Malware Analysis Report

2025-01-22 08:16

Sample ID 241026-e17exszdjb
Target 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
SHA256 edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4

Threat Level: Known bad

The file 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (87) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:25

Reported

2024-10-26 04:28

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYoYIgkg.exe = "C:\\Users\\Admin\\GYsYQMgI\\LYoYIgkg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MwkEwYMo.exe = "C:\\ProgramData\\ZEEkIUEw\\MwkEwYMo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYoYIgkg.exe = "C:\\Users\\Admin\\GYsYQMgI\\LYoYIgkg.exe" C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MwkEwYMo.exe = "C:\\ProgramData\\ZEEkIUEw\\MwkEwYMo.exe" C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A
N/A N/A C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe
PID 2980 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe
PID 2980 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe
PID 2980 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe
PID 2980 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe
PID 2980 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe
PID 2980 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe
PID 2980 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2668 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2668 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2668 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2980 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2764 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2764 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe

"C:\Users\Admin\GYsYQMgI\LYoYIgkg.exe"

C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe

"C:\ProgramData\ZEEkIUEw\MwkEwYMo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgAMkMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmUEMksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOIAgIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqwMwogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\COYMwcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOsYEoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEgAcMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaMkYAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMEooUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWAEAIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMwwYskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkAsgocI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmYMQUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkoIwccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycsYAEsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MckYocIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMQYkYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQskEcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEYwsswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcEMIIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hisoMkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkEYUwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWMcEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIAYMAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOYckEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYogIYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FycwIosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwksIAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqQwUwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmgQIcgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\osMkccsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwsUIsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOgYkYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaUoEkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xQowYMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2089044808624891229-101608699522611638-5065813581524281281278221420-1041939983"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCoscAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RyAQMMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwswUooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUsgcQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1706217001-410527333-115893158-1208604595137520514-961840061-1894422437976166444"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkUUsUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASAAckoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIMsAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7682095171800466318-86348262-1490769997-917876612-1443762089-312032531672737632"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2047394265172089962275746143890913207-1303681359286561942124493825374613304"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiAQcIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYkQgkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\foAIEMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogwMMIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMcsEscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyQUEQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6922323511963032092711334643-176801489113260018943092825951848929-270080740"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOwEEMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "555359331928007242-15361886448232186821160271609-712150563813248503-1923581963"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqcIwUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmYAQYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkIYEUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "880484740-999056844629051268-3943819707454871871634564016-1813183613-93027008"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIQwIUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "699658129-1317269949-506264212350837382-834346933-86376069114514688651761173995"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuUkAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-156901242434308679-991843576-1478371928-1160923810-1759679295137454970277770413"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1827022792752768908-917765500-70104922-1840492179-363942183-909441982-872109985"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQgEkUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCIcAYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1629975553181318446-961041315-6012566591143947397-540051193-159979291729362708"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\osIQsAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYkckAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwskocMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMQMAAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCcoEIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2980-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\GYsYQMgI\LYoYIgkg.exe

MD5 abfe50060b3d9a17b8ea5396db2aeb6a
SHA1 d783f0817f48da32c5d3ee7d5bbc0971ba394471
SHA256 66df5ca881cbbc62c9121a18343b5d6260453b156e033ede57a5f9793cd6ddc2
SHA512 1c7df668058d5e8463533e9aede7755f7b8002dbc6eeea1fb72a344292bfc221c5869f069d6ff09c6d2a84275d6463ca508490ffc12b020a30252b2490926262

memory/2980-5-0x0000000001BF0000-0x0000000001C0D000-memory.dmp

\ProgramData\ZEEkIUEw\MwkEwYMo.exe

MD5 1f2c1f536d027950876668986d7dfc7a
SHA1 590ffab3eb7ec8d299dc829f3df4c2d25cebb6b3
SHA256 b342b204a66fb7b07a38f0a49fb60da2820253a8e81f46864edf249ae27a6e6a
SHA512 34290c30bb7ba5ccae8a7e03ef3c425ff9ba2dc9cacc7080449e64fb27753b6c257cd830ac0011f3f4a5615fee426c129a50d2bf04ee2cce397cd832fb1e2a91

memory/2716-29-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2980-28-0x0000000001BF0000-0x0000000001C0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VsQcIcMM.bat

MD5 4d9b7f3258ca69f2840010d659eba999
SHA1 fbdbd005d36d579748ac451e61eab7ca9d95de7e
SHA256 9a6e8d36d69e2056860c35f5632e633e2bd14cb9f94c80b82fd34b60567bcf43
SHA512 a955d595c6ea2ff89b03d8e9a91ab8c0caa48408559c631a64627414612aad4104ecee065b5b5dddfd6ebb95faa5b59d024bf9d56536ae5a7620254d096c1308

memory/2668-30-0x0000000000280000-0x00000000002A0000-memory.dmp

memory/2668-31-0x0000000000280000-0x00000000002A0000-memory.dmp

memory/2980-40-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dgAMkMIE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\jOYgYcEQ.bat

MD5 348fd3d97c3ce553267c54dbbbfe69e8
SHA1 f42095c9e7692eb19e52a87a8d542c7d87a8fb0a
SHA256 218fc24a303b789805277fcdfa427d4e79c7f9eb6cb9e806fc28f50cdaf00a26
SHA512 f05f5eb569bbf0609fcab1a7bbd40b45ab5db1e55141223910111bcc64b9543e3f9322703df65a045b8dd83dcd0df44afe039e9ef1e3bf1a2b28d13a63a157a3

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

MD5 d7ee4543371744836d520e0ce24a9ee6
SHA1 a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512 e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

memory/2828-53-0x0000000000270000-0x0000000000290000-memory.dmp

memory/2852-55-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2828-54-0x0000000000270000-0x0000000000290000-memory.dmp

memory/2764-64-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\paYoEgsA.bat

MD5 45b98d325ca5df369950a2132b7432cd
SHA1 1e91513526945c6ae184f3d02b975f1b0709515a
SHA256 581990fa87986fff2e5f717d2d1ee8e537a423d0092e64c20be7987e14000b5d
SHA512 3b8cfa0e4342e2a1ca207706c18c883e251f904f34b6ae5a8dfeee7f32cdc950e4461bc7df467fd548143bf93eb44858ed21ea7cf46cee3759891348b4705c40

memory/1452-77-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2852-86-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XcEMgskw.bat

MD5 3f5207a99d4180bf851e16708af084f4
SHA1 b9ff2f78006ea8887aa47f1245a9513c95a1367d
SHA256 8d71fad2fcc20902e7287d47f887f0fe4d53d6ea011cf207d3ac852f3658df60
SHA512 9526e30d68894fb8682cfc2ebb092499968b2ae2be83cda29d401f8f7222f16dafbf91b3d349d60ae4197f346fe3e765e87bc4cee7c2376f2f0f63028664872a

memory/1048-100-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2344-99-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/1452-109-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omwAsAsY.bat

MD5 54e742992a444b3f393e65d919b3d43c
SHA1 1922396e7af92691c3eb0efe7a2c11d89656e165
SHA256 7e3cc382309a6f7c6cefe1188c071f68b7f354a243963c3e8ffe1335bccf94ba
SHA512 5a7f51165b49918103364fb740fc763085c2d4a15558b4bb86724f5434400ee1c9168bf4066b7be15d8809ced9ec94cb990b125b53561ed8c8e1b0f3752fe2bc

memory/1556-123-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2204-122-0x0000000000160000-0x0000000000180000-memory.dmp

memory/1048-132-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIYkQIYk.bat

MD5 8139fc1369789b7a4593321422a39ba5
SHA1 fe4925f1afb6c4ac02eea4ed5ebdbec636dff604
SHA256 8c3a23848f76ae554b47ddd51c35d3f42917b9d68761bb041aea11ed5e58df5c
SHA512 6fa15a9cc15a35e47acfc7efa0190d1896751169b24e558cae377077dc068a51f36f5bfd33a48e1e59ef2ff831b100a45c631f702035fe728ad4ac36b2413471

memory/2168-145-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2168-146-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1604-148-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1556-156-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AeIkcUYo.bat

MD5 85ba2878c05047a79a81efa02573b369
SHA1 91d24312c2f840a37ebc94719c071d17841a6a9a
SHA256 9366b5af3a4245c15e165d1f3e4ea938d716fb98696d3c8932096ef038a21cb4
SHA512 3eb24d759cbcfd26cf730bfca73c64cda510844c8032ec8570ef04dfd68cea76310fe658262130a56e5c4c25597c7c7efde8af978b4eccb7ee1278ac5ac40101

memory/2960-169-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1604-178-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qcMwkggE.bat

MD5 aff8fdd0632bf07210dbbcb623bbc0b4
SHA1 4bfeb07ce5b50ad6ed441920bf4a38677b683d76
SHA256 217c10e86e450d289f2538bcda5cb2ac9f8004e4547bec933828c9f6624a76ce
SHA512 2f396ff7f0a32e30a48f3b48d14c95f58852a16c261229dfc254540beac4e25ed01cbf9677d244a6d33f07c358b34b1ba6b3dbfd526ffcb201d8e1d8f56ccf60

memory/264-193-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2972-192-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2972-191-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2960-202-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwYsQgMU.bat

MD5 ff67a1152603eb247d22fc3df270d581
SHA1 737b0d8c67abcd835e006d6dccb4257756271ac9
SHA256 3e9b62a1dfd7f557a999088b1f8b973db39f48f40863f7265b05f53fd5595995
SHA512 e5866841c77d553358f6f428e0a6df33088b4450fdb5968addfb5ab4daff9c98010d94ed77ed35d680c701ccdffef7c0dbf785aa8075b92fa595adc7c1266947

memory/2908-216-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2908-215-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/264-225-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hCAgAoQs.bat

MD5 cfb48d7d38ba053a34073e9d9d522025
SHA1 80857c9330c96aaa002992ed4feb72dda9aa232a
SHA256 57d2821c1489f86626fd5b3b4be46dea457c826949539de9ccb928dcf40f0ee3
SHA512 9b9ff8ec29f96ef330ff9cc9a6560ebb275dd04f923224b8c502032a1ff960f1299dbda82ba0824c660ddbad08f469396bc785a97e9e7babf734a45c751d18ca

memory/444-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/444-238-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3068-248-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jcAkIQgA.bat

MD5 6cd8c0381a08c955912235c4c1d9d1f0
SHA1 74ca65f69e9975af12765f3ce5738c6e79cdf6ac
SHA256 bbf88966c93ebbf2834436e9714fced1fe71df43d601e285a7a257271823fbb7
SHA512 ee1c7c5fcea984c25808c1ee7eeb0f8d4adb1c7ef9e37b3f773b418d85b9c32b006be13a359370d3a2ec4a7976bea7d48c4d820ad906f04012b31f5484203eec

memory/308-262-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/308-261-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/1856-263-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1504-272-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HiAkEAQw.bat

MD5 acd91723cf33db5d931573b20a29c9c7
SHA1 65934ee6bb13b6dc5944a46bb97824969ab7d1d1
SHA256 f4032f8c721206ac5cae99dfef7a464237e4f9bb56d14801ab0a2137b50910f4
SHA512 29786989df8502dd153fdf5a8a9b698c17ed19742f4ea4786d43a28e2ed4a4e7db672870b61dc1b1aa8f89b5f0ee3e90ab9bc7acbd023488aee2a65ec828997f

memory/1712-287-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3060-286-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3060-285-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1856-296-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JuIwwUkU.bat

MD5 937cb6b18aac11105a54a02d30cd5449
SHA1 4cf000e2b8b5d90fbe08a3b4beb211ceff16f0c6
SHA256 10033414238884c4a5ffc96b10796a8cd9149e835e33f2b42980b112925a6f89
SHA512 8bf3f2383fdf1d9c62aaacbd18719e91e0b15628377f90f753cca38625a4d5038d93cba69b5b8f4b876af50d292dc7ce1b0b6e806ab96df13cd3cea00e246613

memory/2756-311-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2820-310-0x0000000000270000-0x0000000000290000-memory.dmp

memory/2820-309-0x0000000000270000-0x0000000000290000-memory.dmp

memory/1712-320-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IqcUEIQM.bat

MD5 fdcfcce922e2acf18dfaf5da5683c809
SHA1 da965aea2def2d36570a4231d61c77b17a37d359
SHA256 5d1138b766692be0cebf0e2e5abc8455634aceac60e7702f2eb9e574d15044e4
SHA512 15c898e39e097126c8c78678ef17eba49059089966319f973d635ac1850f737abf1014b030305a32285b1ea5839051b57143a4c1f9aca9ce733d9e23fbc43285

memory/2220-335-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1296-334-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/1296-333-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2756-344-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wgMggkMk.bat

MD5 8f78da1f0b4f7d774af0aa0108920a85
SHA1 2c9843dd519e9095bb8103b48ce57386f02f26b2
SHA256 03e9c72cd957b931ff82ddff2b8c4585ce6124596a9c40aab367978e39499dc6
SHA512 1bb4c8261f7e20f00a6192efae6d69b9c9764db654ffea98655a444af77df915064a815c8dc7e0f2133478a3c88800d106071bafc20efa931cf0e16e09bfc799

memory/2272-359-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2116-358-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2116-357-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2220-368-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\amsYAgoU.bat

MD5 61b2d5839bf2b16ff5dc18727e56ac68
SHA1 a3081c024cf72edd238b806b2fe18c7a01aa61d0
SHA256 d58b1e053643fc38727f9de122aa2bce2fe419dcd09187df2b721d80fcff2947
SHA512 8d93977108dd8e963cdcc746a9d67059f7b0d82a9d0c1c7d8daeb7207080d7840a7f1f4c52299bee048b86f366dd695e0c36b37ec72a1e7cbd35cd73d8f3bae2

memory/572-383-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-382-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2284-381-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2272-392-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cYoUMkEI.bat

MD5 043bef02fe06a3c464ad1aaec3d7e970
SHA1 371adf21df1b71ffc2d8006ba71891b1838bd05e
SHA256 3621033e6ff4a6e0b833bcb51136d6d7e86305cee52b4dda346a61bc22e4f31c
SHA512 2266fc5da453364160db02f5cd652caf4847d095a02c5545c32ce0132a9c0d10aebe7bb9788db3a436ba62d9d29715eb58fa5632aa8285a13197fa08e3a5e4c0

memory/2360-406-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2092-405-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/572-415-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EwMcEoAc.bat

MD5 87873def5754637eb9bf18663db05db1
SHA1 abc41894e1cdbb090358aea80fae39744b29b64c
SHA256 2bf5ca0077d8c6eb0c225140d82ae21ec9aeacedab0a62ad182a3c4a2d5b2f72
SHA512 4f291d3b0cef8ba70d96c10917abcc299896b784344b6302f6358eb4030a35b0511d722cc9caf7b1b6c2a276ec1b0c63c09966687e366395736f35cfd5a5f4d2

memory/2640-430-0x0000000000400000-0x0000000000420000-memory.dmp

memory/704-429-0x0000000000400000-0x0000000000420000-memory.dmp

memory/704-428-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2360-439-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rikkksEg.bat

MD5 0449f0635f582d3b32fd327b474b53f7
SHA1 5d52016923d612bf11177af105ceafa17c46d2ca
SHA256 f46f87513acf0f427866d4be335db976f5bc64b40e05a68a395648f747b2086f
SHA512 09c3753efe6c751e37c29f1807a62630e2f0df74a0d0aa9df27eb557fe4aadd126180fb64dfdb66943c28d43711c58f5de64e39a12aebb7c59c66dce6db8d806

memory/480-452-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2596-451-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2640-461-0x0000000000400000-0x0000000000420000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\KwIi.exe

MD5 3405a562714b5d407a7b77510b338ad6
SHA1 e8167bbe2bdd4ded6128e725f71bca2dda736077
SHA256 d88fe887e704fa51caf4042865afead01f3f08e12174a6bd1827d0de4d7815cf
SHA512 6dc470ae9fbee3f92e20d8d28e3b105fbb324b150cc743fea521e5a05ea1db3f363b70c79ba37931c661e942283980bc058a4a0a729b1dbb01b9f6a0508d7a3a

C:\Users\Admin\AppData\Local\Temp\NAsgswUQ.bat

MD5 80db7e3bf2f02c87c045824ec6e7f305
SHA1 e491952d23d5b53fad7cff4cdbe0e88b93a1181c
SHA256 e5b28337ba88e6818edeed23de90394142ffaac22029ec80f64bc10eefc25cb8
SHA512 47e8c7005a7262d11c8464b4b7c0f493fdfe90b7759c9d839f00dd045f50e59e039c182b8ec80765ab05f5905c57181b3fadad03197e1b37e30611ca78cdb16f

memory/1812-490-0x0000000000170000-0x0000000000190000-memory.dmp

memory/1828-491-0x0000000000400000-0x0000000000420000-memory.dmp

memory/480-500-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mkgi.exe

MD5 568f6098ae35f52460c3c52a4d28e433
SHA1 80049300795e3a3e5272618ef2180e29425e11a3
SHA256 e1ea6bc12ad742fadbaa2553495d9f0c5bc6fe680fb9e2ebf67e526e186f3571
SHA512 2c98235b8a63ce4ba7f4df6f967caaeffb3956e16d7f2ec89e48a67ccb791f768944875f6a863f3597beda71d33b5320d92fb3bebbdd2850a81cff7231599019

C:\Users\Admin\AppData\Local\Temp\cMMo.exe

MD5 a8c5a3bbddeb9d68393fa329f8f2f900
SHA1 62d4543cc2a021ed55b399a572c4fe0c793611e0
SHA256 ddc8ab1dfdad3bb2c2ddf86837475f6f343a80ebc3b280ebccd869b2540047e9
SHA512 5d23b87261ae1b79f3525f58b023bbe762e4756c41f376ba83724d41c21633b3a84d38fa6c164d02d65e35f4e37fd68d18fddb8e367d63af9022923fd2c95097

C:\Users\Admin\AppData\Local\Temp\MMUY.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\cYgU.exe

MD5 69760fa8a4d9385a12fac37d15952c6c
SHA1 aed9f78f10b8cf2e9c1fa40135e28a2e421cbb75
SHA256 4ad80198c229b61df56f4acc4b3714c1da35e57f05d4c57e01039945db3838f5
SHA512 fc4443c5f297c3f6842d77543047f9109ee60981ebf6eab58ed9803ab8cc96e6c1fd514570d4a967782320f06e635a3c5098ea5c07709ee0f15d57ce88dd18b9

C:\Users\Admin\AppData\Local\Temp\BmsowAwc.bat

MD5 0398b1722ad41355ca80201c8e8cdfb3
SHA1 830b3dd0ee3535d538e204982eb4212319534be3
SHA256 ff692f616ba46fa268707c94c1f6e050c81e7ab9d09093d0902c06940c71e4e2
SHA512 e86e65e7199347eba84715ece958e82a430df8a64cf8ef24bc7d6fe90c07cf7c8b45106df74602449481dcb212cbf54e77c1a02915a14ef1a69a83bf36a4082e

memory/1864-549-0x0000000000160000-0x0000000000180000-memory.dmp

memory/1828-558-0x0000000000400000-0x0000000000420000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 cddc277b9483d6e043fe9a0b3f61716b
SHA1 9f21bfda1f8e5294e0c417acc3c4d9555a8367ee
SHA256 7998bebf5597da05d7e6ae6e5ba58e5f77f8e64aaceb2467f990983b33100460
SHA512 d7a7d812564822aafa5eee44e0c80e64fdf4964d454797ae3a03f9c5afbde30c12473b67782358ae4ba490f12f3f5c9b6cc0b1291e8cfa3a6bfd5f174c562cfe

C:\Users\Admin\AppData\Local\Temp\Akgu.exe

MD5 1ef9b41ff245856d645ce6c14749ec5a
SHA1 dec0d375ca1a7bca70bea6c4466be4bdb80f36fb
SHA256 a8e211d53d06892b6345cd50ed9f4d663fa7b637f75cee2490bb616d1c4e7f5c
SHA512 26282772c846e6a27b1624ac7380d3900525c34d34b39328bd0ac5f203d1f2e8bc9b375946b74451df60c8cca1d3ea022939e046b05f8c99ebf30b904eb4f83f

C:\Users\Admin\AppData\Local\Temp\POQUUsgE.bat

MD5 1030de0807eb637afbd1c4fcdd027b9b
SHA1 462444f57788b44d55283520aa0fe93ca4860440
SHA256 66fa1a135d4e50b0e30ed13ba1246b3bdbc9f731f446f00ef3b16dadaf7d5eab
SHA512 38cab0a6103daccb4375bd2035503d13188f39b2e20625bce32f53c1753eef852ef0814e2343a33bbeed911ad0454b871072a41e67a402e5594262fc9f012c04

memory/2600-621-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2796-620-0x0000000000260000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgoA.exe

