86e828c1c55059dd38a49bda52030
SHA1 0400f0cb62cf33ba220efb478f76a6877995235a
SHA256 f9ccb4dea06ca681db531336a34086bb298e070b146531c01fb8c3004b6d20bc
SHA512 740874fd202e34c5a59cf960b43ccb2e2ca67e4e7d1e992761d99323e3a5f5de6f60691dc73664aa2c68362ad98a859f9f231c211ac82897c748f0b790921955

C:\Users\Admin\AppData\Local\Temp\aMkG.exe

MD5 2932374c781dd16f1bb2a9478c3fb553
SHA1 2bebdc469acb341fa93ad9dc00e206efe4472f70
SHA256 3dbf79bedaf730efe6a7fb17826ec1c672b0d987f65037bd94d45170735e3a42
SHA512 0cb1c946c088cc257c80f00f72b6a3896d671ce8f02916d309550180c5b353a58f82d53dc32cb358f4e7be022c0ab455471c7e45553f4775cb60d5b6633b1d02

C:\Users\Admin\AppData\Local\Temp\QcQi.exe

MD5 e41c4d7fe0b82153a4b3e5a7efda17e4
SHA1 d1068119f920f43ce95808a0e364e69637cdb18a
SHA256 7b53f034021739bfbbc0d61b4666dd137f8b55f137f05bfa5988afed6adcbea0
SHA512 46a7bc019ea77811b8d07ea9d6ccda4f38b3edee7828768ce2cb05aca44dfd0a23122eb09672f699824bc4e9c04629338848bfa22f95c09f0e2a85ab4bbdf02c

C:\Users\Admin\AppData\Local\Temp\cMcw.exe

MD5 d8237ed56d70b06bf3cbb9c27660491c
SHA1 6ddf53262158846ce10b9a79a36a527d7efd977e
SHA256 2e4d6aee45331fc77617b60ff9d22dd465dfeee82e1d328e63eec5e84482ba08
SHA512 87b1924575f62923a77881660e13993691354c5019def8f37e3220da34bd57ccac6f51a03ac6e18b2120ed5f723711c9a660825b0d0d9f5f9cf69c5eeb950a4d

C:\Users\Admin\AppData\Local\Temp\KEUU.exe

MD5 910a5cab76dbdb90cd1a919e62f989e0
SHA1 5881cfebd850a384fadf04563a0d0234e0851a9d
SHA256 09398ca29e05944884f8aa0445ae04b33bae217aaa7b6eec172776ed09b8eb18
SHA512 2c9ded434ef4ad8bca4b995bf40f75412ef81b37fcb1953364aabc4e396c5111c6f9a40b59e6bb5384c1c7e128b57a1f016ede04dd1d140cd98dccb72452c137

C:\Users\Admin\Pictures\SkipRename.gif.exe

MD5 d02c6a462726de1f6f1475528381125a
SHA1 823f6bba6dea0690ee55955687ef0bfd0185cd9a
SHA256 0d9d47265b41b02b672759a702fb2ebd6a766d6e8ca0c7c03f21375d075ebf40
SHA512 3e51487acb5774287764436c45b5063c1f92b85021ce7f7eb813fdcb721dc9316adc9afba8b794b655a146eafa62096d8ec78bdac9a8041d1260a3f4ee5ea431

C:\Users\Admin\AppData\Local\Temp\mWUIsgcQ.bat

MD5 03fd9c3a723bd97924a725ef5eadf3ac
SHA1 1c7086cc42dae8e1fd0ebce50e7113f848895bc6
SHA256 3e35dbca7f82f5621d379a9c33c2691851a5b8d499f1052352ea147800c248bb
SHA512 bebc7c01d0435a954123ad211dadd226233c0cc13a6018253c987c2049f9a262798e8126b2f24d152d78690486619ca6143b98aa5baa6be307a0bd4a62e035fe

C:\Users\Admin\AppData\Local\Temp\esku.exe

MD5 2c6e240d9cf854af53d1c5a7e1bf17e1
SHA1 088bb2c1454ac9eb6ca81fd67d9847e00757615a
SHA256 de8977b5edb5e0cf1f305d6621d310eb4500dc86b05c360cb8ed65b1bb0898d2
SHA512 44ac9da118b442806bf610a12443fd583df2e442c5cfd88e1c9616621c90b08d16c60c691aa96ae0b511b0cf8cf6e8a85925f32baf6cd2f8611caf2057dd1d27

C:\Users\Admin\AppData\Local\Temp\awIG.exe

MD5 425de2bfeedb19d6a535b82d2676fd7d
SHA1 a32fdf7c058872e159d012a38e84dbde0a94d043
SHA256 46a465ee4d1f044c359be6b05309f82c6cdcff75c5e50f8c3bf16c94ce402f59
SHA512 2c87dd9ebc1747019e5caae14f0b98a824c7b1cd641143906d1780b66fae547e985a61d834516cc590e7139a446292cff2bfeec37a79397613cfbb12f15eb176

C:\Users\Admin\AppData\Local\Temp\OUEgEIQA.bat

MD5 3714d5e23c044647ce308a1ef4fdd471
SHA1 4e9cfd37c519cff6745101ad2fabc6f0dbecfd1d
SHA256 52efb75029114f3bf16d15d60b9866cd99997dc6d2ca37d77a8394767ffbc187
SHA512 d916b3a83c619d6f69758fd9ca206c3d93fa3355a2fbe1d0bb6035e84d34b9676b223136b591c8e512f390ee2454e8a37506b8ca490688b8b32a335359b2a6c3

C:\Users\Admin\AppData\Local\Temp\aEEq.exe

MD5 d043c8de8cd2b42f05ddbe7ca66d90c4
SHA1 a761a8596509a79484e650451c57bc13a358af4f
SHA256 f1c32907e66286d9e4a932af4c34442a885886a4746427dfbb0c71266dacab03
SHA512 849835b0cf22bf88bf745d353682d122a7ade95993c16bbf7432af93039e914a1fd0cf944a031c9db7e00d3d6f02bab66539fb2ade97bf874ca2cfb26fb55468

C:\Users\Admin\AppData\Local\Temp\MkUS.exe

MD5 baa106bc55bad2e015930a0ce8e90784
SHA1 9ef2b7677a958720c2ccdf01cb1bd87dde4b6ab1
SHA256 f30b57512afbef9cedeca6525357633468fe7143bd13c7a52601e9d77ac9ad18
SHA512 43f1d748c4b636f4f7abca84f9aa770cd23140e39fcaa23293017373f536fd2e68b8f49d12f2e2d326aa1ca99f6109e472cd0a11d1043af272def44babe0eea2

C:\Users\Admin\AppData\Local\Temp\asUgQYQY.bat

MD5 47d50c6d792a9f86cd2e1f238ea4081e
SHA1 68fbebd5b7bff2f0cc1a40876a751ee5d3c304d7
SHA256 fe61613dbd51dda5d6035c37ea2d55c7051089febd108dc306c900e30a5528da
SHA512 2b71a55491591469434ffa1402fff72826c4e011ea9bb34a9858f0cb53bfe5fd7645e767c174d895b05b4c2fdefbb7a7d783798cf691e3afa5ead3e697576f76

C:\Users\Admin\AppData\Local\Temp\AsQk.exe

MD5 736cc46a0c9912c94da973fe7c26a0b9
SHA1 526cd8a8e8db91cc977b34407b189c5b5e49a8a0
SHA256 ab16905f7e1b0d87cbd54168a297c0ff797429ba4d39a1638e0e7bf58e25a2fd
SHA512 b000d39e9f9a9e8c4fc6a094a963fbcbb50e388267681e4487c19d3242badbf5163e7f25e5d7be289adcc970ac39d4adbd6f975892e101d5a2953ed6ecabd54d

C:\Users\Admin\AppData\Local\Temp\CwwG.exe

MD5 792aaaef342be492cb18f5aa4140f5d1
SHA1 13d5b8eb1f861e5134c394bf38988dcacc753bc2
SHA256 97ec2092da0e424eaf837ac0f60c6676612f81667d1c28d77ae171d81afbe88e
SHA512 0c6d5f94c6f99dbdb3f415587ec64b75b4eb39ee29a6c2725bf3612bef019d48b90583c66f8da6f356fa640c868a88426c2891676964f60faca6166691056bfc

C:\Users\Admin\AppData\Local\Temp\KmoQQIAA.bat

MD5 741d6cc4ac2cbc710e2bbce8e0dbc4be
SHA1 29097a81961c501a7db95b5968b9cb414b4d7f58
SHA256 71c2f9c9dcfbcb77bddff7cf83c5e575d76742e0cf4d77ad16ece1482e5c3f33
SHA512 8405ae461c84477808fbb12d7ff61725a707e84613b2285664ebdb1e623fd6d2628f12565d64bfac1c22d22201d8326f3f2663eb4b9a952bdc6f8d1adbb2d580

C:\Users\Admin\AppData\Local\Temp\OEUW.exe

MD5 7de50f80582b35523c9374c8ae58ee80
SHA1 da3db235140d341e16f3ed0772d4213db6d2628a
SHA256 05aef5dad2802cad2dc1efedbcc9c40744a7c21e1afc3d7d49bd77257636faac
SHA512 d6b4f5076eb884b9e75473fd6195962afba52f9f64c8bd84c33d5a4552562aa6de94889c90b069a3da5f4f0935caa1b339d0a97cfc7abb87fc913df53a0badee

C:\Users\Admin\AppData\Local\Temp\cgsA.exe

MD5 84090378f6e0e7827c486d99269a18ce
SHA1 7e44a68c062df50933867c6ea4b52f23cf02d5c5
SHA256 8935e9b2c4ab0af255b7eb6fababda65cacf442326d78a96023e7d55166ca002
SHA512 dd94e10425cbc991d32ac82122c2e2b0d40885defd522cda713a67ff1439175e14d89d67abe18bf6bdbc243ec0a5451be891716c2208ddbd68def5d170a71966

C:\Users\Admin\AppData\Local\Temp\fwAYMsAU.bat

MD5 5a98e3d3dc13db07130960e3b27ffdf3
SHA1 50ea32d6ed29216a175e6c5a5865a25afe8ac6df
SHA256 8b272e4f1e8762bae5e93aa576d4b1ca4be6cd8232faaed6eb08963e74dc05dc
SHA512 b8d7c067ef4e3a558878b2f5f9bb0d570887c4914ece60a049554f4e3638a5eb6d4b96b8f3d323911b983fd200164085eeb64de57f86d3bc1a7674b130c33e8a

C:\Users\Admin\AppData\Local\Temp\YkYs.exe

MD5 ff2e57a91e36d0e6650383de2da7eec1
SHA1 3de75583e4cb1e1638057eff76c751672b1ea53b
SHA256 93a0af3633c8be64fd3ce743bf25d1362ccc62bca916cf3827b05c7131db3dee
SHA512 72a10b4abd0abe5507513ec9d0f19dcf5f91fc57737a998938d2de7ccb38668ee45e08082a715d7e76d85f04e0f85724e6942cedeb7be11e9ac2806bbc4468c2

C:\Users\Admin\AppData\Local\Temp\QAEI.exe

MD5 91707097910a90748d7a1c659ca094ef
SHA1 95d790836ad45118192d6c9d4456781a8dd62f3b
SHA256 1152ce1c186c0b79aa6e8a6d40936ff6e7bf0a63187fdc6043440a2cef251d3a
SHA512 e18a6410afd48dc14eb9aaf8a099db6f2d247c6d8d88629ada8d9375e968e4b0d5dbae746c358ce5dc4d040a92d167cc7da09cd33c85c5d88f7291d0b353d79c

C:\Users\Admin\AppData\Local\Temp\iEEO.exe

MD5 99b892c140a1128f10b5c650d6f5c38a
SHA1 44f232d109d08703ab9ec3891d900057326fec8d
SHA256 3d0b2761e28f2730e30c3799df4e0441f160eacf6c1fbc6417af45efef27bff9
SHA512 0cf1393f474290eadb59bd09d3ffc28d20704e1a2a15c9054bb4b10e4d48394b38b2e2051f7de6e0e939c494c056d4eea1f6542ba6a34dbfae5d0f470f691372

C:\Users\Admin\AppData\Local\Temp\DEscowQA.bat

MD5 a739372226833c023b6440f448fc6589
SHA1 998c1560f6f08dd0ebe0ec3ed6540e7c24a4b24f
SHA256 efa613b821c340def1a617ad9a5ac448a1eccbda3c9c5e9d8f335116fb854866
SHA512 24a58abad9eea49b0578b34653ed7a4d26232d398985c13ca4c8d69e29be5072d676305f5e14a6ccda7d3336e7306354b6805a01e13858ba11e9d3319d9425ac

C:\Users\Admin\AppData\Local\Temp\ioAy.exe

MD5 26d97112867c5f768cf86a9cfeeb2a3b
SHA1 62e38fe2ae0314d1b9a36fdcf80f9ffde105c56b
SHA256 324448c5c92b7778ffb3d40ed512498f306c4af6dcbefad3afb323ad9f619398
SHA512 5b15a0af1df0417b8e2fb0dba700054c1d46d7a57748f7a75e3b4e3737b39d548d8459d60af902e4600e58186e6d72293b8807c17cff14d99e86d010ac4abac9

C:\Users\Admin\AppData\Local\Temp\mksa.exe

MD5 34de152b0952786100d3ac1b21ad4d6c
SHA1 b7f87b377e2c6060e46261a0a3e72a59589ac361
SHA256 3ba8bb13734d8943f49f5680c3457ceb05645e50b829488636a5e0bf9218ca0d
SHA512 3aaa9a8f47770024314886e710b5df440f9abfdf854f6d155b77c8521f2c9eb594d993de64cd91e0e9854ba61ff4182079e30bfe08f8fcb2d2a1a785a5ac1538

C:\Users\Admin\AppData\Local\Temp\ByogkAQg.bat

MD5 abe8bd56e8f424f44bfdcf5ddb59e815
SHA1 d0bc16c58d0b9e5799abc3331a29022271a302fd
SHA256 1ec9e7d460500c07ffd3768c2518f1feb25d538cfab31015a69bcc4ab720eb49
SHA512 52e99785893150699e9e875de2f494126d8dd8302129a1020bb7a272adaf1b3309fb37983a2a11d0f04f51721abcefbffe5f26884995961ce2db3e074df42912

C:\Users\Admin\AppData\Local\Temp\oIIc.exe

MD5 699cfeb552ea9f44f4408ec0b2e2e132
SHA1 3b5946a03a4c6d20b9f3a731c23f207a1b7ac944
SHA256 0f8bc331fe0333c312e9cd4e254eec769ff2a7f0a4c55c870b846180fba14a5b
SHA512 02af7b40c27ca0e663dadb41182a82c7f69f4b7e30fd32fad33d16361daf56ab938856c1ee8e32d1ca732678203fa205b39d1687673bda5bcf27dfab9f1b30f4

C:\Users\Admin\AppData\Local\Temp\AEMw.exe

MD5 69a04597f15b67d551c5cd9c764613bb
SHA1 a90901a87eff3b0859793a66d8379b83c19e5d34
SHA256 d755a5bb553b5087cbd4523a0c1831da22fdd63a8deb25ac20c3bcbc4201a987
SHA512 1c861cefd3f59f1f70cb17d00e7bf62c2a154c6d415bd0801babdf16c280ab2f3f4eeb211a6e79d237a71306282ff5dacc138c8ac432a6933bda8d3d618eebda

C:\Users\Admin\AppData\Local\Temp\OgIw.exe

MD5 3bd9566cc240bd61a4451922c240494f
SHA1 48c989dbf5c3e105ca4f52528abe964e0a49a2d5
SHA256 56682929f9e6978d78fe1d2b59744e3eb3936bcf78d0fbf757bea875b9af316b
SHA512 ee14d3a18ba23d0c9716ceb7db9121ae6a8546813b554b7e16198abaa4b73caf851e69aa18f355d266c3aed62b59411cbbf8b9b38d93a19b21756db82f0bf59d

C:\Users\Admin\AppData\Local\Temp\IEwo.exe

MD5 2a28fa8df894a1940b5b317bbf9e40da
SHA1 f09267a4a3f00f0b1bac7726e9a340e9e63114ff
SHA256 8ca1fedba3fe285c5e22a43e9da668da04aace6b7a839df81a96abe53b21bd1a
SHA512 f8f1691c178e65ba6322ad0532dcfc2805ffcc32519562f7400de445d5830288fc883c2747a5fec43d7746782a69a4157622ef1289f4ab9df3f1055dcb4b0fc6

C:\Users\Admin\AppData\Local\Temp\pGskcUEQ.bat

MD5 a9b3d6a83c8731d2f55c60724412d2fa
SHA1 d9c62d49088fb9592cdb6f55c48a6bc61b5be626
SHA256 6832b35a62ccc50f798ee6b53cb58983a5ecb3afd3a919d6e8c4457c620c9776
SHA512 8c393fd37fc7deaf5a9298ce6ecbc9ab586efbed4a3fbf5c3e474ff21f0f40ae62a432cebc417729906a08c965f2030107cb865078f978f4caf3459c0a262b44

C:\Users\Admin\AppData\Local\Temp\CkkO.exe

MD5 6d5302f73e4fd329de65985c63225121
SHA1 0bbbc3c2f69fee07c434a58b4bb8b057cb3b3b0b
SHA256 460c55604f2197cf97004bc707bca2a080c41ef707fd942d054fa16f12fea426
SHA512 410f2d8ea2f8725a080edcb58209aec99d8d0088da99bfd2f2d16e8cfd8538a0fd192f22e666d05e1dad1f62818c1c67d1e9963be179420c02b599ea00704dc8

C:\Users\Admin\AppData\Local\Temp\qMIe.exe

MD5 8a514518efecef3df371e50119987102
SHA1 9a665c6c3e2f5eba87f33bdd98b42e8b34098fe8
SHA256 d325851b5a426bdcbc19df2305244cd59fa78ca6011be08bdd413f26e64b263b
SHA512 0ce4593b7c6aab298ecbc3c1c67d65c9fdcf97ff4af03b3ea7697490dedc9c499c9f6711a95cdf45e44fb515b186e338368dcbe453b1c45a1ea92b30cfafceff

C:\Users\Admin\AppData\Local\Temp\RSYkooMw.bat

MD5 4f6f3a00f9cf471998b50a5618d184a0
SHA1 d29c3a56bfba0347a5e1292711ffc3822b571ff3
SHA256 e0a866586d152affacd825d1d20e8f74412d7edcbccbb437fddebdad14ef4847
SHA512 4e06c2c33398488090582e0f5d791d1c9fcae82f1e2cd56ad05ef6948afeed1fecdd161154c58aa1c6b77175488c03f466faefca6290865833f40549af3e1813

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 1344cf94be08aa9661a75170cc704e08
SHA1 f7aa46cff9bc9725ef1af6030f4d2849f42d6eb0
SHA256 204b087c0bcf92378f6caa1ebed4dff62a494dc56f6838ff266e8fe31ad8ce16
SHA512 216483e6c8463affec0b6982ef2cff75abbbbd1de5a74a4d9fc1f5a4f55fa8739aa9182b24bfe077b46f43038c3c8528b1b4b29ed0656c5159502a281c8b39af

C:\Users\Admin\AppData\Local\Temp\cEQc.exe

MD5 a9a1abbecbd4cf0d9003418178ee08ed
SHA1 592da7072cbddfb1119a42935c4931397d1ecfd9
SHA256 848d069a4422357f7327a0dc45b417c1452cb4926f064fe1ecc248d164fcbe49
SHA512 cc00116def21f049791dbd1ed91d956da23b19235406686162de2fd0789d9497ef1ab516dfe6daaf7116f80021d358d3fb20598cede131187094062735b5ef29

C:\Users\Admin\AppData\Local\Temp\QokK.exe

MD5 0d743c5819fec6ee12a408497efdb37a
SHA1 f82849f840eb2fad8afd474fb632f785b61ea9a8
SHA256 6381d7288769d785e725ba39dcf307ed8012f4802b2d94f33cd2b39eab5248f2
SHA512 e34fb0c24db47060321c771a392c237006812da7c95d015f5e7b380e5217fb1de823fab689121d68ead16585b43f83763ce6c9e6350222b6ed1e264909e53df4

C:\Users\Admin\AppData\Local\Temp\qokE.exe

MD5 f0f899527460e4a659d347ebabd2b4f9
SHA1 a076d28c7590317169753fa0490c859ba45c848c
SHA256 7f34e12453a12b7a326682ba7369504d3b823d8045a632c614cb6f2c20a1ef69
SHA512 9a15044bdb1ac280230d93d2f17ece84d4a6d090d0ab5bf01f6f8701c9e4fd206663dd7e2764f5a6af5881357b4c22610be6e202a91dcceff57ab9e9e30e4bb1

C:\Users\Admin\AppData\Local\Temp\uAIw.exe

MD5 b33b635a6f27db131bcd8b92433d08c4
SHA1 cf081756dbcb837433865967d09a64667452c328
SHA256 355c5d59c2730a4095315f3dc84fcfcc1212828b053a280e287e231bc837603c
SHA512 d328c1bd256bb07bbb4881ea3e79b55b78f6643e47bb8cefe0c27714caaa4d551256812828e14ed682ae20a90a91137d2e88adc90a7789c5463313c322950f41

C:\Users\Admin\AppData\Local\Temp\sQMssYsw.bat

MD5 1c0e3f3957d1f8fe655df64ff83caee1
SHA1 073dbc69bcce68c451713ed8817cf22756da8df6
SHA256 aee3042d3cbdef09ee81954829f897fd5b13b4d72315222b6b958b00d7a53817
SHA512 0d403c785194f1593a456e8aadb2e05f76ff316cbc14b974e690be9690619d2776f4580e199ffc9afe776f443f0ca254dc0dd82449e72d9be54f8d7ce28d3be2

C:\Users\Admin\AppData\Local\Temp\YQIW.exe

MD5 c9e717fea98f27788b8aa9d75e92e6cf
SHA1 8551a873dace9cfbd911eac1030ca187beca4dec
SHA256 89d7cc1f3be2fde806d0196924484f588334b91bebb11ad3df7d3fd1ca9c8ad7
SHA512 b583e49a932ef8bd6f644ceb51bf84d032dd3ef3e56ab0b6e7e8e9b3db8b469ffacc22ad9af4b4aa418d38c40a5823bb59400aec0786e164f1a4c62e29082a03

C:\Users\Admin\AppData\Local\Temp\usMk.exe

MD5 6879b7d2482c1c46ac94f5b13cab0317
SHA1 df17ecf1fdc470cea11be858c2496f6d1acdc0bf
SHA256 ff6177732634b543fb2af43f6b4526b2a385bc92e1b67bbcead573e6f35c2397
SHA512 4fd5d872bfec650f98c8f8d0756df1ee7a339a581318cc21fb7c2e7ec847152c82fce91562dc575b1b43e7d8c354790a81f309cad1714594c4baf238814e2261

C:\Users\Admin\AppData\Local\Temp\AgQs.exe

MD5 021e54a21166ef99772d7da0d32d85ba
SHA1 698fa0f67c7d26a54861950f93b12265d3a53854
SHA256 e1a460ea0f8af0424797f9637474fcbbbf3e3e6f563112eba593989791477fb7
SHA512 6585bcccaf26e93e27dbeb1d78b3b8b9223017d97879fd2113d6aeb775dab0439aad5a7c1e9f4d7c396d65f063fdb42acee24317496dee7489babe0fdf55c83f

C:\Users\Admin\AppData\Local\Temp\CkIE.exe

MD5 4faf40311c371cfb2fcda1cd19431ad8
SHA1 fbc6ae7b04d593f82cab88c62eed1599bf383bf9
SHA256 96b2301e33e2613408856495d2ae1458372a583e375ceff30a26350be5ac383e
SHA512 3517a6bf5bc7003de85af2bd7306d0cd8ae851789c1f880695daa4fd823731dcedc01abd99a39c9815050aac49656755d804ea9888104ed382f51c5930114f9d

C:\Users\Admin\AppData\Local\Temp\UEcq.exe

MD5 71969bc33f2597a4c642853890ff9c8e
SHA1 4ff8a4591ef824100293606d02dcd37958621ac8
SHA256 279ef81c0bd3abc566010ab08f833697ff78186289cb96de743cc1b7fb874a81
SHA512 bdfd696eee0abc4ec8ace95babaa72e17084e2cdc043e6888de7575e6104630ab949bd1c53ceaa18c527d278f1756e57f3f0a2fe3013d5fbf2f7530226232b0b

C:\Users\Admin\AppData\Local\Temp\ieEgwEUY.bat

MD5 22d87009dc31325c109df638127c98dc
SHA1 08d5f5baf6f8c096763c18372defd6452626f4b2
SHA256 dde0c37b0471c693e2cee43779ccfe8e62e7e9646234c12f20a94281cf3f681b
SHA512 02a19210d658812fea712bd666e03b404a512270aaa283fdcca8ecd1fb53c8076ec5ad1bf1fbfb427f9bc97f254f451758e2de8383fb15425cacc63f92ad43de

C:\Users\Admin\AppData\Local\Temp\yQYa.exe

MD5 7d35dc1b08bff29eab7fc92b2b768b6a
SHA1 4833a359cf84ec01351c1f46f82f0ab7a958b281
SHA256 fd361b39d25c1ffa044e772a04beea874278d1285cedc7372c08863994ae01d7
SHA512 20d3884347df3acf56e9d16fa276b2551cb1cc397c36ed871c5e188c1a81a75a48bb66f345aa23b7e65667447560958fb23a7acb32992bbd4e12a40617ba4933

C:\Users\Admin\AppData\Local\Temp\EQAc.exe

MD5 a257addc022a7693f319952436ea1de6
SHA1 07b196012e3785344e0459650818880969241537
SHA256 a062c20e84ad62dff8abbf643d05e9fbe38a02bbf11efd726935707bfe5ac1b8
SHA512 a898112766d18c3439dd12f7c86e4200d7d25f2de36a2567e4b3fea451fb33bae597748ec2c66014436259ab664c098c3192b8d30e802747ae86f286cb689903

C:\Users\Admin\AppData\Local\Temp\yYQK.exe

MD5 1d53a5beacb0ee26807ab08d63621604
SHA1 c2ad60bd929a6ecc1e01d2574935f19b852a1f26
SHA256 91fbd7b40a1fc3fd927a09006c3d11c9945bc0b74612a7ecfc2b752a30e70329
SHA512 83ae0189bb880fe82ae83e2059443919e0fcb0339d27d2d6e1a553bf213f7f3377760402285e8ab39277963b9c199b1c4abf2f82b9c8a42c09b3211dadd6cd84

C:\Users\Admin\AppData\Local\Temp\meIoIkYc.bat

MD5 38f5aa9e647da46d27379b64056c2f46
SHA1 3016e03e3769057b36fcff7c412fdf998d1e5525
SHA256 9450c88efbdf8059cea8607977b27a1b910132ab75f2b0a77e8875b493b9f862
SHA512 baa53b3bd72a254b104fc1234c31994ee5894ad8e5894b504b06cafd8cac3858a6eeeafe07015f794805077c6ffe850924136189faadbcabba8be974f184ea76

C:\Users\Admin\AppData\Local\Temp\WEMo.exe

MD5 34ca11bac21675ee82a18878a63077e6
SHA1 6b95f96511c9be37b3744df4ede1a5a3e75663df
SHA256 e670459c9185732a5d4865f7050975e079e5e697e45dde91bd2699ac9f4c2164
SHA512 55f557dde93a3edac0f007698a811491f641aeb1fbf1b1d8c48c8207d35fb2dc36469c02d6d166e669423e34f4ef32bc6fc9edc2d80d9a022be365a12deaeb8c

C:\Users\Admin\AppData\Local\Temp\MQMe.exe

MD5 daee56dfd29f4752c63173ac602cf7ac
SHA1 2bc85a28278f80a86aff4fa5860df8a2547bf149
SHA256 6d41536803c4633be3ec4accbca2c15959abe9fe87e8f37c28abb44fe5e71f06
SHA512 c2e41f40bd08f38a613d93a31b6746c505ca86707af956a6f79d7ec3789f23c4b326668b3a19e79ea3c847e2e68f5603f03de280b8829faad40ff37d04688089

C:\Users\Admin\AppData\Local\Temp\SkcS.exe

MD5 f0d713f45c0fa187c9eab5e9412f6033
SHA1 89ad997ba93f8858ac9aecc07958d74f8490e9a1
SHA256 6b78cb305ddd49c6951dd3cf87b63273bd292df5d5437508ed8b5e51f2892516
SHA512 ad30a73042b900510ad8a4ff29208037241f794355c5dbb0e8e760e1109df41a0489306b87df8bbd6c26f20c4521f3451ae2dbc3dcc72a5408c844d471426495

C:\Users\Admin\AppData\Local\Temp\QEIoAooM.bat

MD5 9ec10bb5c27eacf4046f55c700ff45d1
SHA1 48f6c8b3d350b492e39581e05988533f1b22c172
SHA256 376d8f7e18574ff8c824e5644825617cf664ed86968945a66936c09f9f5d9b9f
SHA512 cb6449cf31614170e2e2e4e239dcc28783d7be10191e6c584004a18dd981db5a39c7dfd42fd13bf3b35de57ce89f8eea1297ed21431542dc01c79b3f486378df

C:\Users\Admin\AppData\Local\Temp\eUAQ.exe

MD5 c95ef80e4073fb2c5212fa792cef6f8f
SHA1 c2996d6ef02974fd29dcee2f6101277bf9d256c6
SHA256 710f6b2b7b6229c573f00b80cbc8057a913b82e32b26c82b99cd17019867964f
SHA512 dd81a6ab373eb4eef89ad182f5365dce133ef86375986a79ba30518d8a324d9e96b492f7aed53a583a042b08eba708c11239663e8de2a5a533c2e0683e4d2118

C:\Users\Admin\AppData\Local\Temp\KcMk.exe

MD5 b90836a349fc03b9863a9e06a32e35a4
SHA1 c0e24a206094cf4ebce1ac13238e321242caeb57
SHA256 18590ddc845cd4779de543e1889f3359f651cfb1aea37dc1297f57c2db51f9f6
SHA512 6696745480283361f0f202d36e2f96eb4bab85fe2748b4fe91d9f4ebb9704584bacc285e5b88071e878e2ad2e24c20bc1a0a49ed8b887762884b7b4ce3df04c8

C:\Users\Admin\AppData\Local\Temp\uAsy.exe

MD5 30cd3cb783a3b2f516af17fab8faf34e
SHA1 55094dc1fe554fb2a889f6a3cddb3c0f0a40a6fb
SHA256 d6823e345d11dd630f83b1ad493516517bcccc46a2c55f2b7e8f822054bb3df1
SHA512 6ed18acfec3ec279fea4b016bb301fb968c66888047808aab8e6454089bd6c80d856eed9ce0b15537e2f6019e8974a9a04255195d4b722126301d2b5b9e3e358

C:\Users\Admin\AppData\Local\Temp\FysEUkYs.bat

MD5 0fd2f5c1b85b75cd5c918f867702b0f8
SHA1 dbd8f0b17c7b41553cc689028e21f3135936991b
SHA256 69e4c6afbb44f82287949719933a107baddf3f53e0f578e5326e3cf4315a08ae
SHA512 bf8e6e07d799f1a04c6f5e7be265a3fcb4b733040cbc0fb3d10ab87bda2915c12328ffe6afdb20db19753fe616b43885bdc4969b47bc6d259f490ee1bf694590

C:\Users\Admin\AppData\Local\Temp\UgAK.exe

MD5 f2a1618e2ae2680219979f80eae03d4b
SHA1 8b3a157c3207660612ea868cda4e3c30561a1d85
SHA256 bb978b4319deae7842a070039320c208af75c78c46bb08d50496b4fb9b1d5d1e
SHA512 abc8c847fd237042012d1b9866ccc02d619223c2313432d5839a1ecd677b6dff62eef1e7766393cf1e70aed87a9de49f34292467179946447aff4a1898b35e61

C:\Users\Admin\AppData\Local\Temp\Agso.exe

MD5 d31d3acc943bc6089e6d66c199e3a0ca
SHA1 5625bf79109ced1ce3934eef9762cbb0b3f0e23d
SHA256 911ee6efb4b75e4a3de40adeeec5fc0a8fbca9e97ecde3f649d4c5991c9efadc
SHA512 648710653b48537868bb357c18db1c2980c10a88bf87397b000917164ce1a6ebe4406b696ce1097d99577904ccb873eb09bdbd53b0b304e8ea547232fc43b678

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 bd3620d10405f024c6c1bcc8fb336751
SHA1 089be102115a8291f60d24f661d861aa28606f3b
SHA256 0badabbd0b173f7f180a72087553045a9a74a1f7e86725064407432752661517
SHA512 86f6c48cc83eee1a8470f4bac14f760184300964d23d504b65127d97ca03e8030b8a08c0d0ed157acfcade13d8130415fcfd057eef6a8c43cf3735a4fe523a25

C:\Users\Admin\AppData\Local\Temp\XIcoQYco.bat

MD5 23272ba8753a6c994c32fed7d19aeb2f
SHA1 2d64a37b693b4b621dba64e2287d145a9482fc6f
SHA256 040215464baab943dde66814658fde25184d5af5b73832abf197b96766033d6e
SHA512 3e22080c07a199883b71abf758499695193a3fd2687172d696952bb57b82f2f7d5a2c817d797fbd0a74e026055445a9e5d4ddb87c92ae57adcbf8f413f4f9204

C:\Users\Admin\AppData\Local\Temp\BIUUIwME.bat

MD5 b36ae33d67be333b8e902cd7680ae4a4
SHA1 38ad0055538e19f4e8bda9012e0e34a53d2226d1
SHA256 5ceab7efc7955a15af67e978727bee0c1b3f2213c06ebfd9e0f8dfbca48806c5
SHA512 5352fc9db65b8cdc6e5a6e767b0046c0bdd1b0e720c39efcebebffe3fc7e2deb32fd5554c546b16ced565da63b8cdfc7f3a9c257fbb0104c0d7073e70fbd9165

C:\Users\Admin\AppData\Local\Temp\SAIq.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\KoYi.exe

MD5 af6c29b6ee92a0e6183c5ae57dbc9069
SHA1 4851010f5d91fc98189515bef83697e3c64a0992
SHA256 dfaed46becdb0864bd51f1183ebb779092cf1b53f6d17e9ce56e3d09275f5946
SHA512 829c04378ce5bfd77d8603b48b96276f3d647b1577bb39cff956d75d8e4aa372c8d0ecb0c01c8b89b03d4ffa83f8134e5b5af11f9b5b292339c68127e1822dd2

C:\Users\Admin\AppData\Local\Temp\McgQ.exe

MD5 e08fc116fe327dc0dee82cb3b5d708db
SHA1 ba099a9e8e0953ee30916f3bfd6663dfaae1e828
SHA256 bcb34f7ceb691783f295ca852405848e7afdbfe1b40be00ac04af587cd33513a
SHA512 b4f453630a364025938522e1a5a4a9028cdbad86a4fe2ccf091e98cadd66bc94b0ef4867d67377a04417213b3e3af62c74b4c1d2d3940aeb4bae04f59c76f4d4

C:\Users\Admin\AppData\Local\Temp\SkoU.exe

MD5 7e7b6a7f461addd3d610f26242416e53
SHA1 083217e00a4e175b7b4db59d514bc9475edc2249
SHA256 1a6f2eeef9877295a5f68fbe32eae11bde4827b7e26939b6e3acf6ae09bae4f2
SHA512 3f675a6582dc0a0ef582cf85932dad0ee7938e893633d1f611e31731a39564d1defda4dbc75ac7f801c65ea8a5262b0427e8be95b92186bfb0502d6f43c425a5

C:\Users\Admin\AppData\Local\Temp\UUAw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\aIwq.exe

MD5 181278048e2cd5e9cf74f8ac48b5cd02
SHA1 b91aff7d1e863b298ca5805c2d9df5d6504480f7
SHA256 73e21734b3c81295c56a02bc19750e6a2e57307928304be8987794ef168c54dc
SHA512 d46081c5ddbf1eed96238aac1c355842459cdf5ac46d6b1d15131c633205b7e6d713ffcfd4e81d2fd47cf1491e693e8f7725a69d7976c69814eb3472fee20af9

C:\Users\Admin\AppData\Local\Temp\eqYUkAsQ.bat

MD5 fea32997ef7c49d96ab712b7530f4996
SHA1 f619a7bf3399e1e450c854e169bbd9c613bc295e
SHA256 53d33baea6f963789252b491817c99dfd820f7ae36fc13d15b4bbdadca6fd530
SHA512 dc0c680506cb9cf5829fb7efb7f79849db8102f56d2e8d9855f9a496d4d9b8ae3c133548e8538620fd749cf8434523e98b5e1490d257b8a18631fb896b635584

C:\Users\Admin\AppData\Local\Temp\WYcG.exe

MD5 60686c726867277db3340a3d17def19f
SHA1 3aa26559fc29c26b201a32d94f791bf282335f16
SHA256 201c07355c798ddbf56f0845b27cd5b896a6cc163a1df5a3760ffef153010496
SHA512 ba72cea43b8b62ad4abdd2a08209cbd5f677178095dc2b96eec020c36d96ab01aed5041b82dd7c79717c2ab7d3b4f145e87a579ee691bcf9e91c6dbd512df2fe

C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe

MD5 f73d982d501c71e56fb775f7b7eed848
SHA1 c1d525d9c15c298bd159821eae1932ff429a1139
SHA256 062abd92628e41854fd84682c72481b2c5c6caa9b32448c2f704af6a7708c38f
SHA512 923ac3aefd7ff71da694b9e700b0eba7d5d855856b412c5d7c9b7de315c38ddcc1f4f7b3c90c927839220f075bc4e8d7454c2751a130161d0de00db705d717d5

C:\Users\Admin\AppData\Local\Temp\GYAm.exe

MD5 5e14f2be1a11ab3e953c8f96aa554910
SHA1 095e92a9b662b365282f8a9e566d32a1f0f09870
SHA256 8f21c195384830dd6a7f75cb5218f7207b5f56f3f01765a1ef41e589c0ab4dbf
SHA512 d3df67e7fa3e2cf036884719446dc3000408bafb41a993d5ca981bc1324b3a3f74c0260865825630dd1377c109d375746277d20f08f022ab13cece9186efad6e

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 0e5a52c4734eb8eb8f39f8feb91b1525
SHA1 689b5f3748203680ed5dfb70250564c28e454fac
SHA256 85bf26a029e79d8f2a0444e970b68aac2c97daf6fa01f618bb3a94983820df7c
SHA512 cc419b9053b4df60930c9d4db878d25d114af884a72a84068503254a00537db3b855e3112041ccf3551c0eaa04b6383fced6cbd6224c99e692c4b9bfe058b9bd

C:\Users\Admin\AppData\Local\Temp\oKEcskcU.bat

MD5 bb96748e1a64ec6ad28df94573758dfc
SHA1 094b16b65189208077388ee70e0db815f6387829
SHA256 4f57c44e660541002b34095d7222671ee470b44d77bcb0c0bbdabf421bac0a3c
SHA512 323e7aacc627a64a549352ae9f3d571b89e63a4b26f7524c6b19c9b3b9ae789959def71b394ffe5fc1917c8e2d85c88e3d10c54db628a4f892150b33c7aae7c0

C:\Users\Admin\AppData\Local\Temp\IcAe.exe

MD5 59b1557dd1f4c14078f972867797683a
SHA1 1d419c97242124a5528fed8bfe55a1f61d1f7a4c
SHA256 6c49d6b314457e55707ffe8e58833d470d22950639480519dcf8d1fed882ae70
SHA512 4da488e1d7eb3c489b396916539c7d62fbe46af9e3bb1e91cbca524ea656d59e26ef537f005bce961f736aeb77613f89dee68436eb43093d424d0cb81a4d9b92

C:\Users\Admin\AppData\Local\Temp\kwYA.exe

MD5 9fd8fd35fb3822c55cbe099e92905814
SHA1 0c67a2dfb0427ac10203e82881fac25cc71adf8e
SHA256 32144d30b6e83cbbea029cbf0d0997c677ef4ed2cee448f269c66c9d265443d3
SHA512 9d7529bd2e2a4e6a8882859d4dc19c341f13ef27acaac7066a077672e444c850893b94694f5bcc7f9eb4a626be66fc6650d6d8f379695534db2b19f8cea0622a

C:\Users\Admin\AppData\Local\Temp\akUckcgo.bat

MD5 79de3ff311a49f62255ecb2d4689a629
SHA1 11bda7e2a3eecb6e917cb716d3f74f007d5c6df4
SHA256 7a8df5944a7aa1b2dd4f4636d7fc99a3705baadcc30951ec0c56dce2917dc332
SHA512 56f39591017bc86539c471611540ba85388772a9a603fd02a35b3f9465f3a99ab39eea3f81c873abd85a7c2a2bae63beb819b51ba75f42f515e64476b8bf96a6

C:\Users\Admin\AppData\Local\Temp\WegkQogs.bat

MD5 4621b836b3d9dc923cbc75a8f76475b8
SHA1 0665a739073aedcba27f382863fd25e06072597b
SHA256 579b4c1efa4022d0c520ff65e25214a4e1128901b71f2a054d530cd23574fa92
SHA512 c1a85d7bee7270c6cfe910e5e5cc50d67604a77bb10d2229bf124f554b5d8e5795c99ce11bd01b577d8d9fb4934c3cdc9531a3c07e362cdbf13c95abc8b3591a

C:\Users\Admin\AppData\Local\Temp\KkYIwsEQ.bat

MD5 6507c965c7ca51c87f9743094ea16e28
SHA1 6242860f6703004c85f8888f0bf8e396f14f7df5
SHA256 c53b4761b1b8f389b4f39656765814acf2718dab41067709c899bcd4e014c463
SHA512 2284645b1b09239eb57c7e216a4fa2ec7503c7e3881bc3e3bec5b17e98af53bafd5eb5886597352dc3938bacb581bf8d7b7ea122635a5e659f26415b4008d518

C:\Users\Admin\AppData\Local\Temp\lycgwUAE.bat

MD5 2c0a5337bc0285092f12327da86c7396
SHA1 ffdf2c1c86e8247d753d1d36e6cb1b9efd0f7c8c
SHA256 ee4593f6030a5f64ed76c36c123b2533ab86ffd79a2f824ae811fcc22f5419f6
SHA512 a41d1464bd214562e1f54ad9e1b16238ea9f0d96b3de0428b4e5f54798ae9588aa938ed45376d47c5797e1dab94dcb802e41abcd9160412f57ca0523bcac96fa

C:\Users\Admin\AppData\Local\Temp\xeIkwsko.bat

MD5 5a419d1c913951bc0ecbdc2a224f43b5
SHA1 429e47b551c44770f694c73529b848bb6cf10cfd
SHA256 05eabd04c1b577e2b9c96388659c3140b899f47da3ee2cb87c838fedca9fc87e
SHA512 89ee8d133850133beb3f188b7317fe1a67f127c3a5715f8fda7b97264c692223e05f1547f26c69921988f2c66dcd7c9ebe6f2b9b1b2b1be2174491e1af2518fd

C:\Users\Admin\AppData\Local\Temp\LOgMsQcE.bat

MD5 177f5215dc96b58d071a0cc1943242d2
SHA1 a7e6e9ae8179b62414bf9ca599ed08c01e8eb398
SHA256 e33726b8f577250325cc211671fa4ab6e968da668d6b37fe412bba2b025d2355
SHA512 e515a71d3ff443effbed5162b6b4aae918ea352293a52cf4a6fdf3ba9c4c0cdbaa7f1206146f4118067db6f2737169dc12d9fa820ae86b8a36acaca96005cb49

C:\Users\Admin\AppData\Local\Temp\rWYQAMEY.bat

MD5 d097d1b38d1ca8a60bc265773d9c3760
SHA1 8eaa1e0cc6ed26d2faf8b6d9fdedc23efa524ad4
SHA256 89f7ff1fec226b871cdbd00476c8b382d5223fb8a5051dc2afd2eb6bd8de6108
SHA512 7137c25ade35a21141a33ca87872dfd15fb6269904722dfe0808b4248ee36a526d96499f4db93e36560c9dec12acb85018abe68faac4ea8f9e93eb11ad79d4ac

C:\Users\Admin\AppData\Local\Temp\qokAwkoM.bat

MD5 5e8fc13736682c873ba4bc4a6e7eb570
SHA1 da5912bc54a8545170263e4cf43dda9839fb9b65
SHA256 e777cd954b2fbf51b76ca7359f7d87f0292439584b857b9a8a7a65b57c4c638d
SHA512 2602262dfe444898f341542c3fbdcab0b4667fe37d38c7d84eb48409791ffc0b65aba62b9efde31ef896e5098934c2422094016cc17882e98984ad6e74a713b0

C:\Users\Admin\AppData\Local\Temp\yCwUoMgg.bat

MD5 aa97edddcaa4a479e3ee785e85ab5769
SHA1 cd8cd6527b661030c6f3a31fc8e65ff75655a2b4
SHA256 950a77d0e8899aaa82aabbea4d04ab0db05170c9309bcd3196f69cb8b8ef9a92
SHA512 58c5108b8fc4858e6067ee737acce7178e89d6dd16540a107271d852dadfa87ff9c0f1389d32b8a934eb43112b402eb84ae2bca893333ac33d8e3f0decd92fa0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 16:54

Reported

2024-10-20 16:57

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
[23 further identical entries omitted]

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
[63 further identical entries omitted]

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A
N/A N/A C:\ProgramData\CosIIEMs\JGQUEcAk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwkoUgMM.exe = "C:\\Users\\Admin\\iSMQUskw\\jwkoUgMM.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JGQUEcAk.exe = "C:\\ProgramData\\CosIIEMs\\JGQUEcAk.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwkoUgMM.exe = "C:\\Users\\Admin\\iSMQUskw\\jwkoUgMM.exe" C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JGQUEcAk.exe = "C:\\ProgramData\\CosIIEMs\\JGQUEcAk.exe" C:\ProgramData\CosIIEMs\JGQUEcAk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
[64 entries in total, one per process shown above: 34 from reg.exe, 22 from cmd.exe, 5 from the submitted virlock.exe sample, 3 from cscript.exe]

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
[63 further identical entries omitted]

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe N/A
[63 further identical entries omitted]

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\iSMQUskw\jwkoUgMM.exe N/A
[63 further identical entries omitted]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\iSMQUskw\jwkoUgMM.exe
PID 4608 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\iSMQUskw\jwkoUgMM.exe
PID 4608 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Users\Admin\iSMQUskw\jwkoUgMM.exe
PID 4608 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\CosIIEMs\JGQUEcAk.exe
PID 4608 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\CosIIEMs\JGQUEcAk.exe
PID 4608 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\ProgramData\CosIIEMs\JGQUEcAk.exe
PID 4608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4216 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4216 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 4928 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4928 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4928 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2744 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 3104 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 3104 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 2744 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2744 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4492 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4492 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3960 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 1028 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 1028 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe
PID 3960 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3960 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe C:\Windows\SysWOW64\cmd.exe
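The WriteProcessMemory rows above and the command lines in the Processes section below together show the sample's re-execution loop: the original virlock.exe spawns cmd.exe, which relaunches the sample by its extension-less path (cmd.exe resolves the name through PATHEXT, so the child process is still the .exe), and each new copy writes the same three registry values (HideFileExt=1 and Hidden=2 hide extensions and hidden files in Explorer, EnableLUA=0 disables UAC; the HKLM write only succeeds if the process is elevated, which the report does not show), runs a dropped .bat that points back at the sample, and runs a file.vbs with cscript. The script below is an added example, not part of the sandbox report: it classifies command lines copied from this report and rebuilds the parent/child chain from the write-to-memory rows. The tag names, the sample lists and the three-rows-per-child collapsing are this example's own assumptions.

```python
"""Added example: classify the command lines recorded under "Processes" and
rebuild the process chain from the "Suspicious use of WriteProcessMemory"
rows of this report. Not part of the sandbox output."""
import re
from collections import defaultdict

# Image paths copied from the report.
VIRLOCK = r"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"

# Constructed sample: command lines copied from the Processes section of this report.
SAMPLE_CMDLINES = [
    '"' + VIRLOCK + '"',
    r'"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe"',
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwgIAsoc.bat" "' + VIRLOCK + '""',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
]

# Constructed sample: a subset of the WriteProcessMemory rows, three per child as in the report.
_EDGES = [  # (parent PID, child PID, parent image, child image)
    (4608, 2132, VIRLOCK, r"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe"),
    (4608, 4756, VIRLOCK, r"C:\ProgramData\CosIIEMs\JGQUEcAk.exe"),
    (4608, 4216, VIRLOCK, CMD),
    (4608, 1472, VIRLOCK, REG),
    (4608, 4928, VIRLOCK, CMD),
    (4216, 2744, CMD, VIRLOCK),
    (4928, 1780, CMD, CSCRIPT),
    (2744, 3104, VIRLOCK, CMD),
    (3104, 3960, CMD, VIRLOCK),
    (3960, 1028, VIRLOCK, CMD),
    (1028, 4932, CMD, VIRLOCK),
]
SAMPLE_WPM_ROWS = [f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
                   for p, c, pi, ci in _EDGES for _ in range(3)]

# Registry writes seen in this report: (key, value name, data) -> tag, all compared lower-case.
REG_RULES = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"): "hide_file_extensions",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"): "hide_hidden_files",
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua", "0"): "disable_uac",
}


def reg_add_fields(cmd):
    """Return (key, value name, data) for a 'reg add' command line, else None.
    /v and /d are located separately because their order varies in the report."""
    m = re.match(r"\s*reg(?:\.exe)?\s+add\s+(\S+)", cmd, re.IGNORECASE)
    if not m:
        return None
    value = re.search(r"/v\s+(\S+)", cmd, re.IGNORECASE)
    data = re.search(r"/d\s+(\S+)", cmd, re.IGNORECASE)
    return (m.group(1).lower(), value.group(1).lower() if value else None,
            data.group(1) if data else None)


def classify(cmd):
    """Tag one command line with the behaviours this report records."""
    tags = []
    fields = reg_add_fields(cmd)
    if fields in REG_RULES:
        tags.append(REG_RULES[fields])
    if re.search(r'cmd\.exe\s+/c\s+""[^"]+\.bat"\s+"[^"]+\.exe""', cmd, re.IGNORECASE):
        tags.append("batch_relaunch")        # dropped .bat is handed the sample's own path
    if re.match(r"\s*cscript(?:\.exe)?\s+\S*[\\/]temp[\\/]\S+\.vbs", cmd, re.IGNORECASE):
        tags.append("cscript_temp_vbs")
    m = re.search(r'cmd\.exe\s+/c\s+"([^"]+)"\s*$', cmd, re.IGNORECASE)
    if m and not re.search(r"\.[A-Za-z0-9]{1,4}$", m.group(1)):
        tags.append("extensionless_launch")  # cmd.exe appends a PATHEXT extension, so the .exe runs
    return tags


WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def build_tree(rows):
    """parent PID -> {child PID: child image}; repeated rows for one child collapse to one edge."""
    tree, images = defaultdict(dict), {}
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            parent, child, parent_img, child_img = m.groups()
            tree[int(parent)][int(child)] = child_img
            images.setdefault(int(parent), parent_img)
            images[int(child)] = child_img
    return tree, images


def path_to(tree, root, target):
    """PIDs from root to target along write-to-memory edges, or [] if unreachable."""
    stack = [(root, [root])]
    while stack:
        pid, path = stack.pop()
        if pid == target:
            return path
        stack.extend((child, path + [child]) for child in tree.get(pid, {}))
    return []


def self_relaunches(tree, images, root):
    """Number of descendants of root that run the same image as root (the re-execution loop)."""
    count, stack = 0, list(tree.get(root, {}))
    while stack:
        pid = stack.pop()
        count += images.get(pid) == images.get(root)
        stack.extend(tree.get(pid, {}))
    return count


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd) or ["-"], cmd[:70])
    tree, images = build_tree(SAMPLE_WPM_ROWS)
    print("chain to PID 4932:", path_to(tree, 4608, 4932))
    print("self relaunches under 4608:", self_relaunches(tree, images, 4608))
```

Run against the sample rows the chain to PID 4932 is 4608 -> 4216 -> 2744 -> 3104 -> 3960 -> 1028 -> 4932 and three descendants run the sample's own image, which is the loop visible in the full table. The same regexes apply unchanged to Sysmon event 1 command lines; a hit on disable_uac or hide_file_extensions from an unsigned executable in a user-writable directory is worth alerting on by itself.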

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe"

C:\Users\Admin\iSMQUskw\jwkoUgMM.exe

"C:\Users\Admin\iSMQUskw\jwkoUgMM.exe"

C:\ProgramData\CosIIEMs\JGQUEcAk.exe

"C:\ProgramData\CosIIEMs\JGQUEcAk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwgIAsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMwgYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQsAAcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQIwcQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKgIMoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wycEEwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veQMEkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWEkEwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwgQIowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkMIAIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyUUMcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkogsYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoMkgUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISoQscsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcosoYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiQIIcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEQEccQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rakYYEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQUQkkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOIoAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAwAsQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekosckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwEskoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tssUAQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkkAoIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmwkMEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscwIcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOogYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEsUAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOAYIwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAYwMQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEgswggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIsIocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSQEQUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoAssYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsokgkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaIsMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nucsEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmEYYYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIYQMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCQoQEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAkcEkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwgsYcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REYUwQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deksQEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQQQkgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKEIAkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gggAcQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUkAMgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygEUwUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emEgoAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAgsoIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSgIwQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwYYYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuQgwQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QowIkQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omsAgoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swIoAcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAoswEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGMIsccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUoAUsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIcEAMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEsMAUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMQsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIwEYkYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgcUcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcYMkQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUoAsYkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAEUwwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSEEIAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyEEMYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUwcAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMgIAcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwUYkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsUgUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgAIwgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQIYYgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwEAUYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQAkYIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKYYMIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQQEIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIAsIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeUYcUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKEcAwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwAgIocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEQQMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcMcAMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEcwIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWIosgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MisIQcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWIkAckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoIMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiEUgwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQIMMcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCsIUMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgAcgYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiMYgocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIwswkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSIQoEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqoscgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_25254d694617c9f5e62baff92b13782c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Files

SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\woMM.exe

MD5 2e0dd107d221c56f5fac64d8c8fe5969
SHA1 39cf7d8a25691349dcafb13d158fc06b7b5c639b
SHA256 635dc31be26f0aabd7934c5c73549e56295e0e996b198f14bea3ff559ebc7a65
SHA512 d3c89220953a576e08295576a49767c233754311ae83255e9a5e60c7e9c74bfb995c40d84915091c03801a0e2fabb05243cf24050af9cbde6086ce5bd4574596

C:\Users\Admin\AppData\Local\Temp\ScEi.exe

MD5 ef1b7e61a661c1311e884732c0dd033d
SHA1 e039a51af9c778c9c3469295393e78a1e740573c
SHA256 3b31f3b4574f627789a2b2e4f9a4dd000d137f478d71fcba9998b9f91974f0ec
SHA512 a4bf3d53ca11cafb510de0987af36a3dd1d970d6bf9d5b3025bc3973aed0b582caddbdacfc7a07815d521694b0dbb496e1265a36e9d2547bd913b3b3bbcc557a

C:\Users\Admin\AppData\Local\Temp\sIsU.exe

MD5 a45ba9e6952038c6add9e9363ee0d4f8
SHA1 2a675287ee2d9486a28513767438eaea78796b30
SHA256 5b0733068803e35903f8d167aabc4dca8aa6e7978b44f7a4b4b1a67f9b5dfa5d
SHA512 2d12eaefee7523dde2ba47ab7556e6fd721408b56e4d6132e816fe34a0cb2a171a55af391123843c7d7c4a608dd8d2b6ee14c74a7bf2693d77096dd0aaf35d1d

C:\Users\Admin\AppData\Local\Temp\Gkso.exe

MD5 28efebfe530a3b02615972cfcb14554e
SHA1 5e806f765ec01bd38ae01d76cb2a1105a4fe1d2c
SHA256 7024c0b841947b7d1fabe98bbb7a3c91bdde2844ded57dc8804aff75eda60c76
SHA512 57ab55e0f4ffe2e8e590d4e9b1d2a999e7eaddabc6ea2baba48ff69635c8bf6f7c08339b48aff58ca55ce743b729ef91f55a4942153cc259f53bd9226f5185a9

memory/4808-831-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CcwA.exe

MD5 8d6440a51951604f1d6a2b27ccf7c80e
SHA1 a8b6d9c51899630ca2df11132173c1d3313f0564
SHA256 c9cceee0978c9be291e25e27517ca52a9f537cfac240c14c5cedd3c74096b9af
SHA512 e6081fbaf18e0231fe2dae650374cc28e2afc1478ac2b1f573da09dcd52537b8ae2502ec696f368b140ac9d3faee8f1ed3f1c154ebe614d179567f934a43533f

C:\Users\Admin\AppData\Local\Temp\wAsy.exe

MD5 54967c1bff045189f5d777af9087420b
SHA1 f6d06117204d017efe2fdd6e8a4b644514dc1b32
SHA256 0d9236bbc21337145f9f992f8f98be5715a40f04a78e2bdc303615b5b39cf445
SHA512 1683a7fa8684222b5b067c3fb400bae4d62a0cdb98affce133be81ce68856405df458fee91ab3117e2551287e5c892042e4224581c556d13bcf8da9a72c34542

C:\Users\Admin\AppData\Local\Temp\WAgm.exe

MD5 c697f0ac8d7a52c577bab0be7d3efd51
SHA1 df1ca580ca4bd3e9dc328f6b25079ca131379e2b
SHA256 21f9c47f604b66d3a859940e2489b0cda0622172e66ce42716b21ee48765e572
SHA512 1b679e9f4f32f46ad8a98faabed9d07337a0f5dabbf36a15ef77889ac5600b5bf15318a909cd63fc05e3091877366c2984a73800d97540b36ac4e6aa3ce8f783

memory/2016-895-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEAW.exe

MD5 56c181c44706d8dd97ca3a6a65a6c896
SHA1 2a5935d1ddfba98ea1c763be756bd7782797cc6d
SHA256 c1622752a566ab5cf150c523cb23973bd3d95ef4264180b04df80566133eaff7
SHA512 a735b5e649f1701d04395cb0dac53051f78bb8675303f9e655c225cb1c1bac11b82ea4897f6bd8d388b8a8590c0b0d394a72b6e07b9dee3423f83b43da06fad2

C:\Users\Admin\AppData\Local\Temp\sIMu.exe

MD5 fcaaa54eda036cd3f1ce3b282a038a1f
SHA1 5ad922f9c43c07463300e30780471e6bb32a6522
SHA256 db2437035f9b3a77a3bc6b58e5605bcdc41c8ad1a9b6846e692ccb33ed63b1e3
SHA512 3d5c601182d117dbe1451ef0bcf8d85087bcb9f40e34e77ed42dfa44b7becbbcc2c5ec17840ec28a489960973de025062e0e8653a3a43fedf0c459897802fd6f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 be58dd9e0d98823f266302378cab0d41
SHA1 de03c814c1d91268ea8305b19d48a054f1d869ad
SHA256 bdeb903c13d9a070dd9abef67a411c139db9710dc09aaaa42c0f1bfb675c2f80
SHA512 e01a272839f5101ed5a8bcc4338f612fa3c759c9146068d0ac36034f24b9acc7c27fd1206492ef363b14c387fd062ec3c970ae398b32f269357e7b9306fdf90f

memory/1508-931-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\isEk.exe

MD5 9cc20693bb03f431b0817547aaf5345e
SHA1 8551178820125a519824b31b82f1a645ce3866aa
SHA256 421d4da7691989428225c697eafecfbb5e05856a22fe5a0ca5118b21a047c4c7
SHA512 69695eb992af0ecfbb9b1def92d4eec4f5a06b37fe9f75c497b74ca55c2881724a56b3d79a381f0ad38fb0897f3405903b58c5b144bc7588d6f27ea655dc05c4

C:\Users\Admin\AppData\Local\Temp\WoIw.exe

MD5 608d3b0a2aa997778baeb4d2b1b81b83
SHA1 8f729efe3d75772487bda1767f691f740036bdf4
SHA256 e2b8b3c58b94aa9fd20ca01eab27cdce222686f1970a9b4790e0e93846bc3605
SHA512 d71ddd41f7ca9c8ef7b572595b2e7ecff361d215cbfcf2c0cf2746152c71c2cedea3b9d911224e2165262de745190a5c7a7dd85f6d211966de74bfc4781d8736

C:\Users\Admin\AppData\Local\Temp\KkwI.exe

MD5 fa0e56b8443dc463a194a95c397b8707
SHA1 b4486f86b74841984f0b706e769e1f0d7dd803bb
SHA256 570d2a2732bcd3e2bc1a192ed617fe203e0ac873feff06d69f8008fc3b0b6e5d
SHA512 34f5e668b4f7976bb0615a44a837085dc73edf8e451ee728048f862889446a03d4c4113c98196df2d6c9b610c65635bd172a5ad6daa3dd14ca656557ba797111

C:\Users\Admin\AppData\Local\Temp\yokW.exe

MD5 1b13c0c1103516ed685abbe53273d7dd
SHA1 d970541992c34b2c79653ebf9b605f325b251191
SHA256 9e8296effe70f53f835038ef39856d60d6af9a5a551d0416faea23a95d46c9e5
SHA512 37c7b5c9a89b525c0b5eb3a9a56b8ff9bea3b16e1c1e0f3dc918bcc5023e03ffd7324288618a5c8f6c40f5d0d5b59a24f130f552a77ae1ef93cfabaf742c0fc9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 c8888efab6956da8cbeffba4d9bcc4a5
SHA1 743b1c6ec715d65cbe587259cf673de82970f396
SHA256 263098d2ccdae333133bfcbba7c39f862e0b04e37f9b38f696edec3d9686b113
SHA512 6b77c146fd113d9dc034fab3ce2cf9337a00c5f16034c50f492437c11e6722c36b3a3578be52a69ae7169eb6a38bfc7cc3aee581310eb934c7e85d47d6559563

C:\Users\Admin\AppData\Local\Temp\WsQc.exe

MD5 f8fa980504d6a606c1fae6f2117e6e2e
SHA1 b20d2945461d790de6de58cbd7199cdb66dd2e11
SHA256 3587f1471be10dd5942920dc9c500f811aefc6578dac9d57668ee25df810e108
SHA512 1db6feeb8e709ba597e13cf2d62bb74426e3f7fe1589b987f77c41393789b6dfc8538ab9e1af918fe5ba0ab11fee8e0dcd689f218f8551f8482a5f5877eb81b6

memory/3596-1023-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iwEI.exe

MD5 ada3aaeec18eaa9c413cbd0e88e90524
SHA1 922b68fc1aecf7015e651769c8971dc9ae881189
SHA256 dbf2fe2c4bf7be641652cc872415e48d690d286e852bdd637e1ee89c56bd1df3
SHA512 8a789f4c74852fcb85f0e639390f03ed136b6f6b0a9b8e2cdb15b97cb30b4729038ede946e4711de6a2d931a9bca0bf333d5540eb790ac91c33be163990ba4b0

memory/1048-1038-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Okgy.exe

MD5 4bcc48bddfcbab94c5e34c6c74b689c4
SHA1 ad051c95ce0c5f0113a0aa81bfaa529bb8c77e0c
SHA256 709a43c283b5ebc36431dfd72960d0ee017cac2e1cd61f7871613a3cfc26cb8b
SHA512 870d141a7f9e5c99e8624978d3ec126b29ce166fa8b2a9e513bc481119ea2a316f2a6121fba71ded487f438215c4aa48344c6b33f0c49601ce9ad54c3fa21952

C:\Users\Admin\AppData\Local\Temp\soYE.exe

MD5 ab780cd3b52f5a16b3552cad5812e0c5
SHA1 973b2a6b2c609cdb24df5c33b30b2b2b431789e4
SHA256 6be2c0c5aae194a1827a5f0459089d1c4425123cd8c9a03c4ca83c4cc888c47f
SHA512 788fdd0e1205d01f7efed03c5a439af4e86ff83199f85bb0901a169c04282d6731ddd2b1c963a3b3d2d009738bd5d16ce5c6e09702e50d57c484c88121170ecf

memory/1048-1086-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUEO.exe

MD5 bcfa770aa2f3e1948ecacfa91a4b1245
SHA1 f57c16cdab80e95393ddb16e721b0a9745aff97e
SHA256 1dd010491385044a497c43df688b8158b5e094e055a430cd0ddbe12957739042
SHA512 71f2007f4dadd98687e50347a99938d31378b4c838627ab38cf5643b738d49fca10b63b1e8d14fade3619d9886ddaa531523c24ed24a76f90720b59b2d0e950e

C:\Users\Admin\AppData\Local\Temp\qssA.exe

MD5 c1cb41c4fe5e550b27a9a2863f9f7944
SHA1 a83876b05e805b2fdb080133156e166237153908
SHA256 7ba9da3a464ae9737e159d6cd7c4d8fb3ade5c89703b13c8974cf08b9ad4b4f8
SHA512 eceee1318c786360f1fcce065f08a5be427a4f16c9bb2f9df08f0cee379317e0c6d696d8b934aec72af8621f05b495c01d2e7c0ed8cb9353634c0ba51e701abf

C:\Users\Admin\AppData\Local\Temp\kcEE.exe

MD5 fd2fc5a125837289c148241dc7e43714
SHA1 ace538216e158c07bbc805590da0e6f2a4a4eb92
SHA256 9ee790eb1466e4e0c64a8c93abb09cde5d92983144177c12c95bd86b8656ff18
SHA512 770df64b8080111c13ce928f035b9c032ee2d6605ccd595d293d0707c72912b34fb83c0ee1966684b1aab79a1419a7b77f49c47f7bc99669a143edd95d8d294b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 3866e9eea6a4cbab35a117e5115cb504
SHA1 f357b49f615bbce290c32891f1d6169df9965360
SHA256 51eb5a5fdd83b15fe4cdfe4948b65cb03e31ca9673ce627f13144e4ea9a9b761
SHA512 13f198538c60fc844079c718cf88258396a59e193e918833e731d9d20bb87f39424f22a29802ec54b20d0a23320039f48aa6d572545a017bfc43c92b2fd05751

C:\Users\Admin\AppData\Local\Temp\IQse.exe

MD5 83706d14eaa50255a3d37ccda0c6829e
SHA1 4fc53144ab63d26556fb1179acf0acd8ad0b1bdc
SHA256 518cf488cde7d739241dc1c99fa79d724d53865656e3ef5182f7a0f82177920a
SHA512 0a0aa0e59bc8659a0da524d4bfa258c915c91f9ce6f7b2eea29e725da639bcc95455df51e953ace8987707327f5bab79d388497aefd0d4c162f0138951949ba3

memory/5104-1149-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1648-1153-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIsW.exe

MD5 02b43391a7c1248eb50fc7fc611a7eb5
SHA1 64c316dea751c5d6d4c7b67c3c353b2a16d891ed
SHA256 57a0ce38291e4efa7d78ade603a386f57698d3680a85d79531df3cd7cb2517fc
SHA512 55c2a7e31d91b5f6d3e0b9559704732940a82850c5411be76a4ff5028a577e0ecb1a4c0d7a54e559d35eaec17c5e70de09024fcc948bcf761eae0ba67e55e895

C:\Users\Admin\AppData\Local\Temp\mIkq.exe

MD5 420f104ea4a06d6bb0fccca34a7ba518
SHA1 0fdd68493731b2b9e5e049ad517116b3baa5041a
SHA256 a65430e1b04efa51ed441de7dcf934758785c20451f18574972679464ce019bb
SHA512 77237bc80162c32cb39a753e848796610aeb7988d0af77fa6de982f5edbe4f3ba6354d1e72f387f5453c301b87fd49f6c0c177a34f87f2ed7289b3e6fac1331f

C:\Users\Admin\AppData\Local\Temp\eYEC.exe

MD5 8527615f1f61cb54d879706b4f88f00f
SHA1 b7630daae5e974313075d3112281139b5f1f62c7
SHA256 45ca6dcbf5fb9c79b3f50e760c74e813af130d5ae6bd30107b1ff9f4a71c2224
SHA512 98db65b196f31b2583ca88ee772ac66ca9686108aa891776eadafd0dc0541844df25eab0bb5d3eb89a08ce9f0fa47acc6abe61305b50281d03a580042dd2bade

memory/5104-1207-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qkEg.exe

MD5 8dbdb004e9f0824d999c0fb7f79eb923
SHA1 da5884026c0970ef606676f0864d1320db306d78
SHA256 afc071c81d1248c84ce63158df02b39f9b836b8f0ddbca1f57f97545e46e4bf0
SHA512 70d5321523ebb7b874757eeae983b60e02e8f049e563e24739c95e901447bc4ed3753b5222b33690d732e7c5a838817e6227b4e75c7eb0878c625708c7b1bd0d

C:\Users\Admin\AppData\Local\Temp\uAcM.exe

MD5 d95fe84e181d1aa3274d0493da1ce7ce
SHA1 08f829d99dfaa047d7dae80d0178698b0ddf1ad6
SHA256 4fa46b97fe5a262acb1995ee246bcb8235c2e707af3e016302423e2437a86209
SHA512 3885f8726b91dba10bbf4de6cecb6ede6d527d920d93ed737d28288a3a12bde69d8983152e8833661696c09724a778c24b8260a304b6daebf154fae5ee55ce0b

C:\Users\Admin\AppData\Local\Temp\Yssc.exe

MD5 5c49c3d27f59b25108bc81a313d33d4c
SHA1 e36ae97abaa68ee8fdaaf76da3fe78bbacf7bd12
SHA256 17230b9899831c514701b43f24db9cbf7c4330575a73d8036e8a9746a62002f8
SHA512 97adaf6a51bb8ec14ec24ce9c2207a0ef4dd726b560329d5a22e206cebbe43e499c199dcd981a16e445de746a9bf434615d5acbe9c2199bd3ad1f9877bd9ebdf

C:\Users\Admin\AppData\Local\Temp\aUUm.exe

MD5 3d43e5a172e5a394b400da38a0b9a5ea
SHA1 6a19b476da0792af83f2465f357fcfcbc7e86e14
SHA256 ea17e8cd96f0304be21801ea768fa8e500440fc6785edc12a2eb978ce526c73d
SHA512 ce4894456f73528aae574c576a5353c416a8bf6e881c2fff5e0e3f1d41ef8a26608b2e22f4b48a8fa0a76b2601684d9c4cbb7c60f51ac4f1b6459bb75fbfe7fc

C:\Users\Admin\AppData\Local\Temp\WMEE.exe

MD5 9538332bf013344a5500453c6c963b28
SHA1 591160279362ef2ba321d41bf6470b1842ed5e66
SHA256 a665b2d3b3ed5715dd17aa93cae43759c459b80dceadfbbc6ad4ee267f3bb0fc
SHA512 572362e7640690b5d6fe53017c108ed8a8c5300986c23d4d58ded1112321682e4a0ebf9a8f8d48509abbe54ea374c80025d1b76cc2c7231332521bef9f665402

memory/2220-1280-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAUm.exe

MD5 52e0557534d2ed84c32969341dba062d
SHA1 4a5c07317aa2ad9cd997433853e6b39e1c3e6e1e
SHA256 e356a91b7a1c6337d7a06a3f8ef84fadefcf097f9663f2dd5239995fff2db348
SHA512 66d96fe94e1ab3d03e8e4b1b5d50c496b1df870fc7e4e9411ebd0b861e41f181e7361f67825c8aa59bb414cb10ddad6655556ab2b5af3a149e8b92188ff2da97

C:\Users\Admin\AppData\Local\Temp\oIYU.exe

MD5 ba82cd1e687c4c5985c6b63f2a252ea8
SHA1 6700377d22a16b146d8d8a34f5436ae471d31c3e
SHA256 fc67fd330eaea8df7441e28391c26fc3554a92ebcfd7539b1d9f88b86b97bfb4
SHA512 70bb7276492c718b219dcce4da987c25522155e62a3fbbe433101fe27fb31414fbbfec82cb66c8c5fd8d75604405e1a967d6b302e0b716d8883e3b5523649119

C:\Users\Admin\AppData\Local\Temp\EYUm.exe

MD5 199ebb1fafe7532fd4da805cfae6bf89
SHA1 d0b9851a6d9702831e125c9e75ce3db51248585a
SHA256 173294d6836a121a6b131205984a87ba816cb964791f70c6dcb3fb474da483db
SHA512 ebb57099e2606d6bf3a222fb97e22294ce03234bcbeeac5b9cc97662116ae8f54a33ad277c13a9730c636a0796fa26385a5187b57fd012b7e6055dd897568bda

C:\Users\Admin\AppData\Local\Temp\AIYa.exe

MD5 09517ca6c7825205d3aa7ef030841976
SHA1 5c656b0ce8e369c618e97637b39f58fb892dd5cf
SHA256 659020c98dd796bd48342d4cfcfafd233bd541ac6be8a43fcd864194741a31e5
SHA512 b7f21fefd9fc5572d0edb873343cc8694a3ee51c841d8de563c08cf5a7f00ec4f46c52ed981bce08172b4c0ce54b3054642ec05a98c3685d99145392f6d614b2

memory/2404-1342-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYIG.exe

MD5 48e2c0e0d15ad8161b79cafbe1a4f728
SHA1 d6ed13e489da506e26227a8b323cad608591152f
SHA256 0e13be14140c2c5f4a25eced6b06d39695cf3ffc1a834b72c49d36e84813dfb7
SHA512 07ed90b957d658e383875218c6f5d1f7ed90b07cd2d263c83fee445a6fdd8332b4a7c89190a7027ffd7d111cec31f07cb47202de998e70c54bd9887bf242c459

C:\Users\Admin\AppData\Local\Temp\qoAe.exe

MD5 61b45cb6e8db9a630a9886c8b7844b57
SHA1 a250ba09be5c7ab8d5b3e6b84d5532513055e8a5
SHA256 055d24f29a154c7fbc3d8ab0afb045aeb232922222f3012c02d30d109bc9b091
SHA512 c314e7c866ea74e557cf6a127d7edec65c40ed7e3549cf674380a0f824d95bfd090ad45511e61b2207abf3f7cb6508cab18718383a006900b6de911cab63a00f

C:\Users\Admin\AppData\Local\Temp\KAEI.exe

MD5 bb429d7d64c4d1654dba065cc8c0cf2f
SHA1 ebe02b918384fd9103c7313c7243ec9f5043856d
SHA256 58ce1442edbbc409748024894dd3f9315eccd3fe3aadf2221b22ab4162143abc
SHA512 54c15ee33f02dd03d38d584f319f36ea65799b6f04519849972a1281b645d0454ccd83970790880e6000a0d76d33302fcd985e0b41292d7608ab29817a48f2c0

C:\Users\Admin\AppData\Local\Temp\gAMq.exe

MD5 475383b7abf67813d52fa5e93f3eeb36
SHA1 b385ab722b577b4a01e472ef8390893459b236cb
SHA256 9652374f51210ecce551942f5cea3d96f86ba239d356aa9f234176d0a8742487
SHA512 ef2cb5c815a2050ac6a715da276fd3a84e3de40723d71bf3c71f2bc236cd35b8f68ba26ef951f236a3c9c4058160db559296d2f24f98976d6bb15b5547ed1055

memory/3568-1405-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIwo.exe

MD5 43fb1178621ea6c8f877b57720aab9f0
SHA1 8104c2b5b046cb17f7460732e5922779266b55f4
SHA256 a703fdd20718e679665eaf4004411356e02bce71ed1542cb63699f276829408e
SHA512 a4fef112b56a5d34a4c8b5959e82dfaeeeffff51741c5b4d51c46344f218464385940c9ead125336a941042a430432892a0745b8a97e89ff75d366f79dc6a8cd

C:\Users\Admin\AppData\Local\Temp\EkYe.exe

MD5 7151403f62c5f2092a0acbd1d16822a6
SHA1 88e142786dc4e35aebf97e94b39beb2b03f568ec
SHA256 ce1a2f4c551d4ce317b9c468472a4fd7157525e8a9dae68e5ba80de80bfaf383
SHA512 240498db2dea7e3272418dbd7bfe6229e126598890434d03f2e3a3dc177336dc6ff59cf3d9e1875af2bfcc84b4248694a4821ae093ced68dd71b8380e4e2061c

C:\Users\Admin\AppData\Local\Temp\swYA.exe

MD5 18d5e618d59a3940ea3c8f7c6ef4bf2f
SHA1 beec18b7103e931da357fe30de079ab15586b157
SHA256 fb936c7156fe881afaacc0eb33e521d77e5ddc168d4b0c5d877edca1c59b8792
SHA512 838d00974c3b8ff9b50484785a94c51affaab26f4018b1e7bf6c599e645f6d5c4f6cf971b8ad646154b07bbdd5ab422bda705d8e2eb896294b92d6b938e29aec

C:\Users\Admin\AppData\Local\Temp\accc.exe

MD5 ab533f42c2a4118fcaff7aaa19a79bf5
SHA1 b8f6b013e4e6c39d0023df76939aa587a5f80168
SHA256 0763ed778d93000b7530d903afc75daed9c80dee41b5d9270da1cd9a67357fca
SHA512 67cfeda3cbf41b709a0742ec8f7b2557fda2141519d732ba828ec9a50821383bca1e0d4fe16ee16617e4bf964f4c8da649ff3184e408c491ddcc64f5c54613a5

memory/1420-1470-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-1469-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgYg.exe

MD5 efa3f4521c4b1f0a6cbbf7bc01debf8b
SHA1 363f99a3f35f685a0da978e7d3477501413eeb95
SHA256 e34e2a96a71e965d2d23fa90ff0ace399d59af833ccc3cb4ff27e6a079fd63a8
SHA512 c1764109503c177933fda1a72a0ac8dd3e37a836a57e14882af197dd64b23d5aba5b5e508e8888623b335751818b16c64e8f856e2045474a22257dd46da39e66

C:\Users\Admin\AppData\Local\Temp\QUIU.exe

MD5 42f9bce1ba2ad651710776f52a2abe9b
SHA1 1ed9625899332db21c1c3fa309b56315f899253c
SHA256 5a3a8a6f828cc1d769e1bef685a2d75acabee827a3bf9f71241ab4b468aed1a5
SHA512 1da69a691c86a2bf3ab981db0e44523aa57012e9fcbbc5b36742389a3930343fe1b9e2713a463b6e57bb7bfdebf01e0520cca3ac9859f2f7687fb9a26497d08e

C:\Users\Admin\AppData\Local\Temp\qQQQ.exe

MD5 a049152537f5b7169e541c2a667c68fe
SHA1 f375f796d72a6aa25195d3cb4b7797a5cd97eb2c
SHA256 90bd75f06f963bacc0239eb52f1c770f019b5fcedb7aa3fe7a9c34fb5c9ac90c
SHA512 3f48045ff4b45f0c00f16ae0764f63fb505e26932561bff732da825ca7c3bb01dbe850dd417ad7beb931369ad12c811c25ef0c26333c32c488b1397e2eb2a3ce

C:\Users\Admin\AppData\Local\Temp\yoAQ.exe

MD5 b732c5e85b0f39819e869766efdf07d7
SHA1 584911d3aed472f5b3f554247959dfdd2d5b6e55
SHA256 863f22d62be62a7a355be3b4ca2e9e002ff27f9c822ef55775f47a683c74467f
SHA512 7f49c8a40defac18a998d6f33adb9a657e629de91649df25d42b4cb719d19d0b76f9bca939680714bc4324b39777e94e83a7f965879f13b0263c4104447b65be

memory/5004-1534-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woco.exe

MD5 2272818ca410ae0c2374923c7028db5b
SHA1 effd8abd798acb568e0662a948a0b8b3867ddde7
SHA256 6068a4d028c71b382f9dbbf99420a5cedec3dfe2e5d00c89e7e2630c258c946d
SHA512 8a97511f7b71f0ca2762e4b42462d3e6624817830b36f3aa8e1545f87e183f39b2d0671c56fcaec2ae4c27016df215bb9fa6cd5a98882ad40df0462bbb65f179

C:\Users\Admin\AppData\Local\Temp\qogc.exe

MD5 81a0047c5d41ae4f7a5edaedf5bb147d
SHA1 aa66eae8f4d03aee8c18d83fc0c9affdd4c96649
SHA256 b1271a7001dac1bbda20fb790404c63bd98af0d4d7e2c11fd96fee64e3201aaf
SHA512 a9f14f4cbf1f7682dbe6760d626b25e00c1b7f0b4e4feeb42795beae18e91cf8bf4b5e8cf324320d1ed4e11189ddd569f5f083abeee3a14fb4958b62d4b88031

C:\Users\Admin\AppData\Local\Temp\eoIG.exe

MD5 69eb204a3723726add799220fb9cb964
SHA1 c8f50e576579c4374751571a87bf53eab007e56a
SHA256 7c3aa9fbc144df1b56b9d7b233e8f3f1ed56b942bc4e3693afec0d30fb5c99f7
SHA512 1f7de18dba62d571dc397cd6c84e95d4fce659e2c2ef4cd47b3ec9226b5935c566ebd531099eac71612a6a14dde6986d9bc7da752c8da1b142603718475943f2

C:\Users\Admin\AppData\Local\Temp\yske.exe

MD5 dc5042781339300cd9fbf3453c0cb7fe
SHA1 914aad3938ca32da40f849ef26a3791454b550e6
SHA256 452202c3141a71f5571e8e41f3f053001252b96e236615649b2731f04d7cc4fa
SHA512 60f3a41b1d76c52f34924251750b1d180cf8b9adfe545670ae0699f24cc239d934d8b2fe6eba6ca655299cd2749c1f2dc6f929d5db9a83f9ecbdd1e956621cea

memory/2840-1596-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eUEk.exe

MD5 571eccd6022d307cded59d8b53348975
SHA1 3731c18ff29ebc8546e51a2c56e473433b055ddf
SHA256 36dce37e5c0292366fe27848f18b52ae2e0d39ce9a7a95461607731124028c53
SHA512 fba63c43520ec897b3668cc540ed4ddc3553c0367dcbb727270b6f114b32780a906fb9332cb36dd937335981dfe2a763bb19c029e617671601dd6403ec64d585

C:\Users\Admin\AppData\Local\Temp\IcoQ.exe

MD5 621e524b059d187b8ca1e6c130c410c1
SHA1 dc1972d71ebcfc3a5165697dafa7f81eb2228c5f
SHA256 10fc53c235d0c630c0abf634309e8b40bdfa268b2aec2ac73e22e01cc34067c7
SHA512 4b9270fdd88ca6ae391719dfbddfdc682e9c5771222244ce0b6ef510b2c9bba9c4d7310e8a4a088cec9c72536f07898c8dfb8df17293698f62287599a1e0c419

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 f5d1d777c32c9de991fbdc6cd26b5bfc
SHA1 602280fdac05dd822a9d66fbb9dbd51417d1ce27
SHA256 cd4fef04d481b96221eec98f4e2fd59a952e526857f68f7940a9ba5e6b013564
SHA512 48be1b98d219a6f4a301ecf5fe852c36eed2f6b3e4547730204702a2d7b7251aa58e053e1e4c68a874db22889a6c5362cbe5e5f9879a53d75be588b3c60a902f

C:\Users\Admin\AppData\Local\Temp\IIcM.exe

MD5 946e5a1d3dcd528a965b509c8db5d499
SHA1 31257df1da2ae5a722aa801b7c4a63f3ee315f16
SHA256 f4a1ac6cdcb5161467b6c0a8af2e5841f25d6213dde4fc15e6498f3cf91dbdea
SHA512 ceed2f03d7a0feafefe0b8ed7eb85751817ff7c14a1224e374fdb464a48519164bbdabe8031d8f41fa6bcfb5362ad154b05cbe4285277eda837cc862d04282ba

C:\Users\Admin\AppData\Local\Temp\YcAq.exe

MD5 1b64ed1a34211cae52e35a6c11de5f28
SHA1 9a25ce071873c0f828df2c29ba02baff44c92af0
SHA256 2f106de1429dfa160adc7ee9e808c6373ac028897aa4e8baa6163f2f641acd3f
SHA512 1d1da341d537340f400b4f21e5b298cbb9499756af62878dabb585caeee34764e281106755b24cc664cd6a5d3fd90bf1f198f3f6988ee7340cb7d37640faddcf

memory/400-1679-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIkI.exe

MD5 6cc0e0c928f0053fe9fc1612a009ad5e
SHA1 45b945a8f0b880625052f469b739250e0150dc6d
SHA256 3f46a7cbe7d3048019dc061cdaf3e64d626eb14f174e43dde53bf7b26f90fc00
SHA512 6092605022904ce69153d9545b185c97309fc0c8647d93533fa66f79382b5b91aa9213ae0077a7f64f3bbdb74a127dd07273b50c4d8fb0779fbd3af3f90ce477

memory/3108-1703-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugMW.exe

MD5 9133660d8eaef9b5f3a514368ab7c348
SHA1 99f9b8f23740758bdfbc6954283c462ddc0cb290
SHA256 bdaf9642e5b0b6223e7816752e874a2d5fb521ec11178c1f7478a7522e5769a2
SHA512 fcd3c159915285ef446d0d81c32359100f7ae903e68f3835f258b64296b6440a31ff88e1b2981c73edab0177f339067be04f5f4018b00546b4963d4b263014f8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 978fb59749b26c848475fefa53262be1
SHA1 812f18f658ce7081ba3d1ea183e327cc39da2893
SHA256 1f0203e9bdf1884f70e5b0e2c3410dcd5dc69b044556b8286e13a29b1c0c7d40
SHA512 ef937ad876c83203321663c155e205c551782821653a9808cb0cabcf9136f91e5aa0c406dc1d9681051ff8f50ee95b5e269e5cd8a468e9a077e8ef33cbd3dbbc

C:\Users\Admin\AppData\Local\Temp\mcwE.exe

MD5 8f4a8974ba02487bd0cb31110b7a31e8
SHA1 b8b0a97b1c8f4ae81c9094f643ab49be91ee9f83
SHA256 ac77f2bf820f2b6485bdb84a5ec2b96bc0eb6d0b1f044b36052a6ca8b0689238
SHA512 64b16a72ceccea15860f1bb3271cf4c8a886771c99c1f7b781a38bb38687ceb3ab645dcc3e7b1f96f177f7fc8ddff1bcb3a551257f68dc078e4efb44643dc551

memory/3108-1739-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mwko.exe

MD5 4ce95e773740511b3e489093f169fa60
SHA1 fa48403b6a80d0bcd3ee9643cd2b85a3d3ea8497
SHA256 9286246057c20496d00c2eebf6d6963a3d506cb1bbdebc47b074483842c6b533
SHA512 146349c73f9d1cc5512c81242ad6e6fc3d845aa3cfd4fdf5b4c2d1d7e471fe9d3a79066a6aa91d2ce536dec41bd0bfa2bc7705f744f261d119d70223262384ff

C:\Users\Admin\AppData\Local\Temp\ioMQ.exe

MD5 c4cbfb9412462a4bef5b339a1f6129d6
SHA1 ec847ac5a2ebeea27595602674667675cefb8f65
SHA256 98ca3aedbcefdd82ab2e2f5392d8f91648bf8ebe73a2dcce529c02041121492e
SHA512 22201dfeeb19ce755026ce3952dc4eadb41daa0ad42e279b43a9591afcad1616d2072601ebd9ef188810a3c704cba21d6e6c7678cc754ad0acb294641c3b1e20

C:\Users\Admin\AppData\Local\Temp\wQoY.exe

MD5 66f92439854074db98b319441974afb0
SHA1 85c73b2c22f56903fc251e5bbd6fa844d7232a48
SHA256 4c884e128014be81fc21c6be492151dc759daa7b333189978f1c3af8bf1de2ae
SHA512 2c262adfac101d836fea3252883d4c167a8e18b24c974951d56cbe7eb09b44c15f9a8409224ab1b045dac0d0213ed58952e576a190a0bc3b65c01627cdf3910e

memory/3988-1789-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wEIQ.exe

MD5 021c8450caa9c2b32542d30ca3b3da8e
SHA1 0213cd04a4516f3985240f4d057ee53bfcb472cf
SHA256 65a08a675c758a71536748bd75341e81487bfe4bb1a49388376d27ca1939b411
SHA512 c5a00e7960d01ad80929e19b17dbb91b8b0296176cf4c13219eece7cc7715bba25adbfb674e9664cee958e6e1fbb7940e83acadf117746b8874290dd74f4cb1c

C:\Users\Admin\AppData\Local\Temp\sMsm.exe

MD5 ea4b1d56c91fe07ede8c766a822be94a
SHA1 7fd19d1572a68b8d0e0ea4df82eae26bcd870492
SHA256 746a460fe292cb55e4a9294a7ba59f6943cf09a9b1ccb6e7bfb79c8514f23a6a
SHA512 81ef1a9b2baf6a316838be59a9d9f8f85c164a0b4fc824c38890f2db2c78c68b9dc5e8b27b1dc66f4e8296c9c5098509f39fedd0d55c5b23a21bad8dcf0123d1

C:\Users\Admin\AppData\Local\Temp\uMgI.exe

MD5 9b5fd4022d327a6523dd4d4506dea70e
SHA1 1ee15fc3b41898b5d3fa514540b0ff4e21f860c0
SHA256 11aa314b632441d7fe02bc742f581434b9ac3e931a50d85aa8cefd1803be786b
SHA512 7ffedb188502b0eed1512491478735a9a09af4e5e463a62e28a2eac7012214d894b0cc4dd336b5bfa365b8b4b346bd8928e42e1b233513f2263f3bf3a540f9c7

memory/4432-1838-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kwwi.exe

MD5 359b6253b09bddb35c3f1742868ee41e
SHA1 1bd2c98aa0a3d702f1aac8c7233976689ec03c2f
SHA256 6d3983372612a60c8632be4d03d134dcf717bd70c680e4fc12203a55674f94d7
SHA512 d6796abdc7c4aa8a44836793980038acdb58ee09dd805a0640b16e2b3c1c2e791f342565ee1ea82dc5a4b8abd078c04c5f3f8e9c880b724d8a3e157a5dfe3a35

C:\Users\Admin\AppData\Local\Temp\EQsU.exe

MD5 efd1795747af3f3639f72c00c1085ad2
SHA1 4dcbffc62b9a9c2234c2f611d56d48f63392fc57
SHA256 596756797e21432f635710f7bac48f554c54939a3ef04f7944892e6c72ea4acd
SHA512 725e8b66354ccce8e5eb06e95262d7c2aae50ae75312343060f0b2bef1ec6ebeada061e674e2c3e579a4cbdf1831850f878429cb904ad0772176b73b185a2474

memory/3052-1883-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAUk.exe

MD5 070f683697aed63541bfaaf1c38fa5db
SHA1 b0dad3505851aa3bcbe922e6c3b57a851327be17
SHA256 4a172a0a9aae40d282b06a9a0373a489375a225fab2ef2fee3b222f5b710bda6
SHA512 a18a5d7abd1a66620834e9787a8229d3df6ab3784d10dd7fea755823a0f2d81d25245815c169c1cb4bba15005fc32c659b2100bdf2217d58259a12fd681a4273

memory/4744-1889-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIsw.exe

MD5 24fd82e567c8bf703d6a4b1ed8687267
SHA1 c743e5103ca24f93d8a5fc90ab6803d5ab965209
SHA256 280b95b81f361f6c25a7cff10655166afd96cc3fd6398667f20911022f91a789
SHA512 bcfe5a644a7ba4cec7abed4964971a8c210eda7fc1ca2b2a21c4cf8a333473b96134e1e0b32f833f2c21df6d4a8258778b4dd4dfec3b58e8a1fd707fb6993198

C:\Users\Admin\AppData\Local\Temp\EUkW.exe

MD5 4b377a07bb24f1339681bc0196108fdd
SHA1 d7abb9e0cb49def9b3ac59d292d71cbb4551d4e6
SHA256 d37cbde5a3c5d3b986f9ba68d23280d1724c4b98b60732e8c803feae4a8bc3ad
SHA512 d25d067ce61053fa6d43c21f259175787f0a0f894f63d5adf8ca640d4e0908a221722c70e8982c82aab7d273034612d4f74ed33eabb2f520a93bb0ed88475142

C:\Users\Admin\AppData\Local\Temp\qQgk.exe

MD5 6a3af0255b57916b79d4fc8a760e3d1b
SHA1 adf1706cacda7782f8f5c21d2407c085b412dea0
SHA256 1258a3bac36fa9c6e56b99cb8a3b7c1acfca70579fbb53022e7cec9c1bcbaf07
SHA512 7a84c91b43489ea979912b919b6dbe50959c3782f452ac6fd73c5ee479822b570fce730982bd5075ce3799ca4046fa799623e86104ad478fae175a65f9905380

memory/4992-1937-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4744-1940-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osgq.exe

MD5 cae943391b8b3d404134bad0d780bbd1
SHA1 5a3f9849641141ea8e0f8dfb71c58ad97a8fefbc
SHA256 00c31fa2a34050af15818bed6512d0e762f72804bf37ee1a206aaf82071b96a9
SHA512 e34d37205c1be1e489e8a35d15e046709a64a46cdafc5fb018cae6856ea64ce6feb45e468b0dbd2eed24295b05f78dafee875addbed8b00df1a409fac88154fa

C:\Users\Admin\AppData\Local\Temp\QYcy.exe

MD5 f1fd0acd07205de7ddfefd22eb69eec7
SHA1 761c42c6422029eb6fd556c08de78687819166c2
SHA256 4c7748f6a4bef7dfed9ad0a4ff34335fef5cbb856e5b200d1b1fadb009601f37
SHA512 49c95e785878146637de13c45f3e5b6a5113ac6678da9c615827c7cffca72285b89ed2a73c89c2aa2ac9acff7f887300b20736359fa829dc980881d1b95d88e9

C:\Users\Admin\AppData\Local\Temp\sUEu.exe

MD5 75252f944621fabe3c5e0205788d846d
SHA1 0cd2b34ef558008099fea7f5aa24dbcb2cafd35e
SHA256 9c21177af07bf71a8be1c8c369a2a9d84d3f9d4aa3d2fe2b2711ebc9ce872db3
SHA512 4b977967483faafeeadc394f9c5ccfe2d40e60abed14c1fee533a392f53aed24420b7db8dbff6ed3bcc896afc705b002553724c414a03cc1cb003fd300250bea

memory/4992-1990-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oQoI.exe

MD5 68210cda085d6f028bdec06ba5c449c5
SHA1 096277f3507bc97491bf2e16ef172897c1725fda
SHA256 d11917851961a72bef46222bb270d62eca715d68cbc41ab502173df7258142d8
SHA512 806037e549d78bfd8fce2d5b03191858b3f0819a13eaa250ff3a8ac91113c59838e26b8c3f9edcc84bafd5ec5acd1f922b5d158b44bce041b1f2afad152c87a0

C:\Users\Admin\Pictures\FormatClear.png.exe

MD5 857af3564ceb54745ac2c25fac75b2de
SHA1 006b43c8237aba287b991e9ccfbc226752f4432a
SHA256 4600890554b361a1e2a9c3574b19258f7b20a4fa4ba9feb1a457ac27ba55a2aa
SHA512 99c9a9d0a541ac414f6ecc447456b6c243f0214b3fcbf42ad3c8519f8e0e53aebd19819fe59c138a43eb08a6c34e9aff97abd23877e8e504a8d4e2a7562f1b5e

C:\Users\Admin\AppData\Local\Temp\Ykwg.exe

MD5 1150c0bb9a42b8e07c5653aa8c192748
SHA1 29a5eb127cec45829d3ab3c7d2e2b53f7edb87a0
SHA256 3f3c8f3fd2e98da1e72925caa86043c765e4d5e830612bab31f47ca56f5357b0
SHA512 190c73a1a06d8ce7975c0f8e3c86358aa6d586cdea62f55ec71f3c58e06ed274a9f78403947003633b5f99dc40e75f07b3e6d0a9c92824b1a1a8961128c5cc9d

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 a4450b8aa1c2b9684d6aaf3e00bf6d2e
SHA1 eb9274dfb1a735e6d47f176911f70531b50d4186
SHA256 47aef7b0ba7df981d79cb4ae47dcc1107cad1d2671a8e24c725734ed2dc9b300
SHA512 04de0ec685015bdd417bdca4c389bf8809f9a0bc20b8599aa90cff67c03c735a693d01c0d26a2d86a057ac10b383b1b582ae6fc4212623a40723f2508a51df0a

memory/1900-2057-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YYAG.exe

MD5 20acbe8a8b711a8e6bb262ce2aebf6bb
SHA1 abbd25a55094e15d01c17695056e06b1205b45d6
SHA256 b80eb86364324d4b20eb12e7296aa5aa1da7b25ae23ee115c3213aa51967f92c
SHA512 ddd6c06e728823f310d2fa2fa6d4638cc8b9dbaded1eaf67fe3621dbf7f31d5963dce62397cd9532113c82d47f6545cebc6aefd4994f4a93051bb11816f8b624

C:\Users\Admin\AppData\Local\Temp\GoUE.exe

MD5 f3d6add18af70a9a502df8367162b439
SHA1 f196cdb1c72e68349ca2d7a82d00e4cf2b06aae3
SHA256 1cbbd8eb045fedd74aea844d575f547d8496aaa84846b0db519287d50be8b54f
SHA512 31c51bdd20e69ca654b6c3003355266dcb650e0404271125776ed34a542e679f2c571892a645759d6db09f059bef266cfbaa09bc9e6fa2c6bb3b81035b93d4bf

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 34ac624124d5971fe4f4a0cae88ed474
SHA1 abebab1c5258821f7ce9f835879f15c7e8161e2a
SHA256 a3ba08af0478282cbc0ab073c91ec9e131750afbe2f3556560ef0bfd1462d5af
SHA512 530df47fd79228a225cc10ae552d7209237bc28e23b89c52a30d7800c8dc3b1cbada53518eb1df5b18cd8ed9d4756340d1a6fd14fd686b15890444409865048f

C:\Users\Admin\AppData\Local\Temp\GsYU.exe

MD5 f7a5921473085083eb55b0cc034b1114
SHA1 4bfc39d1a6125ea85f650e50430e9ba3ff8bc337
SHA256 5d96f40de12d72aaa9d3b2f52058628f162cda228bf9ab080ade71cf535eba53
SHA512 9232d6789f75d2eddc170d64337748f5119ed1d0aec3f5603fe2ed470acd8bf5f629f9305f9808d76e8f6b7abe2b642763c13104640989cf8b1fd0ab9af46f1a

C:\Users\Admin\AppData\Local\Temp\ioke.exe

MD5 95fdb4a877891e1d4ec36bb4c1853b3b
SHA1 281958b7280946da13df654029c18eb4648ace8c
SHA256 57dd2b77a681729a80ff3a24b728c02ae885ee42b9ed4dfc5d9d1017539cbef2
SHA512 c2c340093a9012b33c3e2baae8f9a60aec9c0bf128c3f6f9186c4d9c516f15eb520b6dd977e1f9a0ac6394c081d02c2979b8ae06bed9c000f3bd70e19c600f99

C:\Users\Admin\AppData\Local\Temp\iAoi.exe

MD5 b3c574411d4eee246390caab1bf13237
SHA1 d04f8dae44e743e6903bfcd5ffbb78d45307d0f8
SHA256 53c9b0b9f3056a46d7081fe7a3be14c52d3b204057df57f34a6afaa34e7afa9c
SHA512 6cfcbc0d30e5de35479ff2f5b9d24ed82edcb754ff65913c7595ca151e69f8f33c94a04de1a9e5c3f7d5c15e83c7a83f2e1011c25ffe8a161e62c197b21be490
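Two things in the listing above matter more than any single digest: every dropped copy has a different MD5/SHA1/SHA256/SHA512 (the family is polymorphic, so hash blocklists built from one run will not match the next), and the file names follow two fixed patterns, four-letter random names under %TEMP% and host documents with .exe appended (guest.bmp.exe, My Wallpaper.jpg.exe, alertIcon.png.exe). The Python below is an added example, not part of the sandbox report, that parses this listing format, validates digest lengths, separates the memory/PID-... dump entries from files, and derives directory plus double-extension globs to hunt with instead of hashes. The excerpt it parses is copied verbatim from entries above and shortened so the script runs offline; the four-letter-name heuristic for %TEMP% droppers and the host-file extension list are assumptions made for this example.

```python
import re
from collections import Counter

# Excerpt copied from the report's dropped-file listing (shortened for the example).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\MQAc.exe

MD5 d295c50a07c2df95096ca261ab0ea97a
SHA1 04b50c7700f543173a0815c9d6752b1e96b9e08c
SHA256 db2c9c1fcf5a635de2c40dec4867067c4a5d993f6196f69bc0e282b3d57e0413
SHA512 76531306dbce6855ccffa6eb6d7bbec03563c12538be6f3c99e8b5ce5fa06e2cc72562371e1200d8517fa2271713eb53817ab7f906f565f3bbf589d17ceaec52

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 28491651a1e7a6067ecdc773838765d8
SHA1 fc29fee7937e719c49f8c82e4001e157f0cc1da1
SHA256 723b56a0cf1c1c4da94dfeec747ee725c74ee49d3ed1f397d4492f6c6257fe10
SHA512 a3243f3c514918871c97a92a40fb83d0c0bb3f1cda4dfd539353fdd15fa323681e291c846201c6b4b1759ce5d45d1b4ae2b0839af9f0fed7186ed7901e0f4bb7

memory/3104-653-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 a4450b8aa1c2b9684d6aaf3e00bf6d2e
SHA1 eb9274dfb1a735e6d47f176911f70531b50d4186
SHA256 47aef7b0ba7df981d79cb4ae47dcc1107cad1d2671a8e24c725734ed2dc9b300
SHA512 04de0ec685015bdd417bdca4c389bf8809f9a0bc20b8599aa90cff67c03c735a693d01c0d26a2d86a057ac10b383b1b582ae6fc4212623a40723f2508a51df0a

memory/1048-1038-0x0000000000400000-0x000000000042B000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumed host-file extensions: a document name with .exe appended marks an infected host file.
INFECTED_RE = re.compile(r"\.(?:png|jpe?g|gif|bmp|ico|docx?|xlsx?|pdf|zip|rar)\.exe$", re.I)
# Assumed heuristic: four-letter random name dropped directly into %TEMP%.
TEMP_DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.exe$")


def parse_listing(text):
    """Parse 'path, blank line, hash lines' entries. Returns (files, memory_dumps)."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated/garbled digests early
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars")
            current[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "start": start, "size": end - start})
            current = None  # a dump entry carries no hashes
            continue
        current = {"path": line}
        files.append(current)
    return files, dumps


def classify(path):
    """Bucket a dropped path by the naming pattern it follows."""
    if INFECTED_RE.search(path):
        return "infected_host_file"
    if TEMP_DROPPER_RE.search(path):
        return "temp_dropper"
    return "other"


def summarize(files, dumps):
    """Counts per bucket, plus the two facts that decide detection strategy."""
    sha256s = [f["SHA256"] for f in files if "SHA256" in f]
    return {
        "files": len(files),
        "kinds": dict(Counter(classify(f["path"]) for f in files)),
        "all_sha256_unique": len(set(sha256s)) == len(sha256s),
        "dump_pids": sorted({d["pid"] for d in dumps}),
        "dump_region_sizes": sorted({d["size"] for d in dumps}),
    }


def hunt_patterns(files):
    """Directory + double-extension globs: survive polymorphism, unlike the hashes."""
    patterns = set()
    for f in files:
        if classify(f["path"]) == "infected_host_file":
            directory, name = f["path"].rsplit("\\", 1)
            host_ext = name.rsplit(".", 2)[1]  # 'bmp' from 'guest.bmp.exe'
            patterns.add(f"{directory}\\*.{host_ext}.exe")
    return sorted(patterns)


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    print(summarize(files, dumps))
    for p in hunt_patterns(files):
        print("hunt:", p)
```

Running it on the full listing rather than the excerpt gives the same shape of result: every SHA256 is unique, the dumps all cover 0x400000-0x42B000 (0x2B000 bytes, the same unpacked image in each infected process), and the hunting value sits in the double-extension globs under ProgramData, the user's Pictures folder and the OneDrive cache, not in the digests.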