MD5 91fd70770ec32e56a164440a619d2fea
SHA1 4d3b9dbb168182e2912749499eac9fe442edef08
SHA256 498e00886872f95769f2b484b16956e09ad5a3a7daae671a9985ad43d7965bd1
SHA512 69571e884adbc839b2f9fbbedff1e17971acea32882d618cfd11de588f114edf4b18003cf588ab7e52d91b47ead5aa86590a62d394487758ca5bbf42e043d9f3

memory/2796-619-0x0000000000260000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAcu.exe

MD5 dae0fa24c3336dd1c112a7375aca25d7
SHA1 3868ac1e179d57169bd90c533f8150538f38be13
SHA256 23f956de4a193f0699b08050478d32d3c491413154b7d093a502c41f5ce5c3db
SHA512 c39b2b99515394289535ab40f564b1136113e1b34eb90a61ec80a0e2cfdf6f1014be2578a3874ffd3394ea9314ab6a1d9d0e0880ea7390257fa6810eee69f2d1

memory/2368-643-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEAS.exe

MD5 a6bf77dcee5066939020ed7b72a0ca8d
SHA1 ededd1d128882e18e0fd66762599d4e621925107
SHA256 b61e6f2806d6f8b4cd522455236c982070d7b60fb3da7ecefd1b6a7eae2f0450
SHA512 12e70d30f311255337a4c615be35065f6ceb0e64c09ce982bd32505c5c0d8007662b1aa22365d6a8e35000373f5dfb92e225af99b54ec911d1c9279384e800b8

C:\Users\Admin\AppData\Local\Temp\YsIY.exe

MD5 aa85ebb17a280461d4961ca745836ac3
SHA1 8505ab135c42a516245ef4910d6b0534674383ed
SHA256 f1777301cdcecd294b18482df5843308de04ad60173b4e58d9054bf7f8a61516
SHA512 3f1b342bd1528e72105debb57d4dc951b592715c8b26413bbbbbaa542945471454fc92e08b4c8087cbd211dd34401e4c6c5124c6e45444c15d439e6909b2e71d

C:\Users\Admin\AppData\Local\Temp\KcMw.exe

MD5 bf3b537e88eec3e4673c9cab46a2399e
SHA1 7d8bc947d9e8a2ced304895fd2124adcdb54ee0a
SHA256 12e0f3ba7ff8ea5c4feae97b4af63ee8234aeba9655e85d8b0d86fef65f5a97a
SHA512 d8e3ddbe557a2cee9a0bc37d72d879d0b36662f151f772ea911574bf5185073d96623b1a85ddaa0c5d79efe3cca9fe2f87b7d08d54eca6ad2ee8011e36901e50

C:\Users\Admin\AppData\Local\Temp\mSwAEEoM.bat

MD5 bab9f021dbfa2624c701b50f12f841a1
SHA1 c0ab357709ffa5a41e332e0ba2d2c5e6d6fa40f7
SHA256 6b529bf01c1061a9be692eec5c9f5a30f8b1d372a204601b8a3b1f34df73ec73
SHA512 e86fdf748669b42aeec0aacdf44e8d65ca2fcc467a60ae249b94e2b5b5b7c74482ef812c3d00dba7e9828b58a5ee6efcfdfcd16bd294c848633a3e818bfcf10d

memory/2128-692-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsQE.exe

MD5 f342402eec397e418a7c2e3ccbc70f21
SHA1 0f027c8c566b43035cfc7703a8dcfd00ae8e9341
SHA256 00d93d776f3574b46b27769b67160a2f62213a483bcc22ffb5ddc22d5830d6af
SHA512 c7f30288200d093f547f394881a49f1bb78d68a2a2e466f5d72e0277364c8ba141dca7e89ea711c3c06a3c6f68939c588e25edb91a3b3834a83dcea0b2a0e4b0

memory/2600-715-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2128-693-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kMYc.exe

MD5 5b2ec19588169905efe629e26d6de9de
SHA1 2489d1bc54a3d80460f6cfb69a578024799461ce
SHA256 0d9467983d47bd26353aa20b8ee8b945da7f633c68357944a8a93c6a8f8aa746
SHA512 4b9b67b05b23044f6f4e43e7da19039a19c3d0180dd3e8e4fe291328297daa969dfb2053fd72c04a74994776d98f7fbf464ff049cd3162946823b24645c3935b

C:\Users\Admin\AppData\Local\Temp\YIIs.exe

MD5 e48a7d8be3cea22568fd63ad59707c64
SHA1 3972305279c1beb161eaaa92710acbf157197ae3
SHA256 b86b96e6f2acdeb02b310193683d0a24eba65846eb75abf3ae30cd0bb1169602
SHA512 44709085d81aad0de0f2cb47eae976c866e80916aa5539218f23a95c10dc87952b027a3e0a6ebc90875012b2c9db5257c507f90e5c4e20c48c15a598e1844a06

C:\Users\Admin\AppData\Local\Temp\KcYe.exe

MD5 86397c6faae0c54b59f0375d4a6deb2e
SHA1 be9f0241549a0b0df6bad00267630cb7ff30351b
SHA256 c393b4a2caae99b6da0042ba57cc005cebee33918bd8b3406f20a9aa02e80ee9
SHA512 44e5364d9fb1badc480b388470fd199ccc88a50e04186f1fa47c7e864d00d0d3c7b3b12eb776a062290113e9ab22d03026e5bcc0be186c2f9b88348d76d8e268

C:\Users\Admin\AppData\Local\Temp\sIgc.exe

MD5 5d6edbf1735f6a860082aebca6553048
SHA1 70a3761cf4ba0032b591348a557eab02874280c3
SHA256 c74342f7c15937b266f8d5dc7eaf9525885ba712049a71914c9aceef3f5ce7c4
SHA512 a434452e4a1d90ebb2ed13a5aac5ea7cce02fa4aa2a68ab16a20b696bfa9e999e5df0105b7a0b0c05f9d3af6d3b0e98c7fecccdd0e4c3732558d1345a88962bd

C:\Users\Admin\AppData\Local\Temp\owUgsswU.bat

MD5 889b7524fab6adda52cec07ec1fd26f6
SHA1 5efca5dd1fc098fd64ff539e402179f3c4ad9895
SHA256 7e9cdc576e5bcaa8f1825a82553ecad274c7035aa54b252601bd9b5ec3bb9cd4
SHA512 3d836a3612ae227b237314bb877a2b4d2a6fcacb2cc7e01eaa3ac518155df6b2d0bc2baeba9cda4802d34b2a71522b1ffeac4742ea4e51fcd6f83590065677c4

memory/956-779-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2900-778-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2900-777-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/3056-788-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IYcq.exe

MD5 56089e9b10668cf1b4fedb3987d71ec8
SHA1 4e0de3723637728a63ae60b9d22c4b68fed97661
SHA256 e1bda394f13d7779e4c151e90281a322e2cdee3883f0e158d704590361450fb9
SHA512 9696ae72b23766ecce0a950bdec609902eae68223fea017a70fd4d306754fc3a029a49deeb1bd1bba6217315e87c0e00f7d02312ed6cdafaee7b6fa83a63fa7d

C:\Users\Admin\AppData\Local\Temp\uwcw.exe

MD5 1c457ed803dc2312cb2cf0b2dc3cd526
SHA1 c5cb0c0b81cd09b36d94c4be3fcd8baa1ea24664
SHA256 ce8830fb5a6068f5a85ef770c272312044e2e00cbc16b6ad065209aa7afacf66
SHA512 22809e3e9c5a2ebcc9984ad2f2691a0edbf269da9dd282686c268cc1939ebfb416ec15dc565880a53f5106fa6ecfe5e10ad3f8e9f4658442b106899d4f31b79b

C:\Users\Admin\AppData\Local\Temp\kQAG.exe

MD5 7021f4147ae3b5ddd45a16d907db32b9
SHA1 f0d92980e61d8fb1b200a826622db0e326f984c0
SHA256 e52ddaca753f1e0a336bacfbe294ca37820dd876bcb036378463de975032a291
SHA512 ee1b0774e379a371b0b02fb48a5c095239798253c281029d12674e1e0c83e3e9193d48e6fa394ce656faf816e4d3da04cb850cfe2bab1cae9a8de22fbd22a43b

C:\Users\Admin\AppData\Local\Temp\wMgq.exe

MD5 e8b494688cb75c0af61236b069c81c6a
SHA1 58314574b2f898c2fb68bb2eff8c076a6d794019
SHA256 cefbe886f3f0ab66095aeb7c998d382717245653d96043d0426c3cadad8b03a1
SHA512 7c0205bf888ed305169498e5ad82256c0aaffc3b8a85bf7bade7f17dec7be885b57a3bc033c7e83947053f98daf8faaef6de291952b41f97480ef019182c20d9

C:\Users\Admin\AppData\Local\Temp\awEkwEAE.bat

MD5 1bd659554880aefb596bd5f6230630f6
SHA1 d5baf7910b5ccac5a7d3c85cca9bf0d9495a3659
SHA256 b59889e0ccd1495b9a851601ce60e5ea4a94b0401ee1b7aba2a355e8012d257c
SHA512 feb11eadbd8f29b0227d7798a406481d10bd6c21440853d1f29a856b8e2ccad89d5ca5d8d38673d31dbe5758f21b45af35d2bfebaa51cb2cb2845aee93b11f55

memory/2624-877-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\esUk.exe

MD5 6c9d902abc7de63bd07cc7e12f7d0de2
SHA1 1e4f2187cb7cd21d1087d222bb90c3a258904bce
SHA256 13c5d8f73998ceefa428021b2b31149f631c313d1fc683bb9192a4fec932b5c0
SHA512 9c67e2cc84525bbba17afef5e379e95ed80b4fbd985dc9688314e3acf6ea595a0f344662b4a1029e2ffc05976dcea1d89a7707bbb1e7e885f92663bbe662f355

memory/1744-863-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1744-862-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kYEA.exe

MD5 f8703e606912b49e07c4bb72de671a73
SHA1 f35256ab501f875b35cc74fdb8ffe1da699c4ca7
SHA256 bd3eb51d62d2ae8625b9bb7787159451320222bdf97658eaeca0f01404f6a41a
SHA512 4091259dc9c0fe5d60751fb09acddf1f04beeeef039cced9ff23d481c41fcbfcfa9e8639193bcac42bf9b14e7076f630fb034886854f0885c7ab84d52d2e45e6

memory/956-899-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agog.exe

MD5 38311a6eb453630254f6607a62470ac0
SHA1 e8d36fef7094efc2ced7eb517d7ef07d5978717f
SHA256 8d6f67ec301c8e9c6d67389c9cad3e2b8aee664e8d1e7566d246203c7cb1f556
SHA512 209abb602439ab252c38f902164c20fb5f62382540643f35daf1cb213af3b6e51c72f97c8bb3b281f8bb464739234450c706fe66589459639c2ab0cc6a535f46

C:\Users\Admin\AppData\Local\Temp\WgsG.exe

MD5 631e403e698391d4f0d2b5742799393e
SHA1 b39243d25d61e4e66a08e9ddeb771f9c367f3edf
SHA256 f810740d10448edd238824a565c950df3af4ea6f20580a0c2ddd08ae453d2c65
SHA512 dbd68ad2508ad4e9610fe40e2592a157a7d42ef40ccad38678e247bc276309df202b2111f52c7ec841836d447dcf2ce61dd49d21e5d2327a98c5f4eca8113d13

C:\Users\Admin\AppData\Local\Temp\mKEYsEIc.bat

MD5 635ac9aa3390bb0c34e8153275be2e7d
SHA1 76ba63bf297eca40e429a9b5c63c0424af04b3d2
SHA256 b2c117fbae8dc3f60ff689b4ee154145521d2c8496477bb164693a3ee737a662
SHA512 35129e0b72b8a9b10c27324689275c885e9b12079e238736669a43bb669b23526a4104439b878316a51c771794fddcf2a23e2540e130dcefa908829d9b1ec91a

memory/932-969-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2624-968-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cQkm.exe

MD5 de274d7d2c0b8f95bd03cafa9a0e0277
SHA1 9d0239642b4532e8b6aa26bc454a9e2fb68aaa65
SHA256 8536124180024d6a53ee96cc75bdb526a8f2b0faff1b0522d99a9b72a759e335
SHA512 fee7ab30310b070360fecd4b86d452db69c2e3324ebddf6b6bfb582f85ca387687d0b0f2aafc5179db7aa02ada0a6caa151ecac6f26616c7122f731908ff74e9

C:\Users\Admin\AppData\Local\Temp\uoUw.exe

MD5 4c4ab99458ced2bc25f76c551c6d7482
SHA1 0d1281c22f11567d2faecbf465f673ae0fc7671a
SHA256 06e74b0db7690b69425101ea4139021397acb184c50969227dddda5753e425af
SHA512 f349c2b3d9cdb4be9026a8ddea059cdeb65d56320b30ffa77e582c1c03c74ac34dda8bae5a6b78b06e1fc9b7428da1a54125576b2dceb14261c2f8a0e1217a4d

C:\Users\Admin\AppData\Local\Temp\iQQY.exe

MD5 4f4a23bf639f9d03f9878d72bda2c411
SHA1 24ed6b51f0055cc8fa80fbaf2a670b021bcd3f08
SHA256 f24182b1926c4bef19e2412d64813ad80419bcab6f8b741150414a755251686a
SHA512 6ac9f443da15f2149b24b2b813b5eb19f1d76d9828732a317b46174aa9179e371dea59db19ebb0a524465c62eadb2974b2af3796087153eb24810ba991f95de3

C:\Users\Admin\AppData\Local\Temp\IkcI.exe

MD5 2e8e5cb13e5bdbb3cb2ee551d671e75a
SHA1 2c99d7791ca4f8a221bbd03e1ac2c9bb08776503
SHA256 b9d84be42aeb485f77f8d06818be14d6b843d870871e4b5240c7f32ed63b0a92
SHA512 85438d085c70efbcf82d180eb2fa925e75203dc9b9049997ef27ebb8ef24a6c9a70120280b9490ed4c2c7debfea770c1c5f71c04afd39388f6c26a55dce845be

C:\Users\Admin\AppData\Local\Temp\UYkU.exe

MD5 b47deda3919e0c0b99fc46a4f0a7bdae
SHA1 2ca12293583b1b22325ff8ab21a16daa007be4f4
SHA256 0c81b7ebfb216aa5f6fb5a27316624c3b8955ecf730fb94f12c76974b6a845d8
SHA512 412bc86821636d74d153520801ef89e701707a3a6d2599e4ca6e3b7607f917f73258cd93ac379ba146ada4c2da5c3891984369b3b08f2af0080bb316f8d59902

C:\Users\Admin\AppData\Local\Temp\bwowwwkg.bat

MD5 a2a83356eeb91a81115f87fe31baff37
SHA1 fdb38c9d84a548e435d963fdedc26914e61d1476
SHA256 15cc1e5643c305177083295ad7096e43dceea50a0e8d95587cb91298cb56ff51
SHA512 90b41e032bef3c1a9d4557e13e825ca3d1248a60242711f729ea0774311ce7bad52cb103bea9bac789f9933df98894c5f23661513d6a9220989432491cdfdb47

C:\Users\Admin\AppData\Local\Temp\egce.exe

MD5 2477404c5b80428a0c28b9a0bbf72640
SHA1 f6baf30ead855700056220cece053e3efd6e514b
SHA256 5125e3c739e23713be567cfa1113ae8d1d57abffad367e8f54e20aa9ca1e6e95
SHA512 a8075197d97eeda2135f7e9396fbe0f76be658d508f1fb2eab9957b852f833fd59ab8e1ae81181d37de36c024c53315b47c23d1d688646f048e9b626be1cdd32

memory/308-1045-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-1044-0x00000000000B0000-0x00000000000D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MAYy.exe

MD5 6197218d36fbaddd243e0fafa3b2b4c4
SHA1 7932c3e1a2c9094bc4a7da5d62576d77b3e956c0
SHA256 a146c38a7aa1620b5ad6873270d096372e462559848ca460400f89fad76a44ab
SHA512 f281eab84494fda81fc20f12b181eaa1d33f402bf0def21d379a58215898bea4c95bef47df4e67dfaf84014c5a84e82c21403b1591c27f7de97a702aa5c4c11c

memory/932-1076-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YIIQ.exe

MD5 82d5d4a9a798d59dc2691d47e7f11d81
SHA1 effe0ee4602362dd278572b0dc9b5c3a3e4b5477
SHA256 2b0ae9f538ec7becd389a8389d380f7618648c1c0e7550a7b978979f73baee1e
SHA512 f5f73a84ec9ce0f38aab4989048b38052e4c0918aeb040397f7791cc8b02e247b4c8253b3db5568f5bed36fa238b123defd599bd08cacbf8a5a375a6455ad630

C:\Users\Admin\AppData\Local\Temp\KEoc.exe

MD5 2397253d88fdb445a88fa19d5563c7ed
SHA1 3350589d362409b2c590bc968c4b19d37884e312
SHA256 7bfa8eff74de2ebd2de15c14021f31592a8b7c478bf318789689e25c135264fc
SHA512 539694f90daba4c53b751affd45c3575a9a4e2afed59d228dc7b62ff3e40108818807966cc2cd7170326da8ae58d02a6405c0de9a2f4537aaab6511df916276f

C:\Users\Admin\AppData\Local\Temp\iEgC.exe

MD5 13cb9edda8df380229d695ab55bf67f3
SHA1 27439aaab53cd61e92a3d96509d278712e05c5f8
SHA256 1314e53e5b1261f5bbe39d86c9f80b08c2bfe40dd7c5dce8cc3a2c45058706fb
SHA512 a73367bea3c87c7ec157cc7a02cec83dfeb7573ba0bdcc1d27ccdf52a22ae4c7d1e3fbba233f853f372611056df663c87dc84c3a902992692d7991e6e15e08a2

C:\Users\Admin\AppData\Local\Temp\EMIS.exe

MD5 63b3fbecf76c12f374c39b93a77eeace
SHA1 1ea4fc88a5e6781b37f5e8f50ae3479cd0e0b3c5
SHA256 509b6c69ad5f8001e2cddcd9c4106ba2fd844fde905bc9177b3f69409ce2df1c
SHA512 0edf1c31eebf3481e2819e0c9835c09a32131ca78ca11ff2382e7744c689a51e86be82fe13422c76486da85bcd3afa2d5fed70edd9ee3f9325bd5afb615686f0

C:\Users\Admin\AppData\Local\Temp\UYIs.exe

MD5 9e069bdbdbd1ee618848c1a9ebc83ebe
SHA1 35fa22979cd133f0088f984d031033386a1d27dd
SHA256 f1a719b675c072ea6b8de7c438ab9efe796dac024052b9091f370fc866304f90
SHA512 786c56d29ebd146fe16c72905f1338c7d6dddfa1a0deeeeef38404dd9c190dcd8c7db2c694b84f1b9027df35e35b2b46569c81aa1f9370466fcd2e4f18e749f9

C:\Users\Admin\AppData\Local\Temp\iIwM.exe

MD5 80f0713e3fe54ebd036c14fb441c4ef1
SHA1 21062ca7ba0fae1f5e369b64fb1ec0db7ebe540c
SHA256 db88a808a670fc009b64afdb4091f4a018bef91a931b5c2925ee8a45d5b6f5cc
SHA512 93b78ad61db2745fcae14b846b662624bf9b4e518b701af91e8622bf77e768796912b4a71ee0613ab8e9843424f5a1ef6d533638cafc9efe2b81d5c4e955870a

C:\Users\Admin\AppData\Local\Temp\IkMo.exe

MD5 cff7275a37f78a2b842eafb1ed61103a
SHA1 b499aa8dde4921251f0b53a56f2e4ed552286b0e
SHA256 3ee68585e895fb1bdc79142a1b01ecd1b0e02b2d342bb6f4e4d5f4bcc8add88c
SHA512 41f003714bd5befc12352f4f6fe13ed93a70f277aebf8a8a7de2e45b3f7dbcf8868881a91f92b30b759a307233ec5c3f23be0f3372521d3bf1fce3ab738ff1bc

C:\Users\Admin\AppData\Local\Temp\JQgUQYcs.bat

MD5 d321148f7714c04d55d6b462eb76352d
SHA1 57f56aad54fcb8c4fb45cf0e9cc8b5473358597f
SHA256 7c1fb94ab9a9912ad22d8943caf1dc23c1c5949edcb5a1123f9e1806ad74eaf2
SHA512 15fad6131512c7a8884da86aa83de5aaee837400982e6fdbf44b586689c762fdb0ff37bec3ad503d79f10fa492e557805469083b5c6f2be648f9813c242453ef

memory/2508-1182-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2508-1181-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MgMa.exe

MD5 0a09813fad819aff43fae040c9f23d14
SHA1 789bd62598c686c4b90c060e1809eb3aa2757e70
SHA256 32dec941b622be7f723af80759d7389d093a7b36ff6da89983e82b9092a20dfb
SHA512 712df4cb40676a123f78b677814831d90a7f16219431d92518df5bf262b4ece9316b81cd60427f70879509f577c0d9881cbfd77b84d287a7aad108c7642548b2

C:\Users\Admin\AppData\Local\Temp\sEsY.exe

MD5 ed57a326b286254ed8ba6c37da703a45
SHA1 ff0e782fa771bb95a9bb444ddeabfb1b70bb7ced
SHA256 4db44d4670ec6c89f015a2109fd161879d18bba433df608bf23271d04fcef41a
SHA512 86ead42b979476a5f1878ecfc4d2dfe8a2dfeb9645d4bb2c6f52533795da02b33c0dd65beb176abf6ae0c2bbdbc7f4aa74791df2ac7fe33fc415d043e41b989b

C:\Users\Admin\AppData\Local\Temp\SgYQ.exe

MD5 09edef0dd2ce9f412e986b4786816520
SHA1 874ae6dd3a5d50d4e4887d4041367176e8b88f00
SHA256 428186f97c60d643b4d104c925e931e6bddf2a032227ed3e6441f3de0475f994
SHA512 384d25011c9b1ca4592567cec701cee4d2ec45a73db7a36fe1ef49dbc626edb950b9c91c8f7caf2e61a4d76314c1e73d86b81867821b89a65dfd2c574a945ccd

C:\Users\Admin\AppData\Local\Temp\EsIS.exe

MD5 06c7a220142f4c08ab88818d7bad945f
SHA1 1989fadfe28b478e2107f37de6bf2730d6335298
SHA256 f883017b49850f3eb6cf7025aac9862ff4e19f2872b1dff70344383029632d8e
SHA512 a4b6c5aad177c7fe0f7d0214e547a0044a2aa020ce39ff4c6a545f4ece2ae63fd398e8e756f39bc4cdc1abf0be04e2a611322528fabc9272eb6ea76d7ea16d35

C:\Users\Admin\AppData\Local\Temp\uIQM.exe

MD5 cc2de67ae695c2a4cd007affcb337e62
SHA1 133278140807eba9badf823d958bcb07a39e01b1
SHA256 986e235d6f0896d7b633d61e7a36d4114ac725087d26488e62dddb6bb60f3d26
SHA512 8d61a3f5ac243f4e45a4d4cfbce9cf72a3b31e87fc150a734304649485b8001a80ad3ac6bc24cda35807633216ac79b311781dd8790f3cbc9d8d202e86e6db06

C:\Users\Admin\AppData\Local\Temp\YkQS.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\wckQ.exe

MD5 1f21378a5084d0892e04aa9843621ef0
SHA1 c3324760d358bc13c34febffc0fb4b880c72a963
SHA256 651c8c91d5a3db433caede03f10a9b1eff523cc5a8decb5a81935474d3c81c45
SHA512 131fb6da91caa22c92a3b797ae784c8b6d2ff7851cab9d38d5ccef891ec5fdc0110bd9bbe76e7712c7501d92b453361acfa871dba823d0f81cff488aab239b0e

C:\Users\Admin\AppData\Local\Temp\ZqEcIEcE.bat

MD5 8213b2749333fe4b77e7a194f88e8abf
SHA1 aec7daf53add1d38d21527dcbee272ede3762cc4
SHA256 2b1f199e380cacb48d51786456138e1df5c938bfc83d77bf6e6bea9658dd7b08
SHA512 570c306fbb73f78e31e972c3bb68a6f4ef62a2e30564748470bbc19dd83e892b29acd53a344d971b97b0e3e5dccada0285626d4a17cc8452a0ca7d7cd12989d3

C:\Users\Admin\AppData\Local\Temp\Qgoc.exe

MD5 d68e15aa6ac3cf2e2a0c05a18176e8b7
SHA1 186c1f560264f9a4baa2af36fe015559cb2f24c7
SHA256 1df1bb197c307c6d42c7c0a42dccfe8a6e3fd2f13f3e5b60dd130afbc84e9f18
SHA512 3bfbd67d0370ccbd3a7c5496e31978636c41723d97f3e472f6e31996d038022b1a6a61b5569dfc09d28b79e10237931bb9bf7062ae9ed4e1645ff15a76f93efb

C:\Users\Admin\AppData\Local\Temp\gYgW.exe

MD5 222dd3b2e38eb3c270e29a2ad83f3301
SHA1 9d47bb0910450af7ce2b533e1c24e75f87618b07
SHA256 b75d218bebf824b516e9c1760edf47e17d71291b18a34455e7752e154b2a393b
SHA512 aa8b99155e53fd429c51e3eafa840d904b59d4db1b0564e466965b1524e8184d82fd748bc1597b56ec93b223d14242710ca419d4b9a19ac3b6f0a4c81d6a3866

C:\Users\Admin\AppData\Local\Temp\ggUs.exe

MD5 b1fb25518cfc02bd6fd954bd0ec80661
SHA1 03f54afa10ae21e7c1d8be396bc29816da0420bc
SHA256 13a69ede0189cb2199f4aaf3266eb58e588e11634b90135c45625cfe3cc3214d
SHA512 1fb0d4df882e6792de5aa04d940813477f37270c98efc6694db68cfee618dba5912801135e6ee59d36215babf5f347dfdc25aa3d3f0c41135efa46366b4065d1

C:\Users\Admin\AppData\Local\Temp\aAYe.exe

MD5 916f77d99fc9422c37de074bf5443933
SHA1 a2baf03af1d5864e2a0437f01434057ca30bb78e
SHA256 69262e0bf1ce497d9874fe0dffe53be068debcac63fe0509be654958c2187b2e
SHA512 4fa1af6fb6774e4594be27650ab1391640b8321c34a8cccc2e410cf672db1fe8c29e1a6bdc8d5bcfd29e0c78ac77998a265ccc4a09823324dc8879096c0ae069

C:\Users\Admin\AppData\Local\Temp\gkwI.exe

MD5 842df6abfbb5883f2d604ca0734a0ad3
SHA1 b7253680506f9029e62565db2c87d5b82322f5a1
SHA256 856b9d3218943aa3f850dd732228912bddd10a1913c3cc0f5d81fa50d81f059a
SHA512 9c4a9164ab50cfccf528e68cb6c8b8bcf27a152e1519a46518e931504ddcc37f7b68a95ce3850d3fedef32ef9b0a0aad0e48840b5e7ea57df673e12f99845640

C:\Users\Admin\AppData\Local\Temp\uMgG.exe

MD5 3e67ddc31648036a043d68b70715cb63
SHA1 6af645f50cc5534ae7147ddd925466e2e62cdf3f
SHA256 dc1a006181984a3cfbc261da6330ce86ed1dd06777d98bf98b192dc902941dda
SHA512 dc6642b68137b71d97ad1da988a90cdfa7fbd935a60046d7cc533cfa6d8d9eb0fad384a91046de4f2c13c787fbb7b5a1c4ad518a78745e08876f54f7c6105beb

C:\Users\Admin\AppData\Local\Temp\NcoUUYYo.bat

MD5 20c28bc97381d28f316d45f384998b2b
SHA1 2654f78b4a153ada5e603cdbb3c4eb7e4e72c818
SHA256 bbab8ad3ebde82f08898643e5fc4e63f4e545289fc03e0bb27dad2abbc23c8ea
SHA512 f183a84de5e98a6dd21a1fcc890d0474bfbcd80512016377bc5cb0bf191c165abcdccad1de7328363cc2063cbfa27033064f557368a1a66f4e3db1273b68e94f

C:\Users\Admin\AppData\Local\Temp\QUAa.exe

MD5 8fad27182dde99a419c4c27d465fde1e
SHA1 902f592175ddd956c23adeb08684924318fb4e72
SHA256 055dcc068b4276e7b51e3331993247d98a137ce076f2fbaa535fdb20627b344e
SHA512 3ee559902cfa63878f3165c1b2b17ba4535d25bf6818518f8767c5b7d0f8d4de9a6c0bf6639737ff5ac777622854a41d3145744247c06a5894311033defcf8f9

C:\Users\Admin\AppData\Local\Temp\Wwki.exe

MD5 126266155615b0d14f9f4a85ef13253f
SHA1 3f857e13feadc170db0f0c79ee084e88e0e09e1c
SHA256 0a9e73ebde6d45d757fb3af6be8b96057980613e4e5638ffe17a78681bb922bb
SHA512 d86c32ec658e18573ccdd19fc174e201972cf853e4aca043f2a7a789a0c56c5a223d2ef32186804c2ca3f8026751d2e88d192b80ba450997fc44966105584ee7

C:\Users\Admin\AppData\Local\Temp\moAm.exe

MD5 e8ee8125d181487a71edd880ccc5b26c
SHA1 5130d6a3e8c87b87ab0f69ab863edcdd615324d8
SHA256 a861b7372f061b46a0f3204ac0efab2a70b367030bea11590c98eabf3ce8d91c
SHA512 ba47ae3fbffb3b9572dcfcb84ff29ac37523e9c2e840c83fc58b041fab680127cf8eb60a961f3ca28cd29e930b8ed24dc4dcca901b7443c24088bc59c59626ac

C:\Users\Admin\AppData\Local\Temp\WwgY.exe

MD5 93a4207eec622e8989ea21af4e1f5d99
SHA1 c0c2a326b97c1c4aea88e7d3d015a1cba5bde08a
SHA256 a48c21f09635a21262205f3be22dd92b5537cc433b82ed58d239469c6c7cdf75
SHA512 443dfbebeee33da25059ae5d8b55ac2e272884b7b3c1c9841468e2c7d77f21313c98792946b30616705fbc6e50d94953691df0a7c6f7c62b2622cc898828123c

C:\Users\Admin\AppData\Local\Temp\oYoO.exe

MD5 98a42b3344d177d6acb18cd50678d0ab
SHA1 b81881eca2f9abf544f7968bd4ad994c4deeee30
SHA256 b3c6a439a3a0841a85799479293d0a1cfe369fee65e976176cc1ec25b8780388
SHA512 b6b8ad70bfb92d01ecd774ed1a179d2e59ca26aaf6812375ea35515495b9952c6de0a68a1bd16227ae7cac554e37e5c71731816c0fc82b9b1b6b3f9c3a14756c

C:\Users\Admin\AppData\Local\Temp\ocYMEYUA.bat

MD5 135fb81b534cbcaaa5319535985e07f0
SHA1 e3dda16ba3e8a935d8bf4b48983fa1c4b6d1dd6c
SHA256 fb0c1e88e77e0fd1f6b13ea7046b653ddc905bca7deb06a2276739ecfbfb8788
SHA512 b9fe1f6ce7c90c17bf197533bd33204cd91a56e3a9ba958e04db09e00f6f96fec7268e3a73e0643b4b2db4d9499b74e0ab5ff6a60afdb14d68e8707b7556dac1

C:\Users\Admin\AppData\Local\Temp\iIIE.exe

MD5 6b3919d078d3e1f7c36bc921ba1fde7a
SHA1 f8aae035809a250f795c47183578f27df837cba2
SHA256 9705bb58cbd64aab641707d0a68acaf19680b8d1dbe7333ab32174aaafd942c9
SHA512 738f978d783e1427bfa566d935092b64689bd0f4165aace87109cf8f85eef60dc6ee172c7836d7496d426adbcc62da601ba062822962b1045c423e7fa90f26a9

C:\Users\Admin\AppData\Local\Temp\eYca.exe

MD5 74410423ae241c20dce8593a2f1936c5
SHA1 f0e568c96a3cdae66f1bda94784afdcf258e40c7
SHA256 976e710e42675087af91c761ae11a791dbffe89e0a0cad997012c9f2f7dc86e4
SHA512 34c554bd1b3d4e591c2aad81ab0184f7d2fa1feaea635c31738bcbd2d801d0d9aebf9d3aade713e3848242826314103049839fd32cbbb4fc3a7637356aba3e3a

C:\Users\Admin\AppData\Local\Temp\SskC.exe

MD5 5035d01b6ddd359a6d6b462e02b600e5
SHA1 52797bf8255e0c73714415c58a19ff6d4240720b
SHA256 ab3c69382893c76384eda994021f6723b41c8bbfe9275b99d1e7cf854e94d5ff
SHA512 769d40688f977fc6a43bfba528d435f6481f854080562721120ddb56d8931462cfa76a1a36119692085468c4d257cd10effc79198d090047a9f2c782d5dd0363

C:\Users\Admin\AppData\Local\Temp\gAAW.exe

MD5 74c663049c713563b7f8bf8e3860c47b
SHA1 29034be40c6efa7bc4047471157945fb16fd102e
SHA256 8f350971631dc408e969a4937db26e51f5cd14a6ae8834ed3f2f0544e2d0ae9e
SHA512 771d041334e9833d3b2344a5ad5f45203221c35b00fba06d690c253b24737cb1a079ab2f5fa09cdf10e303ce376fa1da70ec63a69a6ba36ebc3739f8a8501532

C:\Users\Admin\AppData\Local\Temp\WMwa.exe

MD5 4db08ea0c400192e70640df786338e14
SHA1 b514a28099ce04efe8045c7c8efe31ad06c0e899
SHA256 b0ada228fa980937009c2a59502434ae7ff1a5bc3b2411199fc57d5a77fdae6c
SHA512 9edf2effea3f62cb74a55ad4e9959ab09856147ef69f367dc2b747c2b65cdc0808dde6acf24678e91d8e201fe138ed24aaa3adbfe41d0efd3d4f451f3eb94ee1

C:\Users\Admin\AppData\Local\Temp\MmgUkIEI.bat

MD5 e0975aa7959f6800775b95cf7b65afee
SHA1 5cfdc67a10a08fa7490dca7c6e94a943d7e65def
SHA256 05498c4aec1700a34a080367df7219264567fea13adefaa048352319902bfb1b
SHA512 7135c035b472c1cbcd06216123edcbdefcd7e045985f576e9b29f3b85f85aa29a587a05b67290e4675d6f22b59874bacdd31e6acd440f1a785ec5ec2b7af7cf3

C:\Users\Admin\AppData\Local\Temp\iMEI.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\SwQu.exe

MD5 10b71a5547cf49f21e1d5cc249f4a98d
SHA1 b1e7437a90b4fe58b22e679948a0fecc7af988e4
SHA256 68cc4899f9cdf3f91a18a01f9064d1a7cb3d1b305645b600bdaf6aaabe1888ad
SHA512 4547d5a7af4c38c59d93e9c206b6caaf9ddaef4ad1aeb0c9f779bba679c5e06cb748b31864e7768a43769e2521b9462096f57a7ec78f7aaf0ffd372ed3a898c7

C:\Users\Admin\AppData\Local\Temp\GkwW.exe

MD5 b8a1f86c2faefc14a8cf2d9706730361
SHA1 b550c041d0f99cd33561613691a28520c017cadb
SHA256 9afdc60ea13daeb074740f516d537b425a6cbdffabb948f6dd5e012774f1acbe
SHA512 6f8740ec72509357b16f073acd216ad86db4b9706ee6cdf7ab8930c87bb7751b92c547a878cababbc7827ea8a1c6e509d58d56f6003383fbb102df2afeee143e

C:\Users\Admin\AppData\Local\Temp\OMUo.exe

MD5 c73a8b786bc4aa8c2e906a56181a7092
SHA1 ba9e923c105b21538f5d517880e0f9e2c336dead
SHA256 2e885e66d9e77de2c5f319125ed940344519a4e02e473a2740cb19808ceecef5
SHA512 65631f20f2b2171018ee8a72609af8cc07d91a17eb2d1b2feacdd33baf12d912838d8a1eeda906609c852f10550bc78e00afdc6c7fa26a92dd3a2f1356280c66

C:\Users\Admin\AppData\Local\Temp\CskW.exe

MD5 b69feadda3c5c321a17e7a6e86d4fd66
SHA1 f6b2a947934e964f84159f5592ee184120275289
SHA256 e581a5a27be293c0bdbaf9ce313a751a808ebdd5f95647bb30cdeb0e1c3d6785
SHA512 ccfcada0805a7462c28c49bbe30755d078da605982d08b5d63765a16cf4359954b4824354288382127feb4bf6de7d9b25cb7956ec68feb009ecf4564312f16e9

C:\Users\Admin\AppData\Local\Temp\UUwUcQME.bat

MD5 2893091eea824bed39d6ae6e255df40a
SHA1 c8dec1e56157f6eff295e78fdf522a3d2a93af7e
SHA256 65e1f77207bad34cfa19da016ed1173aab8887b2f825677c766e8597f942e1a9
SHA512 d0f480b750af0c93c0a6b83a073f6db402d9f78505deb609b3e4b5b6f64e9b99e0531fe52d5a8eeb4f7fbd49ef543d1456c839226e5a3b2aa36e4f97573e2e25

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 d82a729684ba7a1ad7d8a016edadce2e
SHA1 9cf7a7ce9b707c813528158d94201cc3f21690e5
SHA256 4b46c2c8ac7f9593535f6ac7f0d00c12f3a2a109149f026ee6d3ab243c7cd0c1
SHA512 a7d8e6ccbd4ff4c77f22a8a5ecd05046cb3897c4662bf43c2943e8b1760eb038436012bbfd2b3b9705fab1bb8935396ccd9fc978fe0c8566f953416f9e65ea8c

C:\Users\Admin\AppData\Local\Temp\WoEE.exe

MD5 cec4b21fd0dc7f5b5b9064e9cf3acd60
SHA1 4906f161a62b4722f530b775e936adb1e91b05f0
SHA256 9d4001ace541fe5c8f9e8ef08255ec66096fd74cc54936e1d1275371be7a34e1
SHA512 db05f3c6b8207a2f20dd8ece57300efd299af73559d3594db18f33226f2db45fad9e39cc008689944461ee010b3cf34cf6fa23d98cc78c098fc05325f791ddb8

C:\Users\Admin\AppData\Local\Temp\AAEO.exe

MD5 f0b42a1e895a31e42e912fb74fee10d2
SHA1 36e2aaf833acd9612a57644cb8bfc04786cb2aca
SHA256 43edff4c8f531f559df70ead14a98538c5e750de6a522b13b0b0faf822996e36
SHA512 e114e65c307225c0af0e39566e9f0b425c05f5b9b3d97f35612e20f1a4be046a1926703de8f3bd3cdf3c758ce8b22166dbe69056d4e768edd456d6a15ad32fa0

C:\Users\Admin\AppData\Local\Temp\dyYYwcsg.bat

MD5 0ca06e20600096c0f477ccb7121c389d
SHA1 4dfbe5186a8c78f6949a63c05032a0add283486f
SHA256 ad3b7ebdc60167b189b544d0854bbc682f7e8a22d2da1a28c0bd645d9225e112
SHA512 221d9d289d469e4603e3529e7b7a25e15a96cd300e08eb566ab67ac571a95e46d0bdd8dd2b0267521a470e8c1153b3de0fb64738987618b3a0d66b67a376c6c1

C:\Users\Admin\AppData\Local\Temp\mMgq.exe

MD5 5988933577f670f017624a419f115012
SHA1 bdbe132f79bce318703f33c5cad326ec6eaed8b1
SHA256 0c8b06bdf1a91b20e14836f1786a22e439a4fd40c51328d1500a82ef92471908
SHA512 8675d0be9f6017e0b32bad27b690ea20e46c12ae53c6f2b98b6c69129772814c739dbb4b2b88b4e9f618d646cca3748cda2bc5cd326a5ceaa98fb728b00f7e00

C:\Users\Admin\AppData\Local\Temp\MYAO.exe

MD5 43c6d6ab7d55025741d22549e17021bc
SHA1 6bc67b2bd6b63df511eb5cfb716c61198cce5b4d
SHA256 38bbc20afd1118248befc45b57aa0a7a7beb98b0aa6b1e653feee2fdfa36e609
SHA512 390621282c0626daaad494f928eafb6bd296f8b1f35d4a675ef0bb5a3aded34e1f30e95442d4f82622b9c74ccea9c2411b092fb9c892d9a63f4079cb108999bb

C:\Users\Admin\AppData\Local\Temp\SYcO.exe

MD5 d1b8e4e1e5a04bbde5acb795edc69db5
SHA1 79460bc65ec369b74db9326c91cbaab080000fd8
SHA256 a6695c724f16c7126fb7958ef901c7265deae2afc2708fdf1cfabeb12daabd4c
SHA512 2fce3f5f102b63ec2d14cbb4bb0d253c9260393038c21bc1f172de470fd70e849e5a3e63f2379f138b543478c341e8bc5e7ad8c3c52fc8e3f9e0f4eafaae8af1

C:\Users\Admin\AppData\Local\Temp\HOcAQEYA.bat

MD5 5603988b2c1a42a53d098174213b722c
SHA1 1198e2791fb7aeb58765def5da6ec7f2a285f5b4
SHA256 d4581e71790fc6a721bf6428cfb75c6d2d4a4533e879d5bdc3e4b7950162a42d
SHA512 1483e9b5f3ec67e8be0552dabb29d850a14046705d391dd719926df1c6f48d5378ede1e3062ba60eb01ece762f31710eda02985fc74e81bc7e1371cdfdfd1bc2

C:\Users\Admin\AppData\Local\Temp\IYMG.exe

MD5 0583db8855460cecf982232510d6b147
SHA1 af87986296e7a4bb8c90f7996b69c0b3d809519c
SHA256 6220008fe0197256dfb7a6223f06d58c8faab13a50b966a8d5e21dd149c35fef
SHA512 f86aa4fc7745ff0db9f7f2ed1f11385b2b24e5c58220e2817550754c8ac1e1db185d88b470e41427a8769ee7e58bac55e2182661f7d8fb6c328a38bc8508ba29

C:\Users\Admin\AppData\Local\Temp\SUke.exe

MD5 cf1cef666fe309b9afb3e7de35c8b907
SHA1 6c8bac659a40c22fae79deec6be6e9c739cc9ae7
SHA256 30fe831750aa7b58a5773f50b3110cfe2e2898eac130beb3cbaf4f882c50a3f0
SHA512 c3571b3d03c18df6e5c9cf24c49b594f142939bdfbb4c776540ad61bf2d2d2f44d02f66c9dade73492874f0fdf7e02cdf51362661044d679e3315b22704648bc

C:\Users\Admin\AppData\Local\Temp\zCEAUwIM.bat

MD5 352cf243c7360d68809197dfb9cd99b7
SHA1 4c7675915ca32d9a2ed49814498b133c5a846dba
SHA256 94d765f68c46ebb85a8863683117fb4c98d2e0540cbfd75c2ece7bcbb3fcb4bb
SHA512 573a36bf43b43260db9c333c6ccbb357d43597f6b65359b8c55e231cea5873896bb8fa9d34a0a9b5336a43684f5e448e638502e6ddddebf9f3be2e7973938bce

C:\Users\Admin\AppData\Local\Temp\Ckok.exe

MD5 607cbc52bd0b44d8b5c3224314ee3ed4
SHA1 2658c909107e3c9328ec8815d6b8e862e8a64e7f
SHA256 eb8573c52378123e2644fbf672e3a71fecfe0e5005b6026f5831297e16a00443
SHA512 24f1acd5e8680f31da32ef9f3146bbc4082c39fe67eb20b556787fe8d59281ae26d4d7455c622af2738af39b0bac54f5152e2fe319fed468c62a31a5578e6398

C:\Users\Admin\AppData\Local\Temp\WwUG.exe

MD5 7a9d68735d14b6585f7b9a4e2858b389
SHA1 f5cbde754c444a2e23385fad8e0c1eeb5323ab71
SHA256 c9aa424740ee1fe83c782186c4d109701535f317524bc7b2b03acdb3615594d2
SHA512 3cee716fb714c91e25420cb9e42c76775337285145c541a067fd49eaa7d249d548b50a2aac7be173f31790a4484cec5e8cdc8329d9b0ddc9e5886e36874338e5

C:\Users\Admin\AppData\Local\Temp\GQoq.exe

MD5 17f3d9f5834e8c148dc7db6d7f6125f0
SHA1 e29ea7baa7f6fba8cbdb7ea5c2ff495e8e6e4385
SHA256 eb72e4eed2a6ee432200db194af94c688f93f01604b241dfea80c583a116e210
SHA512 9d395edf4327be6006b29d3aa149a11021301cd12363b8573ab172e966e8cd6343fa1ffcf47b70806f0d55605ce5582d2c9f62897312c245f454f70c6443eb2b

C:\Users\Admin\AppData\Local\Temp\ZeIAYIUw.bat

MD5 f739fffc705e83ecb616396b59daefd9
SHA1 83367170330045d86a042fb03a1771230a3c9d0f
SHA256 5826e2e76f3b0fe175b423db6b72929ebff03d5fe0eda215630d9bab860ab88c
SHA512 15f2c83e3c71a5263c089fc946639473943c921c76a80d81f044232929b253b433697902cd5acfaccbaac042d516c7cf39414f15d6d04478b21cdcf2b488044b

C:\Users\Admin\AppData\Local\Temp\uYQk.exe

MD5 6fa5dadd175ae5cb70c1043892b44e99
SHA1 68e3a700eff72bae1c28e35d4f7b8992bdd6938e
SHA256 ea5827419116c8f0c1906a22ca4c60f60e517aea03ef8dfe82c57a990efd4359
SHA512 867ab0915930c085498bac588e9ed857ffd275ab1e00ab0e59f63e0c37d4147ebbaf1ed29fcab02584a54f2aaf26dd3371f2db1d154b8f27654b0d107115bd76

C:\Users\Admin\AppData\Local\Temp\oUEK.exe

MD5 b8bbe928c7f995d39063872d51272465
SHA1 08c05faf4c02cca46f7004c603639c016ba1088a
SHA256 eae69fbc10a3493eec657e52f9b548326199df1a765539f71356b1933a5c7eee
SHA512 89a02803099123095e36e9aa8026707c054ca68cd3e0130cf4ca8b4e828b246f2cb74b0139b9333f944c50e624bf669c5e227bdeec7f952b36c9b018ff895918

C:\Users\Admin\AppData\Local\Temp\FYAcgoYA.bat

MD5 29548a20b8d5d1d5da539bbe0326ed7f
SHA1 912dd0cac9d3cfa38d8f40c368234457b5930ea3
SHA256 2e1d67293d585db034723910f9d0e6d767d84086524d1edadcbe399fcfdb3a72
SHA512 9db6e7d4de1e9025dfc5640d039ba3a281af17e36b08774549aa55827f4309e579bc5c0d17e6a9f393746261e1c5e4c067c3323280227db0b4f3f51ab095cc46

C:\Users\Admin\AppData\Local\Temp\qIYc.exe

MD5 9ecbdb75e202214b9014ec62f417e87f
SHA1 8202d5b5b77391480db1a80f5c19dfb8f1dd7702
SHA256 d9b248460b679c2aa344a5c02898b76b6344fa37ff1a7a6d22217f7db93a013d
SHA512 8ffc68f5637639d7c64163ca8d13ea8c2b9988ee74f1b73fbcd2d9def0585933ad39c9a70439c2756fbfc3ca680aad19d9a64dc38b46769d8be6b07caa76f147

C:\Users\Admin\AppData\Local\Temp\eAMU.exe

MD5 b2f69aed2d9942d31f63dad36748b0c4
SHA1 5a26c2cd86ad6ad8bcd0c8336e34242eda97aa37
SHA256 706ce8e5cbda2fb3568a9fb2e037e7dec2b75b8f108a34c7c6cc090223672226
SHA512 32cb911b766f0cb3eb72391ac644d119fb3ee100dc85d2e796f101af1c22c658a2b2843d4f8539fa5beb3a00bf8c4c3e587e94849faead346580b94ff8e12437

C:\Users\Admin\AppData\Local\Temp\WkQE.exe

MD5 169174ab8e279068ec8fbdba1a1b5a7a
SHA1 6042d2bcc5d7b7449c41fbf77c296d7578e460a6
SHA256 5437aa8599063eaae45dcd60d1ca0f3f641b160dd044bde91633d662c9700914
SHA512 f249f23595122e3c14baf044d82338f5ca18f7a57afe3b53ebf152de098f0b65ed08b7f0979d4a541636a4d533d0eaa4a69864678fd6cda1495c73cded8a8bdb

C:\Users\Admin\AppData\Local\Temp\Okkq.exe

MD5 ebded924054baf0f615a7218d7f8588c
SHA1 21a3b2da8e5ee3ab05785350c966bc6a12825150
SHA256 de31a8b37c6441e034c95b351063a4560f5d414a8a4ef9b0666cc434ac91bdb6
SHA512 1e8f5ae466c3000ea435df37e1be98ff07e8b671bd10c5412fd638800f5c48bee5e8aca27da66747ea9a1d29d48a21665e891927ab0edd3c1870b2d63add9089

C:\Users\Admin\AppData\Local\Temp\gGkYYMkI.bat

MD5 bf2beaf17ce735f0c60d2b4290dc48fe
SHA1 1fa38e7c3f53b0323effc82d26257dab7137ee7a
SHA256 58d8f64e84b4d0884c03fcc2e642beda3a463291be8426fccb86550b5d2ce1ce
SHA512 9e5ae03fbf1ee0108bd7a6866cd90bf455c8ee84c4e86ac8e6e2185d40c47b3c786c092961f72e07392dbf530b50e42999b3069912ce17031b0538b9f39ae225

C:\Users\Admin\AppData\Local\Temp\mgQC.exe

MD5 177e321b727f67fa5f680e9b94fb0c0d
SHA1 d1f6d02706dd2e1e7534e50d51b77b728d3dcd84
SHA256 9b7bcc318d396fbaad6297ccff865a73b0ca0d54e945a637a093908f8659d11f
SHA512 fbc271b101023b363f8ba4212db8e49bca5103c8fc0cc9a9c0271b4e4c3aec63cd6abadcee15705e87e92dc41fe43b2b0160ed3d7db2b93232d3bdea2fe9f4cb

C:\Users\Admin\AppData\Local\Temp\CUEU.exe

MD5 2fb8eda14d7305f0f235c27c527606d5
SHA1 811e3f0fb465b794f339d146cdd013d9f9eee63e
SHA256 08a55ad850b02ddee1241651304dbf4ad586da4695a0a401f31d3b2c529506bc
SHA512 1b5852d260662c23de79fbdc0c431bc9dedac06f981125e9ec038756d8be24f0e9a122b487d42d449c76ef0a69960aad107667d8a0130263a08bbaa4c5286cfc

C:\Users\Admin\AppData\Local\Temp\YsMm.exe

MD5 364ed5e0eb319eba1e2b778d89cf34fb
SHA1 a53caabaeb7e062fde594253ce08c1e29761970b
SHA256 0532f4c9712dd258d0a6082f73adbcadcff3ab72c5712e8247aa02b49b72acdc
SHA512 c97e090422df586a34a6dab678b20219f304daddb6bdd9cfc9dfbb7e2a4a05d6e7fa2a983d7090e92ade8e6e77afce5febe456d22b23c60c92b4a0e3e16a9921

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 1bea54c8b49d2cc26f1aa21dbf5ccf8e
SHA1 df074627c6db5bb9e35e28b26155a17eaae6bd45
SHA256 e56d5efc69d6689e25a2307bdc945c52b25402ab251a1270f510e4d4a41295ee
SHA512 87b78bcff7400f12c40b68493fba7e0fa4c9978171c087c05b59d22e134e314a98dddd978b1a939c8895039735f2a3d8758e38177ebf1561ca6a83f951a5b00e

C:\Users\Admin\AppData\Local\Temp\esAe.exe

MD5 6a52b369ce0dc901aba50e861e1ff305
SHA1 826b5ca7e9c8ce4120dad10a3a87e89f7fb83c11
SHA256 8043f8533674acbffbe1d15c832ad97466e2c61786859870601c147f2eff3a0b
SHA512 76761fe9baa46b1daaf870074bf1b6a0a49c3dcb4001b9bbeb3ee9797f2e696b906dc4c3072034c1898362ddafd62dcb8186dc4c0390a530c00799836a895c5e

C:\Users\Admin\AppData\Local\Temp\sKEwMIQM.bat

MD5 af7679eac8558b91f9ec4b3611894acf
SHA1 c32eaa94a0b67887f1245600c36ef6bd04ce070a
SHA256 086ee4b56e6db4b488a2ba21e87cfd137de85f4cebe6ab84016e78d9d3c39079
SHA512 d94fbf8848027aec680f6bfd03f7ad302428892a9c6797381deab755db12ca988699b920d6f3f83d76ba2f3dad1131a979fd335f049d1f5e32a2f9f96660b34a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 f1f4ec18ab2902c6f459f42e330146e2
SHA1 dd345f9d0121217b4dd4a39d1b7c473fc82e7ec5
SHA256 e2f6c1002369fea4265fab26bc1a92e19e95320d15cf50a093cb7ff89343267d
SHA512 5770fb280ac2d663523b7407b0e61e944d2c8600210e9b8ad9f0970b7a623ccf8d96f44a56dd2db302f0463bb66ee4a5d86b0fcf0aefd136dc591311a5b7d436

C:\Users\Admin\AppData\Local\Temp\qYkw.exe

MD5 a1079e1e1f085dd3b1030701d9bb27dc
SHA1 039b2e1244442826aec2898d9cd094eee0106bcc
SHA256 305c6bc35a12b1e133c96e75b4b49747aa737a3a4c04df573ac6149b004b7616
SHA512 07d0b63eab072b9842a82e244556e13f655351d0d73feb6f2714cdd089a96de4b46d1c2816db56ec0224672f45f48efbcdb33bcc2a35735ffb2f0cd5a8d66332

C:\Users\Admin\AppData\Local\Temp\WUUu.exe

MD5 d03118d32f01260c40b336b0ebc66011
SHA1 f21a19f44f562b9967ae121883aea42b0f5393a1
SHA256 8ec6729d3ddfe864422b73624a841c60a91e0d3e4b3b1390d63233ea6c23b174
SHA512 f73ce014a8e786d56de9bba004fdda31a72ac5ef36ea79c580a19ad161efb9cb0f1b9fd9a350b697512823ac7869e5bb5537b78205e3231fbc51935705d46a79

C:\Users\Admin\AppData\Local\Temp\gUsMUkUw.bat

MD5 ab933cbc833b985a0e3b1d77aedbbc45
SHA1 320d9cc550b38b458754dd59645929603d721a28
SHA256 740b6c8182c80daad08c066d5d5030bad9b12908324b42da3310ce928122ec24
SHA512 484318fa845aa65c7a73775346763fe32a919d0c06a4866f97cc90f287658c6c2980cec11300cd32426323e0e1b12b51eec64b0c4a172cd3978bd11d3464f3c0

C:\Users\Admin\AppData\Local\Temp\ggcI.exe

MD5 d05b348bf85c35b411e9dff08e930c23
SHA1 de80328af871fffbbb59f3802c5634cdfdf1424d
SHA256 9ffdd55367242d6a6122e14f19f89695a8ed07bc2ed568fb6c1d9f2097e87336
SHA512 9d18ec5f5c5ae8937d4f5033efb537aa3f096c00c7b73a361f441808999e15765005ffb3030578129d3f5116890d7caa17dba6b8e47e1245e5a87f069a2e295c

C:\Users\Admin\AppData\Local\Temp\mMMg.exe

MD5 9579edad1da8ad9e5300a81f45c4d436
SHA1 f50b8f36e514cd97a1cf2eaa4b350946b550b458
SHA256 0ccc63ce271677a9b65e2ebe3996922685068d630207a7ad2e8ace3267ffb781
SHA512 0f09d0323ba40ef6ab0a2f8c0b19933eec7a4d1f33cbc7c36dcf599132dbf4f6149e317074f24eb061788d922438b70b4317fbf38d8df82642c9e63719dd5323

C:\Users\Admin\AppData\Local\Temp\eUEG.exe

MD5 2e30d6283e01a9d998cb2598b2b37e8a
SHA1 0aade10fbb71bc1e0acdcc2938d43ea1cb4f6bda
SHA256 d57451c6fa015d702565645b28def340d1657cb643811f0eac61dd2e261c732a
SHA512 74104b5826e1a5367add1815e7f4c9b3b1edfb28c67e37879a326132fb2fdd0ec5528ac580e3ef228ecd48ee8ae4d0163a0f9db5c9c9fe117ba22d5cfd9b774d

C:\Users\Admin\AppData\Local\Temp\wEoA.exe

MD5 d91835e789c484fa812a14c5655197f6
SHA1 e2515d6971fb6e2d3a1597725f7fb95334844f96
SHA256 e930d648837de2d80258bbd1e80339e58959bb4546d1c32e905a8a7c021b4ec9
SHA512 5a432f731e39aff37d7633ff72e79565892d5250580a9025f9546e039cca437d12bedbd11b784de69dc0acdfd46364f5e74df2a49394d4545ba98baf9c2318f0

C:\Users\Admin\AppData\Local\Temp\WCksMYgE.bat

MD5 0804ed47132e98ebe7170ca616b70e33
SHA1 5d8f59fd7f8e832b3584f2ab89850ce2cc18a48c
SHA256 eda8a33604514a9047c956da87b68d64ab7e481b40426a897ddccd0952b31fda
SHA512 e85729c05b2f2a4b88f45dd29c4afd95e478105e0f04c92736f2fe96505cf9e7f408179cfeaf8100eedd1aced19624de08d562cdff1b6574f044d5b955a50bde

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 3649c2755e578bbc26f4aaf8548f8fe0
SHA1 b48a3e876d1bf58ca04ec8c01ed401b46301c5c4
SHA256 ba8c5efc061106625aff0ed5d3471a910e76878485ffc54ad65d27da23870ded
SHA512 d798655bfcad94a38768ae087fa51056a575b3c4196671a67fb7512656266d444bb9210bbce4614bf67c748a715903450542616c8a887bf7efecd1122d874a1e

C:\Users\Admin\AppData\Local\Temp\sEwu.exe

MD5 2ee734f7bc3ee558f8938e4200682d47
SHA1 978fa63a6feeee4a15a009e58b8a3254795c4903
SHA256 6cf5745ba2b43c4d6329dc89feb9f342ffd1218dd06dc7b98a22c6444eeee91c
SHA512 8d0973b6f109e1fdea249d298e4ad72ba83f9d4e05432cf73c3acfe4ffd258dd22e61bce96a816783862718665c8e73b285377c22a3b147fbdd2204e06981c04

C:\Users\Admin\AppData\Local\Temp\qYkE.exe

MD5 58ef6e81f9c9216391acd3c7fc166b09
SHA1 2f2bba9af40f92864b975d5bbd6b84800c0991ac
SHA256 1e1cd3f88b1a6efcf3e6af103686c87e121d4c5f7f078b2094216e1a6d18cbe6
SHA512 7aef4f9502fcc0248347a8b9b4a84c76d16bc5c28146087360da452ea915bf9ffa4f03c38ea8a4baa76c99bfd905e61ca0f62ad2312ccce0fe45101c2bcd5930

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 ff2bb075a851eb0b91cfdfad502cf7af
SHA1 3eda2a5aaf29dc6680752da1d50f4fe9cd2a134c
SHA256 17a185476db7b0c50ba831e28f45318c951cbf6312bbfbdd5656197c78fef2d5
SHA512 8f38d2721d8b3426c9c2af5b15de8be581c268cfb00fd7b8916b12fff8262c11dd4ea07438ca859e0b6285198cac46442e4f798a628077875d6183637543d1ea

C:\Users\Admin\AppData\Local\Temp\zeoEwkEw.bat

MD5 67764ba5b4793ec20758712835f61c89
SHA1 d1c9912d67f4b0d273c048f0e108ef9ed3ee010d
SHA256 5b4a76eb09b71703ed0bfe9cb0b7821f9a3d9960a911186318cd9ff90d784b32
SHA512 a58cd92943ae0049ecdc8514bccde4d8979312ddd86fea6a6b99328ebfe7f79ef0437c6fd6ce586bd55fd32a291f4353f1547f80b273c86e2c573902c616c8d6

C:\Users\Admin\AppData\Local\Temp\mEsc.exe

MD5 7095a85a406c49ee3302aeb57cfd9e2a
SHA1 309c22dd94d68dad0c966615b6297a47230d3096
SHA256 a3660d5633837877d2f4df36bdb63be142cf41e986b0a0ce432fc84e4b73a464
SHA512 3ace441aa007072bcbd95f3aed458ca635fe43a8e2e459fe675eeedeebf7c03a2a48ae9596fba75047b5de90a9bf6b96132f1e4442298aeaae0f682d0f9fee9b

C:\Users\Admin\AppData\Local\Temp\OosC.exe

MD5 46782027b095dd3705befafd91be2422
SHA1 848393e89401844d565f5dd84a364f85573b09aa
SHA256 30b911999a0070198c60d43bc4a4beee87051eb260c501f93b9f8f7699ea6181
SHA512 c2f0f66cdfb83860c93951231e362e9b94e5fd5750540d52a27c3e2b4b4bb77679ea004553b16c20bf5159ca3cacdca8f04c076d038df30e95144381ecc43206

C:\Users\Admin\AppData\Local\Temp\AwUw.exe

MD5 094da395f472e1a6312475fa9583c1eb
SHA1 2b4335e424dabde2030309a6859e781c2b8bcad5
SHA256 ac8961446df3ea8f56d3b9c19b019b86e47ac279ec09eecd1d6ffdd084d63948
SHA512 c118e7a0e151dbd6cc06aadd4aa7dce59834bca16294268204d719ac3be5c34e2f1148f20a9303505a55575dca675208b26e52caf6df6a3494725d3c184d7587

C:\Users\Admin\AppData\Local\Temp\UQQy.exe

MD5 037b861fc0bbb70d4bd78253dc5d5cdc
SHA1 cda24cc4f3300d2446cd6772062e49d4b89c2443
SHA256 9bb17e6d702044c7c750142a9b3f6d13f10b5777552b3feb474265a970c5ef90
SHA512 d89ee24200ea98f13b8453cca5b44eb496975fbd28fe77341ef2ecfdff84f55a77a9a455911472f1935f23af69b75451a1356e37e908ce8d5cb890e6897ec65d

C:\Users\Admin\AppData\Local\Temp\jSYgsMMs.bat

MD5 0e2add877a29423690fb1df3bbc0dc5f
SHA1 256683d6535d4d21ad5423659bb536f33d1933f7
SHA256 bc920bf92a42ab3424d66805ce8dc87ec9924042fab838119c2622ae9a4cca45
SHA512 4aaf06561729cfa78dfb14cac4bbc312e5050cf2e0458e3b858146cfa5ca9af084c189460f78afe58395005f6c7765ed3254887e9926ff2fe4a23d301ab93c6e

C:\Users\Admin\AppData\Local\Temp\YMoQ.exe

MD5 72883c64c1af35cf5cc644f08cdae874
SHA1 df0406a69d59d870e3a0fa0c1c46cb551b2b40ea
SHA256 ef4bcf5d651688dea75f76255cbc378bfb9af5e785a07c8aec9ae5ad0239bf40
SHA512 51e9f81f86a501c2718102d7ee4e15e20d05b2f35c32b77ad76eb8ec4cba7dfbc2348ad65f598cd3cf06248d54764499e0dcb2337f25ec0cb995d4eb71bc0fa7

C:\Users\Admin\AppData\Local\Temp\aQEi.exe

MD5 8da857cd2e6c037f9bc697318eaa108b
SHA1 7b206ddf9460f0be5db67063cd211118b9122fee
SHA256 afac116b816bc10d53b786c50a3d93cdb101dcaff7f578361f42d46ca30b3dad
SHA512 20173ab67f2054a742ee37ad7a7314e92bd7021fe0daf9c7533457a75de96379a56a4bb05965de479e359d1e938e9ece368895a5b9a24e9d716a3ea4cdf9bc99

C:\Users\Admin\AppData\Local\Temp\vckwscYU.bat

MD5 1442f4d9067031580939d81ccb711f97
SHA1 fb8a639e12a3753259e16d83fb57e652d2a7d8fd
SHA256 c6da834cc345f9d5c35bace35061559198f4038b6b95877cc2d9ab19bfa1c506
SHA512 0cf7c87f5be11e71b31291790533c7087cc00d3dd871e867592dff1548daece64f12fd774204f8e7900d11faef2340aaa9c74f4d2a48d85daf2aac2b15be1a3f

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 ca3a393d65cb463a16378f50ca653083
SHA1 c402f31a139e4d2ffa818d024eaf138e1a95692a
SHA256 b1114446319820f0c5e71302ef0999af77fd57129456f103a47164eab2093352
SHA512 99d0ed0533d616db220a41b19ec541b932898e94e0ed6f0f3d0df7422dc85d45f80070ce72eb9e9ae28e27ccf23454b18519b31fbc3cd095b784bcd0ea531238

C:\Users\Admin\AppData\Local\Temp\UMMy.exe

MD5 f95ab85062dbcfb49cee3c23238f57d2
SHA1 572507a60be2a5b43514dd8e0ae373ff7059140c
SHA256 d25d434db3922231ed5cf94a24b0709dda5563bace83148803e28c592ca80097
SHA512 b2d725e47b2f9f9419121739689c84beb1b8cb5f2c9398672f1460010d55e1233207a9db35b02a21c91d54645f2ed2628a00d4c61e47550338258fa28f8d1187

C:\Users\Admin\AppData\Local\Temp\bKsIwEog.bat

MD5 58ddb47ed5734d1d2e9171a0c14e9a8e
SHA1 a98ec69847f119fd17ccdaa6f7147cb9e8aedb76
SHA256 7c3c70335fa9280cf02afa16523933b7f95eab1d006d89154d0d88e4381ffa6f
SHA512 fb8ce232efeeabf1d7700b81919b4355789544eec8660ad500abc6aab29d8f1fa81c536d7c42fe8fb9bb92ca015af97a27ec413e3dd458a5b51c6691ec3c551c

C:\Users\Admin\AppData\Local\Temp\kggI.exe

MD5 43865403e5d226c50622d2d27598c165
SHA1 2ffc65c5b48a73223ec2a97338f87c817996f73b
SHA256 3de04948db28554e5215b9a6aef244f114d069758a4258c0039f9421a414f9ce
SHA512 94ae7e66fac5edb08da6037cfd7c42832bb46f7153af4ad105976216f8c95e7ad1e9f891f7806144619182528309771f411cdc3905c8c14dbe254211e99fc1db

C:\Users\Admin\AppData\Local\Temp\KEkq.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\ykMK.exe

MD5 da3e93b8d12d47e89262f201c154ea1a
SHA1 c44f092322a34b8c5562a5538df30f7612389e61
SHA256 aa9c264c6be66c411ddd44214c557e8ff23c0f2aa76be801d941e27f401c2dda
SHA512 c8c3bbc9f615456b403e673d01171a746edde9b116c8c34df4d43e64d15e8309647d2a8f8b766e4361170120dfe23e05d8ebf78eb1f2f540f301fc4d10254e02

C:\Users\Admin\AppData\Local\Temp\YMIu.exe

MD5 6807c508c5002a840340889624c817f8
SHA1 137f7b11ddf3ba6c9fe3bfa929826ba99909391c
SHA256 427da194a180948c824335bb59ee35203a086e70555c04bef9bdaaf10972166d
SHA512 8a3d9687135241626518b3a960dfaba7c822e7e48b9e192798805008ebc25c2d899c2a64b57bb55a3f05fda9ca106704220211639346d8760065ee1ea63f8225

C:\Users\Admin\AppData\Local\Temp\MgAa.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\gEgU.exe

MD5 bffda171a25b17d1bd38f789deb7d9fa
SHA1 832a65b9da1cbc9aec95df64acde9e98b8dc3a34
SHA256 b53dd399db3724f5c2bd6c2e852e028770f6af5289dfd28e41786436281ed99b
SHA512 f94e49352532958ccdaa58d61f05daf9952e352fd1604e1992fdd04631bc302f8bf085b6185f428280191498ad52e65c7aabcc3f044a83c425b3d9c1e364b408

C:\Users\Admin\AppData\Local\Temp\ScMcIAYY.bat

MD5 64000a25e646ed03fd7a02afed173ffd
SHA1 98ac0f6aa1e09224368e0dd337fc9e01f3e191eb
SHA256 10696f45a089cfb9ac09f86cb53aec4e1ec8d9364bcd766ad921fc32eca61d4c
SHA512 cda663ce3da2eb05e88c144338c1da1f09da87137c97b64822decd5a8a1471b32f8b024c51cbf063ce8e847b205821e4396142873dad1b126fb972077ec2a673

C:\Users\Admin\AppData\Local\Temp\MUoM.exe

MD5 6108f1f9a0de11a96d42ad6de754babe
SHA1 71a105786cd2277b0e056fb597dcb624b5721bc7
SHA256 8d25ba1f7ff417c56bfd67d18e4c82cfbf2feb0bc2c50e861d07a095c50f6446
SHA512 2f9863c2c1571cb58bec281086a3542c51eaf5c40ee0bfed9c67556ed3e6a4e2c980514cfe953afe0a8b2f1ff6df8b7946d0319f8ae86e16c9254d5e10146d2a

C:\Users\Admin\AppData\Local\Temp\McMa.exe

MD5 379a364029ba85d9fd4c61dc47110b78
SHA1 0674b3c98aaedf10c2b708ebbf626fb4fc495622
SHA256 0aa6f1200ca0503e497310e69ecc3b290da7ad5a6503fd54d1b9d5872ef7fea3
SHA512 4e26e19c465a99f4413518c0e9c0777b402b367c4985bfadac8af27b9d0609acbc981ae5af0a579612e2755ca12b2248c6bd0fc78c13b2e46a05ccab27815df6

C:\Users\Admin\AppData\Local\Temp\IscY.exe

MD5 57bd53a0283fd615e1828b5d96e5addc
SHA1 b426acb70610c34e10dcfe8a8d839871a904e722
SHA256 7271d8c62cf568d10b4766aa2dc427995ebd6dbb309aa3d4545d36350dc4dca2
SHA512 66ff1e1a41f43e681c178f2a8c9b6df73ad6e6dd2d0334f2bb90b120de78b4a1adbda7e025b30d0b6300ea2e1eaaf4866ccfbd2e4f8a72c09e36147d35775bc1

C:\Users\Admin\AppData\Local\Temp\sewUEQQY.bat

MD5 13e0b21edcbff389c8e871aaea1a0612
SHA1 ce6afe954a10f38d2a12e1fef271bd2219b23f07
SHA256 e144fce869315b0cd9a1e24f2ddb0d5f31f7f671d0d8f8ae186583693feb9c2c
SHA512 b3d574e1f4b9a219791493cd5a7240042f2194324cc34c0288cdeba477d6c15dc570893ab9810aeea24aaa79b516cfb1d991f9233dd9a22281b3d522c59e30ef

C:\Users\Admin\AppData\Local\Temp\wggU.exe

MD5 a44a7eb23a71a06fc51d8e1c26669b48
SHA1 e11d4c0d328ac37a771982c765706e867bb079d0
SHA256 b954cdae4004088f50ebb83a256a4162c337f4566eca97e1cbce7381f50a1896
SHA512 02986ac14b9cf6343ccd5653fb90e89c2608862fed16e794c84637a821fcfb055d11a1687e4207ea01acabcbdce0056477d10c25bed31acee114079075933eaf

C:\Users\Admin\AppData\Local\Temp\CQcW.exe

MD5 ad4886766c8a13271b0f4a0523d56166
SHA1 3e1687cb09a2848c1fd1063676d7588bd0aac0b4
SHA256 7f474af99b578808837a3ccfb9f7bb090aa6f2cae5fb4422dbe46b2cf4725a71
SHA512 f0a16f5a5cef71ed76d4aafaedfc5dd09ed6b36ac68c2097634e2b54973c99dcaea5cf26e18ce05418526d86812eb43d66ca898d2bc22a401d4801af283165d0

C:\Users\Admin\AppData\Local\Temp\SYAUQEIM.bat

MD5 6459a53ed05962924f2068acb30bb5c0
SHA1 8b957cfb502e6273368a3a000033a8f9fac5afbe
SHA256 86cfddbb46e29732b34509290f44beb94971cae3ed457316b4abbab08d80234a
SHA512 a8d9cb7b076d915d2ec83d6a31482975fa83b6eae3e698d38fbe76447f86306ac55cd72f74fc05d623e9411376c272aae246a4632e9e19b1c2fc101374a6338d

C:\Users\Admin\AppData\Local\Temp\YkcK.exe

MD5 cfaa5500ddc2d61eee90cca80d345a9c
SHA1 82ea3bfad038cc76c82e7f6dacdf901e0dd16b19
SHA256 6ba074aa8a85cc68bd1311c926cc1353ed23a23dcd0c19ebd6c380a27ff9f7eb
SHA512 99f47d48931363496822329dc62e236e26045259dabeea3327ddb2bab5ad281b114f4fce27b24962d7a365fe394fd00fc2e90086e3a0a6148d020e319539912b

C:\Users\Admin\AppData\Local\Temp\uAsAwAog.bat

MD5 ca4b8246915968c5a7b5901b0ce01e8e
SHA1 577a42cc7fad837c2e79874a3c560e088b8dbebe
SHA256 118e906d5e3277fdb9b492f11e73bf9b0f22edf5f116c3948d3cfe5e3804725c
SHA512 acb3b1b71c45163d6b6f7c5c99eb97a5970e703c5ec950f553ff1183644c7462ad32388b2f3cba355a3fee142fb5b54079a1f71aa812401fb1f6d4deb26e02d9

C:\Users\Admin\AppData\Local\Temp\tyUkoMUs.bat

MD5 43d07110b0bcc68cfe70f9da45cb2578
SHA1 1439a7d4af8696fc19744dec0aa2c32b04ea47fb
SHA256 7ff4d15872ad213babcaef3dc58df00dd4e5d6218aaa605b43a326efe270e75d
SHA512 c1de5c0d070b3c981d5db0755c076c57d3e1c44335ffb9f2f51ab783574d2c7317b8e3e3e06178927e1e395dee5a60bb3ce0dc88ddba216c7c94ce46013cd405

C:\Users\Admin\AppData\Local\Temp\DiUYUYEQ.bat

MD5 11513667156cf99762c266c0ef6205a4
SHA1 09a3d31b7a5d9b376963f3569e4f92229f91b009
SHA256 b23a426927463b09146bceaf6332d7467ccbbae73fdeb1975063beb9a926b136
SHA512 7f5c9229cdbd5e313a2509ae8e98d6c40940cc68433c1f5f19b1362c3b2fe2b5222ee4fb65817c87631e8a7b0c334a98e10a538b8072b7b2d14090d30644efe8

C:\Users\Admin\AppData\Local\Temp\vCggcsYs.bat

MD5 12d4643850aae003554beba4d048fbfc
SHA1 a3a9d19227018766523dd5a1b57ed2bf82d49029
SHA256 381cc1b3c86c95d49a68cf79529b3ba4e32208968f21f78bf62c0d88cadfc333
SHA512 a02aa57df4d35b1310dfc8ad535532c4b7cebbb89e60b793dba46ab365063bb1fa4b0196899d8d0cbcba05ea180fec792decd6d6110aea64256db326dc671026

C:\Users\Admin\AppData\Local\Temp\AAYUoAYM.bat

MD5 935d9e8e73e29b9b01622f79320bdb8e
SHA1 1529cca453d35fe7c2a36791f85da76d67a9e893
SHA256 7e1a5d14b1966016a99eb7f60fbf19aae2364f1c55b3fe9b5cd3434f0cb103b3
SHA512 57cb526b26e6d2918b9fdd957ff259d566caa1dcae36f79b06abeb92288bef642d3a910b5f2d6800d3814256f1e0a5a2971e9324dd83301a5c45f356283aebfb

C:\Users\Admin\AppData\Local\Temp\QaQEwwIE.bat

MD5 ffa0a54048eaa096d7c430062245ce48
SHA1 e00a9446d68cbc98bd52cd11e8cf21df6ce5589f
SHA256 371015ba374c40746305f01307a1c0b06f198dede4c77dd7ee6feb81c261791e
SHA512 c106733398bee32074fa32d99ef5b1e02c50481172baae4762625b092d3bdf06ab03195ffbd5f3e51ca58565abaf0e33754ab0e829b4784e6d140c5f37a86c12

C:\Users\Admin\AppData\Local\Temp\EyQsMoko.bat

MD5 79464e3d9617eaf41011fa33295c662b
SHA1 c586786a8764324b0ab344694dfcfd5b3b4b3e1c
SHA256 3effc6c5b6cc18f3a81af239ed2ed00502955f29c72ba7527e3b0235196f6f2b
SHA512 99dea1f2452a7dd23c64a7467945f4d1ffd5d715dcda0148aa09432ea7775f03e71374d5a09aa6e31eaa6aa3f81b0e678abcb8dff88409af6fdbb072082db522

C:\Users\Admin\AppData\Local\Temp\SaMkQMwM.bat

MD5 f35aa336631723f3227b37210eccb2d5
SHA1 3ef8834e3b607ce1aa9e3cecd518c0dcdde097a2
SHA256 04db1610fa8063aead6e3df27251a6931ace8ec58654166073c9959d9d09ff91
SHA512 2bd002d404a5800d9b2ea3359f710636143253b13c15771aefb0bab09df4b04cc1449a2988c045964058101f49a2afff08dadde5c74301d12493182ee5d20127

C:\Users\Admin\AppData\Local\Temp\sEMocsAA.bat

MD5 e895cb519688d7de5fb6dd1fc3408dd1
SHA1 19c4af2563464444e3d677ce524d286de7563e4e
SHA256 bad8c0e0bce4ff4dce4f72a6d5e4357bef91479554435eef898070550595e7ef
SHA512 4f1520511460b17df9bacbd5a1f46906ee78dcc0a5c6f7697fc12ae2ec1f515a15d49a79723ffad4b52590a9b8a4683e5b80a10a9effae4a4f5831ef41be5654

C:\Users\Admin\AppData\Local\Temp\NOYYQMcI.bat

MD5 dcc3e69ead0a5965e9ac33414588770b
SHA1 443ab22c666f29e284e1facce19679ad2b6e9d02
SHA256 f5c1f2416da579b4656452dfe9e1fe9f1acce47dda13feefcadefc4037923ca8
SHA512 d9435f29f3da105469d82252a7d55e236cb38c31de9bad840fa956e20b59ea98523334e30ce4b797110deac48e4cb1b0216672f61d5b04ba0b0b6d3ecf7f6304

C:\Users\Admin\AppData\Local\Temp\NgkcoMgg.bat

MD5 578a005f896e38fc047a4a99c847a24e
SHA1 1073da263700223d05b2b6df7a3d5697500c04c6
SHA256 281565af52f5d1b44f3fe8ba59c5d4cd6f051a225cd7b845a0bf3d618d5cc8f8
SHA512 d3fd5ed5598efa8ce9615b98bc5470851dad8cef562f93a9dfd0e19a5a911c50d7fb0054196280f93d3312af92e1564d08c2e918432071b49e114892aacf6981

C:\Users\Admin\AppData\Local\Temp\JcwkcEIQ.bat

MD5 7a679d7aee49ae093ad9482f8efb9344
SHA1 84e887ff22568e7992ed5d8ee3c271830a323454
SHA256 8b1c23e59a3ba13a98bcc4f081f07343157ad70bf1141fad290fcdd596c1ef39
SHA512 9cd97046fdb9d00b5ebc19ec6a043fa570ad1143f6f2beaf1049388d95ff536b8fa1f3c799246e0de01da3b101d6029889c2946f7a5b84a7f025b85485099f54

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:25

Reported

2024-10-26 04:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\ProgramData\AykcUkwA\SmYYccsc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZssoEgYQ.exe = "C:\\Users\\Admin\\rEgYoYQc\\ZssoEgYQ.exe" C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmYYccsc.exe = "C:\\ProgramData\\AykcUkwA\\SmYYccsc.exe" C:\ProgramData\AykcUkwA\SmYYccsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZssoEgYQ.exe = "C:\\Users\\Admin\\rEgYoYQc\\ZssoEgYQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmYYccsc.exe = "C:\\ProgramData\\AykcUkwA\\SmYYccsc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A
N/A N/A C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe
PID 2264 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe
PID 2264 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe
PID 2264 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\AykcUkwA\SmYYccsc.exe
PID 2264 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\AykcUkwA\SmYYccsc.exe
PID 2264 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\AykcUkwA\SmYYccsc.exe
PID 2264 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 1928 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 1928 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2264 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2264 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1816 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1816 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3292 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 4104 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 4104 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 3292 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4476 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4476 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 972 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 4124 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 4124 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe

"C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe"

C:\ProgramData\AykcUkwA\SmYYccsc.exe

"C:\ProgramData\AykcUkwA\SmYYccsc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEcUUcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKMIIgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raUMwAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pacIUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKUgQckE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKskwIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEEckAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwQkIgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYQUYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FysAwQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKoMoYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKUcsEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puEAYwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQIMIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeQQcUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqUAcwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deQAYkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaMsoAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FekIQkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmkIcckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQIcYMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIAgwYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuQgMoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyQQEIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMcUMgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEMkAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUgAQgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWkYUYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCMkQYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOUEMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IawIEMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgEEsYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgAQoUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcMAosso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGsEwYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwoAoEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEkgAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SckIMIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOAIgQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgAoYYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nioUUUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faQAkMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYkgMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSkkscgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcUgMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwowgsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bokwwgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwgMMcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSYoUggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIUwQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQwgMEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyMwIAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgMowgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeocsosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwAQwcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUksckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKUMoYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAsAQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOUIAwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsUgMwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqcMEAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMwcUkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwEAMwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUwUwQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EigsMwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSAAgQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgcokgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wowYEwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKMUIQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCYokMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BisUMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGsYUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmEcskIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QawYYcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiwsswQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcYQwsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwYsAUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsccAoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCUssYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeMMUEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAcUYAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKUQIgwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmsIQcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEIUAUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyIEIAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQswUowM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWkAUQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSYMEwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUIIYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSssYgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIswwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCoEYogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmkcYYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqUUMQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUYkUMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGAgkwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYMgMwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwMgEUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zssUUMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkYsEgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKIUQwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGkIUAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOoEYkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqUgsUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv HJQDvHrxo0WG0ThDq4j2oQ.0.2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIsQEAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2264-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\ProgramData\AykcUkwA\SmYYccsc.exe

MD5 1bed39333097a4829dcc9a2063395010
SHA1 e9563ca2608e20f5190a6118fc52cf7cd12ad759
SHA256 76732c77d71b07b69b06c9df463b74db935412561a00841c9ef58c3a75994e88
SHA512 43c597d335d46c407fcb4da605744040584c988441feb9f3fa72674c15c253aa2793520e4e22768603bff82f3b5468cd66bc5d098427afade25bc46cf4d81f32

memory/4224-15-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe

MD5 d50ecd3fde7558a9a864cf8c882646ec
SHA1 7e674824511a45598312e9cfdab3732ff1c459bf
SHA256 d6a33664b027b99c083ed050c85a8b0945ff0bb80c04a02a65d7549bf92cba55
SHA512 34ebc9d3b8b827a6195534a702106baf1d353d08ab58af6ada1908aa48160fb25af41338a20a9c7baa4257df5dc0085838c8d869666e431b15769dc2e5788f61

memory/1176-5-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2264-19-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VEcUUcww.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

MD5 d7ee4543371744836d520e0ce24a9ee6
SHA1 a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512 e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

memory/972-27-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3292-31-0x0000000000400000-0x0000000000420000-memory.dmp

memory/972-42-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1136-53-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4000-54-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4000-65-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-76-0x0000000000400000-0x0000000000420000-memory.dmp

memory/944-87-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2392-98-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3968-109-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2816-120-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-131-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2460-142-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2180-153-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2428-164-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4860-175-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4668-186-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4896-197-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4968-208-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5096-219-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3484-230-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4412-231-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4412-242-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4256-250-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2476-258-0x0000000000400000-0x0000000000420000-memory.dmp

memory/944-266-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2264-274-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4136-282-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-290-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4460-298-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2196-306-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1052-314-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1404-322-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1532-330-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1056-338-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3908-346-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4556-347-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4556-355-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3264-356-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3264-364-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-366-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-373-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1128-381-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2388-382-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2388-390-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1532-391-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1532-399-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3756-407-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2284-415-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4988-420-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1536-424-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4988-433-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4356-432-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4356-441-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4472-449-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3256-450-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3256-458-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4576-466-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3292-474-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-482-0x0000000000400000-0x0000000000420000-memory.dmp

memory/336-490-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3452-498-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5008-500-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5008-507-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAAO.exe

MD5 158ac500ae6cb5288c555edbed7c927f
SHA1 64f86a2fbcf8366b15ecd55ceb8540bcce7f7e17
SHA256 c0dd2ad57f2760f07950d65e80def207dda63d1da237da32f77e473801c28525
SHA512 8b47b6cb435f6c3f10a970323e562684f15f7f150e5c9d5f0f6976c2a61a4598d1224ce1bd920615929b05ce2fc11d262111411391dd1ab3eb94cb1d6fd9f3ed

memory/4028-530-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sMke.exe

MD5 c488a7e082286c3cd00481bcab2d50d6
SHA1 3beecf89bf0f47710dc7992a2da56f61f23c0b1b
SHA256 6a43035778896f1b200027a96881df4ea258b9386be8e044a3df3e0db1f5bed9
SHA512 b3e66026d48da9bede62d23c54af1f2c7fa116a2e6458d173bca50d58369e9997c1daf60b2c9ea5873383d7d5d0e8dca10809358e5ddd2b977e2de2df489b935

memory/4104-566-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mIwW.exe

MD5 63c9a2add3d8b50c1d2cdc07dbdda75e
SHA1 642d839db7b2f9b3738a7333d102ed4302fb97e5
SHA256 04e5353ed6bcc6280a8be7ce01e623507b02638d1694326b9d75c2a8fd41782d
SHA512 696cca77a0667961afb232b8e9c1a796682f704b41f9e706313b031c4f95fb3a13169297983929a86c08da79d7694dcce6fa29b592ad43dbdbfd833af58f4d3e

C:\Users\Admin\AppData\Local\Temp\wIcg.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\IsUC.exe

MD5 f168887f8ad363ba474e3388739f3a50
SHA1 bb53854f7c71d93bfb8d117b3a183c92d49e4445
SHA256 7261a7aa52711523c4429c3dfe4dfdd1c0f2071bf592a279398cdc7125f24731
SHA512 33e0c9f8d483cbfe674ccbdbeabd8252512a5e23d2fdcedd324963fb8b2a1b85638d4f340b5fb39ac6ba38dd62fa749f69e1a225d498556572c272c977ea513b

C:\Users\Admin\AppData\Local\Temp\YQwe.exe

MD5 b0a515101e4c75b5074be01cad0de68f
SHA1 ba96ad19a8a91a6ad44e74d5757ed6fc4e59a897
SHA256 528ed5c5ef9c744f8577763b3198ab466298709f0a658b61b9438b2f5a2804ba
SHA512 c08cc5526794ec34ea01dfa26deb8798960d1bc5782ea6be1531b72554cacc20ddd77053dbd4b0bb4e0f682228b87b005a084d20980d10773d1db4d6552b29a7

C:\Users\Admin\AppData\Local\Temp\wcgS.exe

MD5 ebe580c8d5bd749766cee82345e51123
SHA1 bee65a8c018261b565d49c8becb8d8ab366022c7
SHA256 4243e4c2038ff92cd4b927d37648dd199e30b49cd277809e1895ea1faa7f132a
SHA512 5d6022b1f764610dcd6237e4fcf0e7d5d46ee711440a5de049ec308ad5f2d9592a00ef6340a1c55c913794528381a6cb8faae365f17ce0ab377430f236228dba

memory/3856-630-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GkIi.exe

MD5 61b42740cd92e9a73be6af341d7d93de
SHA1 8dc18d30d487fdb08853d4c76bb36a9c26299e9e
SHA256 64088847a7b8f93e3d6d2a9f0f4903fc3100ee30d6947cb5d0395437b25d0528
SHA512 1202a66ce64dd8b63a0508843b7b743d9277b176700f8728360315ef231d0a7ac10af10b69820c195c4513f0e30e55e8a0f8a0f0a4ce379205f6919d1932663d

C:\Users\Admin\AppData\Local\Temp\mUQG.exe

MD5 742ada8c9a8f48d853120da8fa4d7dbf
SHA1 1d6e8e93b7f2e2ede78c7cfa3b63ae12359691d6
SHA256 b06022e084e7fcbd166ef2d327d4a3409778ae54f1acd1eca1b9910f5ae279ed
SHA512 f8d27ad4ab42fc1bc4cf22952b7d8ce1b8078bcbaa09c100b2877d80ae12d3739f405f94a5299ee5292a16256e14e786cd1de8abab543b41df1979ec09521269

C:\Users\Admin\AppData\Local\Temp\IAEc.exe

MD5 2f4af79add1acac3ade940282019d0bd
SHA1 3a9caf738eba192f1caaa4ff2eb764601fd1c544
SHA256 46c8c27fdfcc8761cea1d595cc17285a544b8a13f39a0751753ef57744e8c1ae
SHA512 84b4fc9379f1f324b4a526938be3656366e6b11029b797d8b181912f8430261480819abadd9ba4845b59765f765ac83a1497fb7bcde6be6d5a46535154043b85

C:\Users\Admin\AppData\Local\Temp\aMES.exe

MD5 90c90f806d22945d2c2cfd21aa557938
SHA1 0c601c69a0740b7bee8be23ef9fc2481a14741fc
SHA256 2688be81fcfbbadb9dbd6aaa2979e59300ad93bb982724bb62fa25f0068b3007
SHA512 abde7ba3ea6a6f14d56ae855ff890a4ad468e24e268c2f4b54d58206501e657647ffae434f09d4d596474eb1a2c5a9da309fccfdd4c9eb959b7afef5c1eec283

memory/2624-677-0x0000000000400000-0x0000000000420000-memory.dmp

memory/380-681-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAMU.exe

MD5 9cda929a0b2cbe51c9a0a8c792807a9c
SHA1 dca17e8be5cacb29acd50877dc08d7caa7bd9412
SHA256 9166f1238360bbed935a7031078e99d791095ef8001c2435a60174541cffed03
SHA512 14db5a6e2146e3b9959b1398b6185abea72f204174f0669bfc3b3fe1eb48657dc1c70c2fbe63e40f5046d926ceb1a2ba8cf3caf4f7c8b43c440ecde6b0279a63

C:\Users\Admin\AppData\Local\Temp\aMMI.exe

MD5 15646c058085e9dbdb0ba4ec2be81466
SHA1 04dff898cab9af418898126c47807183ba464882
SHA256 1f6fb7abfecf4c7138a003def10fc8a0448dcc4b9c6155ba0aaf45f8d6a4ec86
SHA512 c02bf2f4784b99987cfcf66fc5f03102bc96f1e85214b3e0ca078517717bdde67862376c9a92a4f5b56ca91569b5045732cd4813e8a70d0d3fb7da866d5015d8

C:\Users\Admin\AppData\Local\Temp\QoAU.exe

MD5 158ad803de9ca2e2ee53ff9c65b86866
SHA1 132d758139678fc5ffa9270718655d63daec93b7
SHA256 632194d107ae53334da268fe92c5ab23ac360cbacd98c2a7f3f1b36f81511d39
SHA512 661844b4f02454bd44cc1e40c2e1bc3cdc7e59f48a2a1a4d482310dffd59e82fe86cb1baf1d285d36aaf52a40865997fdb66a14afe43339eb779546a240a8cf8

C:\Users\Admin\AppData\Local\Temp\agEw.exe

MD5 ca14ad064856427767471d23396c5692
SHA1 9c86c129bf8d8e32341a3a0af00ca778c4375c3f
SHA256 8e4d421df874f412f214fad23b407a1410c3d405460810bb5b0884b38f9536ad
SHA512 36e16d5e50115fa7235398c848fc6dfcbd1addb4dd8667026a29c8870661cfe1197adf4251fcb074bd849fbe2ebca79d07e26325b8ae185193783290a7149bab

memory/2624-731-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KkgC.exe

MD5 17a01b67e152033b13e9ed6fcdbc07e4
SHA1 614506b18cafa25a64476b7a4e01085e77560d6d
SHA256 78078ec8ee9fad2fb8eee72fc61ed3fbb2c9485da89430e4be274b47da326213
SHA512 e391b053aada70002aeaf5fe96429b9590ebc73a704d07232b45ae39d0405996bc6b3985024b0e37d052e0fb665aa654f235e653818b53ce16fd0641f315bbc0

C:\Users\Admin\AppData\Local\Temp\AgcS.exe

MD5 fe25197622a9e536920a4407031bbb80
SHA1 638405f3e70f4ab5994beb4d6c75a30ffc38ed67
SHA256 50456c3af7b9e189613a993c155ec4faa664c31d566266be8e041d1237501d7e
SHA512 ff6de0c173c33bac280073271f14675c793024dd974b908202d5b5ac089c12f5dd2fc6bbe3d1fadaadc8cfdbd59c16c613ee9134ea24997569b4632a03f43832

C:\Users\Admin\AppData\Local\Temp\qgIo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 6b1d3ecfbc75dbf14984eef0528898f2
SHA1 bf4ea861fba6f1ebfce6f9406ae82130d94df425
SHA256 ad7b3bc934b0a32a41748b5337ba90c8b2634f7847049a92523ffee4306bed9a
SHA512 29f76658f3e2c90356494c1a3c55e09d451e5a91686187c1e074bf98a35fe00e2ad26e6e2db6bf4160490b09a5f1a082cf89681f2d20e9296cf26046676e7733

C:\Users\Admin\AppData\Local\Temp\MsoS.exe

MD5 4ed5c3ceddcb9f3f400fd02617d45398
SHA1 f04d69815a9e64e76d6fc15866c358560b1be046
SHA256 7a03d069afc1d02dd036b9dba2470c2b799dd91affa88c2f030d391be8e6a8ae
SHA512 5e92e00627ba39b2f7301480ee7b5306edc332dbf5abe87e561976af6128b7126b9f11cedb1c85b50a3f69cc29970a261540289a4d844186dfc8c243f5b26085

memory/3536-809-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEkU.exe

MD5 1bb1b52cd400c4f417976025d3577dc5
SHA1 88a4518770286a72f10d3b983e780214ea5b19ea
SHA256 005206873d66ed7f080f938c6126f7baa48c4167730e7ce1f5fef5ff7de08d41
SHA512 c87cd21a36492b3c0a2ff120b2b8e7e91ddfb9dd4c42902078922efc52c8585b71d6405191957bea49a33f9c952724648864a5d7a3d6629711d3449f78ede005

C:\Users\Admin\AppData\Local\Temp\oIwU.exe

MD5 313314f3dfcec3f4e60e8f781edd1570
SHA1 1a69071687a3f302cb7d3370d3f2b3fe5987b1e5
SHA256 32d4ef65b9da8dce0deef531b253f60c335b3af80ec7a827c9edeca287f1520e
SHA512 4f86b5982bb6d98a6c8c8c03a08fb314d13d33b4bdff9a545da3da192c5489dd363dc3dfaa0efe2665140db84ca5db53a76112aa1473bf2652ea57890e8e9d63

C:\Users\Admin\AppData\Local\Temp\OQMw.exe

MD5 cbd20e0c7f4cf8cfa20998044b91181a
SHA1 1ccb843d8852a8c8580b4ee18a642a78f0a9d491
SHA256 f303bed30701d5022cf1a7c609512456469b25603d78e962bb0486219e7e1cab
SHA512 ae50718b5b62c6bb471cf929b771f07ee2c898c9495e6140315e925043016bdafb14f5fe25aa8ffa4b39232925f571cb48417fb064e9d7687115948da0dfad4d

memory/3032-859-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYQQ.exe

MD5 cb5630fc087602134c73a6ab27a13ffc
SHA1 c110b00dbc7f8cf26078f1c495c276647353d85c
SHA256 ab45be08dfe0e570fda47d925eade5917c8678d4e8f509a75441b29193693611
SHA512 8ab640ea8397f9abc2d8a85f4059e20c3a565ce0bf3615db059838466988c89f5e9980049ebf29fe966f0ebaec7637ca69ff4fcd8b28bedda0275c838dacb85e

C:\Users\Admin\AppData\Local\Temp\SMEe.exe

MD5 9c1d902b81974e4d7f850c49791ef551
SHA1 6a2fcd7f79ae205c5beead4cca0e7ab262497b0b
SHA256 bebf4e58643113bbce23247961f8f25f5dcd01216edd01733a68dffddc7ced6a
SHA512 4c410fb4ec88a4b0d6dcae7462b7e1aa17b6733414c573aab31f7ce8e34f48c4979fca8dbaa1e68498d7e1f25ca16b4d007462d835e2bcf9cd6ea9699ff808eb

C:\Users\Admin\AppData\Local\Temp\ScMY.exe

MD5 edbb20ed99b87f1d81421a7836c2ca7c
SHA1 b93f81f9f0bacd613eecb41ce6809e23944b7096
SHA256 b6c9179acaecdf73ab68acdd985dab3e03bbd365122f38730929008a2a93cd0f
SHA512 7f72b3679dc293475ab900dc863044e69c5317c1333508262c4a0bb8767db9e22a2123d8a119f976ad75474974b16975de411544707796b39948fd42695395fe

C:\Users\Admin\AppData\Local\Temp\kAMg.exe

MD5 c0adae2c53b6a235a86199f1ad917ca3
SHA1 616b5940e42f0676a2c0a8e93b4a9d15167889da
SHA256 a66c09c3cfd23cff52537f66f0e229c60de7efad780dac6bc8a51bee17628af3
SHA512 43d3b758ab84b64b78be87c127299466990890ec31bc1e0fea0c8daabcd3e3315d2153ca2cb545c885041cf6a97aceeddcb0b31200f564e5ed3b5282460a5bdd

memory/4412-924-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUAE.exe

MD5 41395108371cca0db306a88e05969e87
SHA1 1921c74796aa731d31571ab2b3b8998211b329e6
SHA256 d7ab1e8cafa13d8951277e8ded18471a4bf5d7818abb3ced43abd90b07131de5
SHA512 29a8c39c049fdf577f759b3e7dd952414d87cb71e88bdb93a4a88c507ff73a9f422672a5e8279d9412afdc01aecb210151ddebc694958e74fc9a9445005fafd2

C:\Users\Admin\AppData\Local\Temp\UgEO.exe

MD5 9aa871c2613a5bfa8337ffaad68bb862
SHA1 0218e734c36a03dd793f1e8eac85f67d7dc8e91e
SHA256 bc28a16fa51f642aeb51fdfbc1607f99a95ec328d2a83c7b9249be5def16e386
SHA512 5bd6c18507f457e0e2dd51ceb54e90185ad2252b09f1e68791713d3d1cad78abc55493c21880bc5fa6ccbe12c136684adfbb7b6ba173e433cc1c4a9d63e71816

memory/3524-956-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4204-960-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kcEG.exe

MD5 3ef207d9a8fef22b979cbab0578f3772
SHA1 ea78fb5cca5c61308ac6298d6ae9a1e6b17d6103
SHA256 00ff9a68ea1a3fc27cde58b1c2f3a5e55250d0defd393eb755c0f20dcc766636
SHA512 c28d970aa9874ace8c14cdfdedc25caadd6d875aa3f4f1477edecf8161496bee21e44b5f17d9b29b1471fe573e7f2d8335046fe6a9aefeabf7ecff956d358110

C:\Users\Admin\AppData\Local\Temp\AAQQ.exe

MD5 9a67a93550d60980be675967de43df4a
SHA1 718a05e173663280f86ca38d55125019a33acd4e
SHA256 acf115efcdbbcd06c525c589dc8a065f589d54f028e39293c11ec622a926ecca
SHA512 7342fcbd47b22461f0efaa7d5701baa01b545f78281dcfc5ce7926940eb15fec18cb034e2c058ccd8bd9365e00cb549310650e62250b9940da03fd7a3848a590

C:\Users\Admin\AppData\Local\Temp\GsIo.exe

MD5 c0fd03a557f2256b3fc88b1a47d87ee0
SHA1 e5e311a1eb42fc6bcb0686e6c5ee9252faf25eba
SHA256 57a2d70c8921d80cc314ef5a62e6f4cbfcd0b086bcdfe9b0d774be013d3baf0e
SHA512 e743b745bfeb22365da5df01a2ccf7922d08d946f88b2d632c68b7e9faae8c834637efa41334ea0ce63a98b602aeac51e4fd470a4590464e0f152e4367a943c4

C:\Users\Admin\AppData\Local\Temp\qUAu.exe

MD5 5fb80b6713d98eb54436b1318d2176a2
SHA1 07bbef49d0e488199aa0d91025658df6ddaacb33
SHA256 a7e16bb5d5cda849d5e86008f2b39cca9535a3e99702081f35a5fe3e1569c4fe
SHA512 e6643c76de91be16538dcd7617e98cef06b609fff35072f25f46f42293a725e48d9eaccea27891c2ddd2109ee69205409aefab6d9618cced49861e493d384cf1

C:\Users\Admin\AppData\Local\Temp\MIEG.exe

MD5 01324355d70d6e19c0dfdde3a7f241d6
SHA1 4a041aa3c185bff81dda28eb07f3b2e29d8587e9
SHA256 0ae0c52e7d11aaef4c73b8a5f5d2e98018a69105231ee16f20e27e5e69c6553b
SHA512 273ece5cbc0717967f0ae97903e869393ab3a9a324a6962eb4d589ca3ed605d4881f2667a2114a1f8a29a3e6f7eec909b28caf1b23d8c4e3fb1b2fea6343dce9

memory/3524-1038-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WYoe.exe

MD5 74bfcef0fb28a241440320f7f32cbac7
SHA1 2985013603a183c197b9c35539a2bdf5a86e6b88
SHA256 c1251d59281359549333051e8de5f897291f5fa5502034507d86a648ae88c571
SHA512 d7e7ac531977f07c0cf78c75a8de6e018d3ea49579f1ed7392f7ba953306cedf9dd4574b5357a663756058d85f02447b3abeb960e2cd1e7b92b426b0616fe544

C:\Users\Admin\AppData\Local\Temp\asMY.exe

MD5 870ce430d8f71c3efff053e02b571060
SHA1 cb2deae73916dd7f42bd0a50f9da765814b78818
SHA256 b925b42dbf55618414b97ebab945dc1c4fabfbe99071109065e7240c23981302
SHA512 ae2320a8dc049fe9df716fc1df44274b85d97e1a72d3091e3718f0624e4f3502f9cdf3671d91267745aeadfe6303609e2f6de21056895655ed5ce7e7ff29c1f7

C:\Users\Admin\AppData\Local\Temp\uAgG.exe

MD5 be14bda4988a94ae5a57509a47322dc8
SHA1 91a8a56e1334e9d2234ab23df15de80cda0169f6
SHA256 ccc7221487acc21d6048c84a2c7ab959f11d44ad32bede63d058b5681f32ab83
SHA512 150fdb2e2c3fa1a6a57f13cb040ec019ac6cd9525ab979ff8c77ed1c23232d23bd812f734515d07d8e32a5a09469eeb2ba6994671e1b6fb21e136d42eefc3d8c

memory/3196-1087-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oQoQ.exe

MD5 df020e697f00fdff24e8f3f974c60d55
SHA1 0a46a5c73b698c3fc44d160ae7f0b29719f50184
SHA256 d84a2bf1f9bcef3833c1589bfc0e612f9f370f3666e84d9666985954a30bef3b
SHA512 7ec68658c5383739516889275411c4ced00cc863ce10cb5063a6496d891d5171246379e004c204099998ba8a82b93218a3fec72b21f33aefa02a6c44a0ed04f6

C:\Users\Admin\AppData\Local\Temp\UMUw.exe

MD5 2c57ace4e91fef13ccc86f5787079a1f
SHA1 f64f000726db3e6d99f7efca94882d16f635d509
SHA256 8453592b5b797219b9b1dfb9989a2d409fef97d62a5559f0a9fd08bf38cea656
SHA512 1a9804984e1addfc40d8814a792e52c812180671e342db63e166557ab38602143c211cf4772e0452b8281a8214b8c7f359e86a6e1f6adef89c8b98d2ee5e403a

C:\Users\Admin\AppData\Local\Temp\eYwq.exe

MD5 b9e4038d0294c9c2f2955f2306fd4676
SHA1 176f81a5a49ecfb0d407eff4def4093228f21b0b
SHA256 40915620811404fd4f8a07c783091c60c2fb11d8e67ed9ccd9cbb63978e4ebf7
SHA512 3af3025815fdbab05c65d4d6b11a1d5eab06bde4e623cfcc2f800fddb81636926e48ee238b3cf606ab2078b308f965a653d2fb72f9117aeae712ca35de52bba3

C:\Users\Admin\AppData\Local\Temp\IoYw.exe

MD5 61335fae337ce9b0239b66e08448c9fd
SHA1 446fbb8ca6634026e475d6bde329eeed76cb736c
SHA256 ce086b307cceaaa44dd12aba7a08435bbccc04bdf58c2a8557deab8977b98158
SHA512 b7a95aeb98bae41113e0b5baf4d69944bfba3dec1df537606ba7ac241adf666f573d00c71441c3edfe07d1da45d149e540f0596a297327866ba9d9ecd506195b

memory/3928-1148-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4476-1152-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yMQq.exe

MD5 a2e84799b11743d275946cbc55de8161
SHA1 3d4d85b69aa772c89e7446789f8a9463ac01b952
SHA256 b2f6abac73caf7c840720ab9766b6b211e75c41b29104632cfd7c5110c06380c
SHA512 a3b67b991713bb7d94d73200977686dcc29e5e4d33322f90dc67eedfcb0325e669a64733854e094dbc3b0e806720f4833b46f689cd94245f4551fcde796d4c68

C:\Users\Admin\AppData\Local\Temp\YIQk.exe

MD5 6f0330f779f7cc8ceeb80ad138d07a1f
SHA1 70aaf5155be116cb588ed570abb33902100c6f51
SHA256 4f357cb84e51c3f18de54ac4e097ca957f3e36f122ec61d0d98fec83332e5d0f
SHA512 7b0d995073a15ada65a79fc2a54b50668d0828f2b4f35f2d94deeb08e9ca6cc7cb1540b82e8cd78cf6183130e1d1d402583739b43140c9c4c6436741543c8769

C:\Users\Admin\AppData\Local\Temp\SUwm.exe

MD5 45c45f37365d2c5a3024093e1184366b
SHA1 07af4b3756cc04666a959cb2f33384592ce6cdbb
SHA256 052d39a191fad22bc6252b0ca0592867f6a8e8db04b864ca5c81ee24ebd2bb8f
SHA512 4081dbf830b6fdbb49f613e160ed6d3d627b0d34837fd6a230e5436dc7e7d7a4894af9eab24b7b23cf1ba1b0d096df62c4e2e586ef036f147a4793ef0320b095

C:\Users\Admin\AppData\Local\Temp\oAQS.exe

MD5 a7b86df10d05cc91a25b4a36db865ba7
SHA1 e26cfe5c3c0b7867edd929d315f8cad8b7de2f7a
SHA256 05089f76bbb66ad210990ae420085a39eb0123d87b5ad3498550b181ea9c71d1
SHA512 28d6577f78d769e951045e085aab7f48eda9de684e5daa276c039c9c1cdacdbdedc298797c861b8efed0f1d7608fafba2fff8f1972c976ee2e02ccd517f5bfca

memory/3928-1216-0x0000000000400000-0x0000000000420000-memory.dmp

memory/492-1217-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocMm.exe

MD5 a231ce430d948e6aaea0e06363313699
SHA1 978180e0fa8730c5627579eff6f61d215f104785
SHA256 fc8a983763ace03495681ae922da1cee0f5d2308f0b7b765ee41468c9408b82c
SHA512 bc8586dec11e3414ac237841d92fa4d9a1c3cee828b904f4b2364f46b1ff5f53b7fbf5cbb83d2cc749a62b7264fa0e487f9f768dd97beee7125250e9315f1dfe

C:\Users\Admin\AppData\Local\Temp\SkwI.exe

MD5 937aa8ab0439fffa13cd37b4a9e4362a
SHA1 f1221f3d99b9d06b7001f608c18010d186e06750
SHA256 09cf4652878bede08a5b4fa5efb173716838caebe4c0bcb12e0adda1328b02c2
SHA512 7e5e65ff5092e673b684ace3ddd7a72360a9725cc20d935f3fdf76ec42e786ed70927c5f65571323e48596186b52aed1501fab869225133900a3b72101d72a3d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 ae63c02b263e9ecc8af5e3ec7eff5511
SHA1 3a121839bd8981a5b81d6f49a9e7f9e7891b74bf
SHA256 278a07be7a0b48b61352390ad07582bfa5a22b316ddec53604a19eac9499a8a3
SHA512 be4163057fae2021ba8902e56043821fb6ef021b6b619159c29ff073d0907940d303763ced61fdef2b690bb5de0eab598e149b3f38e72040c0d0574b5e0791d4

C:\Users\Admin\AppData\Local\Temp\KYoa.exe

MD5 dcab48c8014abcdb817fb5dce50e6df4
SHA1 f36d0fc162db65711ea74a7e8629c73c046831bb
SHA256 0fca84245b9b3c2a0251d12069fd6fa7f0a33cb0d63c5332619c4db26cf45854
SHA512 6e8ad950060ae3565ccf940b7bbe1b684c070c780b45172646f97273a9d94985a1cb04547fd3ea14dd9be534668980c2746a04ebf74fd1f307b4cd5cdbadfadf

memory/492-1280-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUgI.exe

MD5 12a25d3823df8b1e2b6459564b4a372a
SHA1 0153a0905326c3cec6bb611712cc0943a194de70
SHA256 9a57cb5c441f2e6c05e7b158b09a5a1df15c6268e2f0b6a24400f889bfed41ad
SHA512 f7517214f8021a5510ed5696bea97038b0d764218929c5142185dda7690574bdd718c5fec80a836ec75821edead7832ff36740696612527a9bfab2d14bb15d74

C:\Users\Admin\AppData\Local\Temp\qgQo.exe

MD5 c516f11dad6f49bb0e8a5dcf58fee14c
SHA1 1a66047d974d2c3bc1e46429bb3e22eadc95bcd4
SHA256 4c809d3b37d8559a74957d4fb620f77e00c2945a8a9d38e4d2f52225485b7762
SHA512 700117bf732c57262736a722ca54c7246f38879e5b10923e9f73234f56ae536b0b5e6b75213c59ae6cdb1eda00de8adc4c507901c95114ae22752f260ba5fc3e

C:\Users\Admin\AppData\Local\Temp\yQQg.exe

MD5 b73ba4f69eddda98f59743851617f961
SHA1 952b5284af883fe21eca1ac7663d8fb526963c95
SHA256 279b2a87d30267a381a994223b3e75e920219ac1cf810ade814b5e8479dfe70a
SHA512 7ea0d8c1e5f3631f00ae438f3dd35fde44e90b1538e9c5ba7e4c8c0658411371bf0d1b7849c5f6b129606b481e40e0b3d1a0f5966881b2c88c546db75739df33

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 98b827b900161ebc6a54562f906ab261
SHA1 302f9432c8bf75c163c7da1c39e002c16d7607d5
SHA256 00c7b00e68a9217ce6a1d7d74dfe81eb418ad1ab28c438c5ee59224bf84a25a1
SHA512 93cc6f1d177c9096ae9fbb65020fd1ebbfedbf49e57b12e79a67cdb2b56d433deb599fcf718449aafb3a4a03b2e1f5eb5f2cb25e4113a9d59e5446e2c0897b18

memory/1552-1344-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgEw.exe

MD5 540b0cff2d2f255f83ae858fe1b097e7
SHA1 995bfa90aaccb248a4581436b265a3c309d4b835
SHA256 dc91065a886ed9f0163077a7f216a51775ff0f62a988897155f7201198f5ac02
SHA512 6bc84e2c1e34cedd364100d2d3f4acb4d6c1f467130d8afb61c1da04afb00c35e5f16934cda4453cba215fa6e1b8cf3fcd63ac0ddb55f1d52d54e6ef6adcb7e1

C:\Users\Admin\AppData\Local\Temp\ykYi.exe

MD5 180578f01a0dad566efeb998c12f0283
SHA1 e92d5e85bb8bc302dda8ea58d82ca90bfa2e8a73
SHA256 918a3bb26a0c97d1cb211cbb17d915a3514e7748b5d38491d160a1504e32d00f
SHA512 ae216f8b218ac7b994a66cb70b9f786da249b00639a69d980fba89f47acd11dc075c1a730717edbcb8c5358d05aa9d0f96897995c752dcc2a98b60d66c08150a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 54fbafcf881291927e49fbda78171192
SHA1 4c945221a5ef40c101241323ec0dcd442a2e64a1
SHA256 f540db9f82fe3a33a9b91c859bb5c6ba445ae9e34c76d425ab60e80fbb8081ff
SHA512 d368c12b1d3e3077fdaa0390833c9424b8188cd9426a9c715a76af52161b82584ab40932771eaa108df2ca14bf2af901add392064ba415fbdb92d6068f982775

C:\Users\Admin\AppData\Local\Temp\EQUs.exe

MD5 04a425666afaf8d3e19fad17065f3d35
SHA1 ab8df7d6f33b5ccc4d692e24d54e359be23b6cc7
SHA256 19e6c5015a66aeb1291abe51ce5a4267f26c6cde63072de2bfa061dffd214574
SHA512 1a8f8932bff9493c2a25a20971db714135de07803c8ddb014155f8c4660d6a96582d2f8db6e4c8ab6e5d6548bce4b63944e996e1c0af088ba4c0baf5bdb7f9c6

memory/2736-1409-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sIwA.exe

MD5 383c64adbfe6e0515ac473e78d6a54ff
SHA1 92e24c547eafbfff4dbf0b0f651e3a79fe59591a
SHA256 6738315cf561c7bc3233ef7672aa9b90f4632f93dc18bd2da1a3634fa71aa888
SHA512 2b3ed3f00535441347b8b8c34c0af46b2a1acd492642457b9368e1f91c186d684f154362545642cef299519da8c3232a65e3082780d89113256b466d46b930bb

C:\Users\Admin\AppData\Local\Temp\IsMe.exe

MD5 d175772eb65ee4b1119f4eede4a22705
SHA1 6f3ffc77b9a5a50ac3fb71afa45edb61be5818ea
SHA256 0de4faf422c6138ca9f1ee0aa588033decea2d24b9f595f73740d5d92414fee2
SHA512 f4edcb8572138c311661617afd586e70fef27b7f0c91ad4ca5c17be46756c6e2b1c2f349f5feaf2ed695c892f1984a93b9cc2efec6595746f0c54d9f5d829f6b

C:\Users\Admin\AppData\Local\Temp\uscY.exe

MD5 46d986215ec8ec262ca0400cd08312ae
SHA1 c0f2f4016c1485f0f4b1d51e1f2477320bb4cc8c
SHA256 9e73d1002d752cea453064c4e51b31248cbe4baa674d6d78c611ea121431c636
SHA512 cde1678d0f1e36ebc523ff54f1dba22bdc8b868be13bd3cd42c97d6987bf3b76445d95491da4fd0a1af98e6f71b2913074b32c0ba8511285e9206ff150f5e81c

C:\Users\Admin\AppData\Local\Temp\koAk.exe

MD5 0ba140e51221b09458aba61e6902fc6e
SHA1 906e75b236203e9153859a18528da9dfb5186829
SHA256 2e3c496bf4cf121608a70277cc4bcdfe87aa26e68ac57d9d3e9073a26d11d3c9
SHA512 cbae34467bf03d84235f2b8f9fe26a7a3239a54c8798ddb7f91d3c5f8a3b4f6a6b7da68df6dacf771515c750ab6d7e2ab285c9a89ae132bec692677343ba78cf

C:\Users\Admin\AppData\Local\Temp\wYIe.exe

MD5 875c7a8a6aae936475624cac88b4229b
SHA1 5f23c545002d9c84a7c3ce473268e82a4b943057
SHA256 6993090ac5bc069f51300726a5561c691d6b627c784f17316819ebc8e840c748
SHA512 c3f023ef199655316f54787ff09857bf22191483456463d1b87b53d1ce1002f27c0c0b39418e97e5e989b71b588fe40badabe57ee5e0127098e3140a7dd0a68f

C:\Users\Admin\AppData\Local\Temp\YsIg.exe

MD5 af57f77b23d0893f735b35a2baf3bbf4
SHA1 8988f3df231d603a4720b8b5e6f0e3a5c882e103
SHA256 4de17ba2e654bfa74385803cec19ca966342daede356224e04d9092a17a29aef
SHA512 5f95a3206f0a97488ac88cb1019332f9838aad32fa0e5ff76fa57ea1c396cf82c29f98807903191f87fddb309d5cb87c7177cfb98d854732899d14a8cb4e236f

memory/4540-1499-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\igYY.exe

MD5 97c3c7395d4f65b32f4f78aaf70ca4dd
SHA1 83c13c60357165d325d79ac9eaaf62938d300173
SHA256 eca874a5a4e11ac099573b0db7c5804adb3759bf578bbc051df810b9e37fe95d
SHA512 4ef493b76386c96c4a0c85c7795fce7e19259edfbd3bffbb25decbe6648af69b870c08120ae76ae6231dcd88731f515eb65c5c7f77ed517c7d9e948de93ec650

C:\Users\Admin\AppData\Local\Temp\WEEY.exe

MD5 d108ec7a0997defaf76fa5281c88ebf0
SHA1 d28fddbf0e66a55ce68afe82605b42e84511d86b
SHA256 5e64a1e6eccf408d9fd947597df882d6a1186fff4f6ee8908835ff05e0c3e7fb
SHA512 1c014b612285baf828a782ecb9fca0265343e0b43c1763094f55abc54366d663e81f3e9b3a1c8bb36dd0846bc384be147924536d71d5ae91b455f49424c2368f

C:\Users\Admin\AppData\Local\Temp\KkQy.exe

MD5 6310c4a5172531aa46b8d26a88274b85
SHA1 3c35571a77e59c9afc059dd911ff0ca7b68e7401
SHA256 4c69e1efb078f6a53040fd254d4f4b03f10ac80fa894454549ac7f2876c2b3ce
SHA512 95f52b614e916d309193a1eb3c51bf04a801bf6fdab6fa3ae5d2acd8e42013fc292f1d236ec4623ca3539abaf184e3711acdfe0b6fdcd08ebbdc6bee48fdb65d

C:\Users\Admin\AppData\Local\Temp\qIcK.exe

MD5 515dffc3aa36340396c78cfdc5a4cd46
SHA1 9d19530e1ab83c114cd81bb1c56fd83d56103547
SHA256 efaddfb7ed695af47e320a303a8170496fdb2f445e5333ce11433fdd61e8b160
SHA512 2219250f3a5c5c0c60f9dee84907ba08d3199e886128f75589240059dbc8a6d9c613a7c99767b9bc2fd704449290797306e3003056106b7abcabb2573c1b2600

C:\Users\Admin\AppData\Local\Temp\eocu.exe

MD5 a3060fd3774b758432e700fbef544081
SHA1 14baadea45d941499431577b8f7c93c01aa1a576
SHA256 4f42afd0b9424cdcdd6f490337fd349b5ab20fbf427eac1c451b71e6feb33308
SHA512 d7cb15f452e8f5b135ec2f5119459551d82f2c48473e72267024e86da301ad1eab6ea54c3576015f12de6bdcd265881caae2b2b498db5379457d5114658f476d

memory/4236-1577-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iwIk.exe

MD5 5acc00c9cbeded79e680749b2324584c
SHA1 e8cc5e431d7b275eaf3f56d0bf66f1e5fd974e49
SHA256 0239272efda5dda5942c838416977a48ffa143b9aeb6cb85f2eaf4b6a1879ca2
SHA512 9bd6f2782ce0d7abf1af74a10ac9918870f8ebce264bfc8b001c3a16c020038b7fedd25452372a5793ce1c3c4a8a53f2b193e1b24297a6c1bb9f72dd684b94c2

C:\Users\Admin\AppData\Local\Temp\UYUI.exe

MD5 11bd44e12999ac559842c81fa1ca20f9
SHA1 d0180b5618d54954230bc2522086eeb0480b29d9
SHA256 e1d6727b5f417d3a28e049993d95a88466acd3125b1d3cc145413705dbbd02b5
SHA512 db75a7c92949e6967fcb5e6507ad4ff488941afc6e7d0978e9e501e614456a3e652f42a411ecbb6d817208e6cd4212a480a83445cd9ffdd2a3833a93714ecd88

C:\Users\Admin\AppData\Local\Temp\moQc.exe

MD5 631a53235c05109429552ba40d380685
SHA1 488d284a86dbb1646671f9917ab83912d46543ef
SHA256 da9440298e827759d474aea7c336d6c41a45974789259f4ab1c27d99c18a5ebc
SHA512 4be909ed00ad1d240b67f4fa8b34cb46b892dbbbc57c3d53e053660150f3503332644072f88a6c3e8a608c3f8b957a927c50a43571d2db90bd08d61ef846e6ee

memory/5004-1627-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iogq.exe

MD5 484679b0b2ac11f9ab725a101ad03faa
SHA1 24a1ea1d37878241e7f3c37dee3db7b01de0d542
SHA256 cd5b2650f2b246e85304b6d06820f4576f5b8abd328cc0cdbb642414e2e41cbd
SHA512 0ede32ec231937332cee9fc99e364ef95770c614f963604b2fcebd1f747c69e40cc9c4f86a4596a1fe0afc15860f6afd974ce784a046d30c342ed20e40c6fe95

C:\Users\Admin\AppData\Local\Temp\ysYu.exe

MD5 fd47c91b649fdf36f76757a39b0f4b04
SHA1 b77f03feaed38e4283df73e9bfd4e103a148846f
SHA256 e02f8e7de145b96e0ef97ec466dd6e1c1a98e26bfe687a6479959a2951aa6463
SHA512 289195a15529a5e8dd14b0375144c951940b89811c16ae991b7ae22580121ef5aeff6819998ea72603c5211b86897f267ff5c395b7bb334ae776ff441003e4a5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 119c1aa90e8b30ae5dd47214a1745ca5
SHA1 242427c25ea8e3f0be726a4db52f6f6e266de2c1
SHA256 74e4fe85545297f92e9a629fbb3a5b872eed6d8f02d566b732a8897b9e166605
SHA512 fe3cbbdb586ebdbc98f349102d71f77d7afbf90a9a9ad037849f5f5749cf2d3e68d960d8ff122198da63cfffe82efcacd8a5622312fe1ce4ec0ac98b90fd086e

memory/4896-1677-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMgk.exe

MD5 72c3d5aec14f4f1d1bbce1cfee1f12a6
SHA1 3fb01915e66c3f5129dc363cca4c9eb82227a42b
SHA256 b804a94e38650f0cc54a3d3d280fe700db358316793da5aee7e4a7e4d310bc84
SHA512 aa0bf020284163998b60f5e45b7597b3350d67a75f5c0f7392a73b2934d4a937b9be1a67c7eb520313140205068a3943359dc262a557d980f23db3cf44f2a6a4

C:\Users\Admin\AppData\Local\Temp\swoe.exe

MD5 72919bfcfc772510cef1db4cd8091e79
SHA1 89161add3355127b74c07e13b1cee2a5f8e37cbd
SHA256 1630e0ce8fbeb721ca0b793f72a3bcb09d4c6c384da264d28be157d76b23a24b
SHA512 270a48f735d15c8b319203243b2dfd4dc1fbac9ab24912503d2ed2ccd02b524a1e21cc714751605729aa8f4781af14c4d8c50816013db1e7fed560d2c01a112f

C:\Users\Admin\AppData\Local\Temp\oUEc.exe

MD5 36ff4dece48d5eb8b1a73eec20589ed0
SHA1 9d9de12a69f5807fba45e5315fe52b8a4940d956
SHA256 f6424e0519f90d2dc38d32d1ccea8e45ce20ea788e8bba120d6dd20482a32c8b
SHA512 453738da14dae736096ce474cf252837f84431804e61daad043e7442a1526998f38957b5e53585cf78ea896af2b6e5bb84ad82cd16e4e97d938342cf88998a3b

C:\Users\Admin\AppData\Local\Temp\sEEq.exe

MD5 fb86ae240f7c643aa8ac3b22e79c7f2d
SHA1 1d84dc8c1525ca5a350cfac16dc70cec9839f0ae
SHA256 011387d6c43f3659432f013d28d9907ff6c0fb1f2cf5e1347fa8dbc2171b4d1a
SHA512 214a75adf6a8083e4eea197e5f5d5998790ed88b67b0c97289e3fa750a1398245fa33e688ab775b95debe77f8cc3374eca3c80320a95c43749ff65ca7954cbf3

memory/2408-1741-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3756-1740-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qIUY.exe

MD5 c702955770bf28977bf329faef76831e
SHA1 4a233cee3ee98cc2f09624d0c6e2bcbcaaa238f4
SHA256 92cb2469a7307f3be016dd7920848f043ce66e7ed7d532fefa8e0b82d660712a
SHA512 6de8c81d12411240877eca136ef4b7ae074c3181d57f79c1ad65e01ed752de62460ce32de0decd6de63cf9fbb7bd8195d3d0c33b12eaa1ed2cd672ea2a1bea8f

C:\Users\Admin\AppData\Local\Temp\QcES.exe

MD5 a0fcfe4a4ff5df81d08ddc12335308c5
SHA1 e9c46813d852fb32a5789d5f4626bbf29192fd1a
SHA256 fa0a0cd0d6492beb04405b2491e94a3ae4ff8360ad455fa3bfb78235db06d900
SHA512 b0ad6c5071ee11259fd1f91ae8ad335f1d14fdef86c177b53a6af82f6f71b259ac84473af2de927b81182b983832b7d10f965c14a91f31c5cb59a272c8d4c903

memory/2408-1777-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckMe.exe

MD5 7329fcf6d0defcc7d3120ed406870be2
SHA1 6063597f93c53c9bfcc1c9930ddd748a031ee5fc
SHA256 8633ade2173efc94124627776c8b3371be68437bf105ea95f9246e13f67d55e7
SHA512 11c8adea736594f8a78379aa474ffe8650900c1e7f844938c7abfc56e9b1a6061493a1c7b5309ef695015a101971c68c2036758029ae02b51bc91f776f6a3b67

C:\Users\Admin\AppData\Local\Temp\WMEW.exe

MD5 87bdd598e421291f7ff94768ec78c41f
SHA1 45aaba38f53d815f5cdd9ddc2a6220dd3955401a
SHA256 504844c631445c00452a0ca09d5b0ff424671ae9a56388ae96411b124b6f926b
SHA512 a4b5e4f0dc2870d203502f1974fcd4a5a22695f26637c5860e2e69b7af483fcc473470429e52385e2460e6cc259141c9a0e642bffc610576328c467d87737378

C:\Users\Admin\AppData\Local\Temp\KYQg.exe

MD5 d881c8838f5f3cee730bc263a9802a09
SHA1 6e66e1b0b85730c73592a477c89b236b76b24ca6
SHA256 500d2ad41ad7362cbb55dc4d9b9e6262cbdfd56dcbad65fb877053028341e568
SHA512 1a0ac701bf0502fc9140cec28f89e49a4c336f721b34da02e87c0baab8c1d2a46350bc97639bbb80e6ec04cef4dcf1dca5529b3d7d5bee0f3ef89b6adf99b883

C:\Users\Admin\AppData\Local\Temp\OkQw.exe

MD5 9f5200eaad25edfa758b47a56b3fb437
SHA1 20e0a780951379bde6b9c160524e6052432d81ce
SHA256 46dca11489334100b17c4fe223b69a3694002f0f1d83e4d87f76858cc5364baf
SHA512 a946da1274fb32c96a04ad00410efaefad90d019e33d461c3e75c16481fdc79077f73125c613bf52052d124323e824de2868e8c2032954f680963e37a3fc507b

memory/1588-1841-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GckW.exe

MD5 168669b18fb38a2323fe0779e121ed37
SHA1 c45de4f206e4fe44ae0d979d191386436592448f
SHA256 7c8bb6f67646cc5377980168b38fb93239d493e3ac105b009f6448baced09545
SHA512 ca2e22e8135efc79e593a0459c80c6b172b3f2d63c8c2555f2b7fddb7e0e448349391473f8949230adc944e27c20a423e33c80438e0f4dd0e784790579419c60

C:\Users\Admin\AppData\Local\Temp\IIAs.exe

MD5 160544f0d3c976eecbc05e2c7cf8a0e6
SHA1 2e656f08194d1bb2d28a54af1e7aa71ddb51c8f9
SHA256 05c117ce53fbaa7a6a1d938c3ac5747cf8714b5f1b06e25df312ec42676a3bf7
SHA512 1bd3b4908fcdeb5ac99cf7bf844b7f8f18b4fa24c3676b4ba6f296c5682231c486d62bf7d1ad43ad364eece0a0f499ce2578ec1667383bdec97cf15ab5b407c9

C:\Users\Admin\AppData\Local\Temp\KAEo.exe

MD5 5e7ad656a904237eadfd2318cf14d9aa
SHA1 3f8629eabaf540bb134423e0e6f1483d6b33438e
SHA256 a32ffef1ef37fab0deb6fd068474b370d7b25f39e570c48b18b99baaae7537c8
SHA512 0164cf9cc747a2020fddcdb6f7e65b4d446e3b2d1844abc6332f5dd254ce6ee6b034a600f3f258e860ff6d93f6ba977f4e680d97d464d59adda8e73130b1a8a7

C:\Users\Admin\AppData\Local\Temp\KwoA.exe

MD5 a144c45d798934c5d1490380ed190902
SHA1 e99dc994ca362481eeae22bb7940cc6d87b24c5a
SHA256 b16ec0eb63d0d739e633cd47a0844422f1a3ff1a999bb18de043ca653ff27254
SHA512 f1d6f8c76265e7200f98d9ba61883611f6289889b13e1a5f7814a91fc84f1b83522f46f669cfe1c462fa4483e3fc590e6e195977118d7613eda4698d9210a840

C:\Users\Admin\AppData\Local\Temp\MgoG.exe

MD5 9731752c57112624cbfa0e48bcb77174
SHA1 c9fba245cfe0c69c049cf791cc677596132593a7
SHA256 079453b927a282d635b1926caf04b31eaca03bde1dc18e4ccb51bd82bc27d76e
SHA512 9a81617e58f52ff038a44e5698d6c1a15fb0d48fad455db7117fc2f653d6dad0fea9cb4324ae6bfd99a9dda859c6dcc8d8fd7cbe895d563d2cb5cc2e3d2cc28d

C:\Users\Admin\AppData\Local\Temp\qUYc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\wIUq.exe

MD5 8388a96df980df6bc46a8c5de981bbea
SHA1 f1c738f1ef5a557a5a4f84717d811c67c3df65ea
SHA256 3b2d92a0ab7cf581c8b242fbae569413f8d7b5fc0abb0c543cc8e84164b0d860
SHA512 4698e82da07413b7afb4b11c97d654db2cea8d52df6b69bd5e9c78f2bd8c2334f413530e5b907556056e63436752664a8af5eeab470def98cb45b21f302d230e

C:\Users\Admin\AppData\Local\Temp\UEoY.exe

MD5 27c985a2391e06064fb3afa9060544af
SHA1 3d6524a0f5b1c0c29556d9c02a95425021f4edbc
SHA256 a01fc154b51281f70d473c1e5747d8a9ded96edd56ad7531460549d6fe659baa
SHA512 e2720cbdeb47715aa31a923ee7c57c55a19976f942551cd6459eecec76343759be84571596b559e2c6943aaff77d40c0fe8e22217d76f0680f8156fc823d06de

C:\Users\Admin\AppData\Local\Temp\KEUG.exe

MD5 cfea6e0b1edf1620277ad52df04512a2
SHA1 6706ef920d514fb346a47cb7e1b3afe7201b0f97
SHA256 03858fe825792a4263f01deb9bc967992180ae8eb5807f5f469b05d8ef8601e5
SHA512 efe9e602b6717bacdf77ddcbbed8091ffdff909741ddba3a45b4988db137c5b728a9436837917ff419dc7ce5a79bd10538e95942bcb2f16348ec2a4ce0c37d50

C:\Users\Admin\AppData\Local\Temp\AUkS.exe

MD5 6e290389f119b84b491415ec0fc3fabe
SHA1 08bd9fc98ae9fbcfb822bf36884bad7ca3af009b
SHA256 fe04ba9c7b9660431f87cba4033ce4dc4a20b90af40b1b77a16e8897cc9bd5be
SHA512 35bc5c3446393d0160b01aeff0b53f068d072ee965e379229e26e444e6e8482bb343b4bebd540c95f59b3be0b8e6e1a402968909ae93ca2b5e7a167104ee9e4f

C:\Users\Admin\AppData\Local\Temp\WMEI.exe

MD5 f6b78b64309cb82eee3273bfecc7e2c8
SHA1 48760691a6e4e9f52cf68bded7d81d5d60d7ebaa
SHA256 172bb436071a617371348e92fe01d8ace6ffdea3e11a02d9203c359a833596ed
SHA512 c6138543706c2591a43d5cccc8dc50b7875dbc3614faf2b3da317d7cd14d3e7b9c0b7d15ce3f24b55a8538cdb7bf0d5647e163413e32ea81da097ca4e1d6a5b6

C:\Users\Admin\AppData\Local\Temp\akEq.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\YcYE.exe

MD5 0e6c37a74923ba19d967e5f2b25def79
SHA1 4078d3329cf71487bc588bbd8ea4ec5fead047ef
SHA256 4b19ae553e123a77b4987093035267246fed40110d31e0d2804b49ee8048bbb7
SHA512 8f0c8a61f33f1eb784a9d4623174398abc42ea1c381c1f6fa7b03772359cab2ac4ad9d6bad0dd63c206717288639d2add16f78c633c7ba6c912011848c967520

C:\Users\Admin\AppData\Local\Temp\Aogk.exe

MD5 01da0e476dc28c1fead278b3cf94f0cf
SHA1 a0f50b7da037026519030048f8baf17a6289362f
SHA256 11009d00ebdc7b0b03f619d548f5b3298389e925fbb00adcd7593da47183ac25
SHA512 ec0cceaefb5052e075c6c685b85281889cacd89f13f266ee734e5b333b48316ebf26e67376d62febda9fce1db7d1a27e2c0233536354d6295b7183cf5e2be543

C:\Users\Admin\AppData\Local\Temp\AsEc.exe

MD5 036b5b63bdb3b8221db83fc813744dc3
SHA1 7c8c3dcf4e9c2ddca22d83e7feb23a736ed28c4b
SHA256 1bd3cdf44f8fcb55846801063a5381e9a959013e22109b4b0f7cf0304070a2cc
SHA512 e394ffa362248628d2bef396be5b57152408abba296c5ab3975b9a1ac5a9690c1d4d5544077f670510cd7b7db8426cb01348f7aedff775b644ba078d1f2655e1

C:\Users\Admin\AppData\Local\Temp\sgks.exe

MD5 571fcef8dd90c26e34ddc01fb98cb125
SHA1 d7248267134d17e097c2d6d97e23d8fe29ff3ae3
SHA256 670800f4ffa178d011faaea4eab8283103e2945675bbf22b96ea16cdca5aa394
SHA512 8e54dd2787eef4ff77b1c7b1817e03b535a128832560eabbe6c58bc60a5ab85b782aced8b4dfa6af805f2da7d401f3ac79eb6fcb29b736750f1a00b948328c5d

C:\Users\Admin\AppData\Local\Temp\mgMI.exe

MD5 e20d9e76279835d671156c936b35c8bb
SHA1 913ad32e59ce436393af909a6a38e32a6a834f7b
SHA256 ceb2bc5e4c9b3909e16cb0ebe04fbb89d35fb6205e23b720649e200fb807024c
SHA512 16de9253fb5841365e3873cdfc2a8d0d0bb20aa87203ac80bc62e846b04ad3250dc02158b7bf34a1eea55680a943af3ecb9f9f2fd562d7f757bce4e9621281ae

C:\Users\Admin\AppData\Local\Temp\mgUm.exe

MD5 44608c1cc5d0d7dfd6b4acbe0c5bb7a1
SHA1 b42038a4baab7bc2da8ff980b89bda30d8f666bb
SHA256 56e95b72ea077eb81072aef4a9f6c7b22ffb4323468d05bcb8418c5639ea6a53
SHA512 03251cc8f44cfaf70f669b7eba72eef43c688abd4f2deacf31d4ad22ee7b3e98227b205d2f156a02287227b4edb14b67be9e4405da0e3c3827312efb95d11542

C:\Users\Admin\AppData\Local\Temp\yoAs.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\yggC.exe

MD5 34ce5598e1dced462e4ffef8103d93e6
SHA1 3f482f3156a296ee40ae03cddbb69d5c017ebdd4
SHA256 a4629e6107db7f08ce3a5153e70104c75dd0bf1fb553ad1a355c1fb25a204617
SHA512 76fe4b64e0719de9434a1278fb8ca65d31f672ea3d1bcd7452c15c29237ca4758fa29c417dc009e9585b4ae442fd469931660ac16fdde824c5e6753c867a8ea6

C:\Users\Admin\AppData\Local\Temp\iQks.exe

MD5 873559cfe1c1b31efc947fb263045b09
SHA1 45c1e2e08e1f3c24a00cc3f79bebbe1544530b24
SHA256 1453599ca1fde8de97b3827bc7e97765fe9c70db90f73fa9b8a058031b29a343
SHA512 aed6497c9cfa6b5cc5cdc6fd2655b5a6c58b2c7c36e1a9c1dd8c020191c01c7d36a28a1024c43c9420947fd382f6741a341b855085add924dd145b86f288b413

C:\Users\Admin\AppData\Local\Temp\GcEQ.exe

MD5 08e2e5fccd334b8c0895965a11fd7923
SHA1 6d212a5cd74fb0ac97b574d33a861c4079d4ffdb
SHA256 28d7539a8c5ec7bbcd828fa374ad5ff83b18ea23d70064573dfaaa48880bfdec
SHA512 1a44bc8fbe9db731378d6c0470373dd2ec72d71d46510019963c00fc2451be0d4ffec5e844c41b8ef58cc0ad63f45fe43d20370666a697d18125f5eeb4119199

C:\Users\Admin\AppData\Local\Temp\qwoM.exe

MD5 c09fa95523ce03638b84bf34e8b4c9b5
SHA1 068b05c8a5040a73005bb60cd1ba28274ea766ec
SHA256 3a3a163f5b7f351c286122d3dd19ad179330a089bb3575877ff0996f2560e179
SHA512 610243727fe7b3e44c26f9a0d5e6fa5d19f0e38f3c300c0dc8cbc60d6b69a57a8f25fd231969be15e40db38bdec3e3d7d3c44ec9d3aba14191aae1434d1b39dc

C:\Users\Admin\AppData\Local\Temp\oAYa.exe

MD5 29fc6398aa26dcbe27222ce4a29389a7
SHA1 e33f9d23dea2008cec70d524374747cbcc1c8519
SHA256 3901dc77e195b7545112815bbe66bdc1aa543f8477e7226d0c257f880b3b08a5
SHA512 b9fda2751e895e7768d3fb97322d309700fe4778b765c3255e16c398b53294b1129c7bff342ed762b33f33d71507e9a5dd5891127b2e9a12f733abfc63fb1281

C:\Users\Admin\Pictures\EnterMeasure.jpg.exe

MD5 6df4ac60fc582f0ba55dd34e3bcbf331
SHA1 d63cf515241f002e6fdf80d9dc06a7aa8b184618
SHA256 bfa02a29e2425ca7ff9bccdb14e7156943cd0e9ef9148b278a0b85e293d6e7bc
SHA512 e28244ccad88698d11e5eb3a3958d4f7ddf1500b6f6921d06b679b0cb06c8bda00ecffca56660369b1d5f9598352429ee6a3719a2f971971beb1061c39b44fba

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 cc2cf26e51dd1734bc3475d9f3dbc5b9
SHA1 28dc531611ae2862bfd26e66f1129bc7cf764e9a
SHA256 3d4ff6998534810bbf226b616c89d82da7c90c620741ce79cf703eec154cddcd
SHA512 c8553f16a2de6b4a99681a2af217df830dbe66a94a0871d9950f332f4066069631fcc2e3aa41fde40fd485a78b53ea1f5d37266755312d5bc7e8e152dbd3de2a

C:\Users\Admin\AppData\Local\Temp\WUUQ.exe

MD5 2eabeaf43595e1a86ad1b18a37253c8e
SHA1 65d8fcab6afbf94e507fc7b75d167fa86f4cbbf6
SHA256 92aa92aa80706ff30578672edb57f56ed16ba2416484679e377c1e0bbd530971
SHA512 ee9e2f2820605b3c94670b8e277234085159036b6380485f4868889135496d662e0b0a8e47cd9d5961a0365e7915fee8027a7e5cfee072c7dda14d85773b595a

C:\Users\Admin\AppData\Local\Temp\cQsS.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\ScEu.exe

MD5 9aa0d55f66cad88df547013f52a4ae83
SHA1 52eeb138fdbcf8c7525d13baf0ff3e036aefd1a3
SHA256 5f41e8dc225d7fa1a4e7e668d8244fac75c75f1e64c9cf722b589d8c64881521
SHA512 5eec0889acad8a2d7970c5397ae99728f913d349b2769967d5f0e4388e900c22e4bf47d520cc415658e47723ac54bd7b4a418f6c1338f17856976854b80036e2

C:\Users\Admin\AppData\Local\Temp\osQE.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\ucQC.exe

MD5 1dd868246a9b94c4ef37d201b0572e1f
SHA1 ec8cfe1d2695b158cad623e8d3f258bbe10f7d86
SHA256 35cdcc63475059686b099ff64e757d7bc6e52e293a266e42178ffa43efcd04a0
SHA512 cb715903d110fd1ab791826e5b87ef278891614c54f1d6c4850b6dc650a6bb26e9983c0429b3eae50abdff31dffbf2a58940b8e28ca7368d988d4751534ca6b8

C:\Users\Admin\AppData\Local\Temp\MYQM.exe

MD5 9e5ed11b6de5f913262ae99cba948207
SHA1 6e28c37128d1dbbf1095e916909b9a8b029c10ed
SHA256 7251546a58a04fa452441abff89c2553f856a23e1b2a890cb501a850206c8cad
SHA512 3ad1c2384fa10dab2ccdc067a80150834fa2508ea98edf23ccff52206125853f183828dc1bf06f03a386d7d21ba160c98a0af035d9d62aaccde21fde1753b23b

C:\Users\Admin\AppData\Local\Temp\eMUa.exe

MD5 87763abaf88d42edd475ddfb949b9bc2
SHA1 27552730f6b7070da7134df80f298bd656ece670
SHA256 aa40d7b08a40544a866cc08cfbbbdf00c310ac3be0793dc2df34f8724a659c5d
SHA512 49fed7165ad39b6509e93b4ce3f64a2b0f37554376a962adaaa597f404efb9efe0f0a1095219ba700f74e2f2904d1c2326188bd1526850e86da37ced4ee5a03d

C:\Users\Admin\AppData\Local\Temp\uUAQ.exe

MD5 dd93f02295272c549cfd3cecb88f209c
SHA1 f5c7e7274db6dbe5290e82e3abdd517364d6e2cf
SHA256 2176de87cf1c2b3024ee7e8b880a65ecedbea2962ab0accb36d9da104903da47
SHA512 7b8baeafa85e9cf36c951f31a0ec6bdc1a91baaea29ddf1fd2a22999b27c7e9430ba66d48bd28a9e7c09893cff2487e57aa07101a5135c19024b7c93a772f2f1

C:\Users\Admin\AppData\Local\Temp\kUsm.exe

MD5 8d76a7c7e81fe2854e280d79ae8f541f
SHA1 87746bb01413b40bb3341be42625aae19d0c865b
SHA256 40c494b8d34f4eeb9e1f109bd9f18fe80227cc85e729d7862fd35ebbc4b0b985
SHA512 fd92d671eb1e79490a801b5a4d5dfd55d68bb357dd350a2c841979fab9e6ed336869db7f4123712c4efa857f1cf2152bc9e98be9185135e819bd30bc2147c48c

C:\Users\Admin\AppData\Local\Temp\aEoi.exe

MD5 0f4f4d5890d862dce0bba9939949fd2c
SHA1 d8e1f13b02ab0916a11e5b839f3b1cdc1e83bbaf
SHA256 22ae2b42b117cfaa920f469983994a8055dca46aec419a8d0a98f6d9834ebdc5
SHA512 ad460a40026d713b7aefa8903aab42681c41c81836747c846e9891979d76d84f55bcdbfa44a4c550fbbd875310ac8e00f0f2d6eca5cd7f0537955addec2901cc

C:\Users\Admin\AppData\Local\Temp\msMK.exe

MD5 144f85460f324f42406c0a3d3c54d134
SHA1 f1ac984443f7f5f677c72f42caea270b12985cf6
SHA256 06b998eb4582a21554e9861bb92b9a8a7d7fba05542fb1c678ff590c85a2c62f
SHA512 81b8f332ecc4443b93a61f9d5e0fcfe619e80b651d69437df0e885bbbb5cd4bf914af9d6eaf23d5c4dab0098b40dc0944cc3aea709ca0fff68d7a141f884b146