Malware Analysis Report

2025-01-22 08:16

Sample ID 241026-e6hnrazdne
Target 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock
SHA256 edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4

Threat Level: Known bad

The file 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:33

Reported

2024-10-26 04:35

Platform

win7-20241010-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\ProgramData\ACccUAsw\aaMockko.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaAcEIcs.exe = "C:\\Users\\Admin\\nMgQocMI\\TaAcEIcs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaMockko.exe = "C:\\ProgramData\\ACccUAsw\\aaMockko.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaAcEIcs.exe = "C:\\Users\\Admin\\nMgQocMI\\TaAcEIcs.exe" C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaMockko.exe = "C:\\ProgramData\\ACccUAsw\\aaMockko.exe" C:\ProgramData\ACccUAsw\aaMockko.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A
N/A N/A C:\Users\Admin\nMgQocMI\TaAcEIcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\nMgQocMI\TaAcEIcs.exe
PID 2528 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\nMgQocMI\TaAcEIcs.exe
PID 2528 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\nMgQocMI\TaAcEIcs.exe
PID 2528 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\nMgQocMI\TaAcEIcs.exe
PID 2528 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ACccUAsw\aaMockko.exe
PID 2528 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ACccUAsw\aaMockko.exe
PID 2528 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ACccUAsw\aaMockko.exe
PID 2528 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\ACccUAsw\aaMockko.exe
PID 2528 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2720 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2720 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2720 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2812 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2812 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2812 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2664 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2664 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2664 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2768 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2964 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2964 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2964 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

C:\Users\Admin\nMgQocMI\TaAcEIcs.exe

"C:\Users\Admin\nMgQocMI\TaAcEIcs.exe"

C:\ProgramData\ACccUAsw\aaMockko.exe

"C:\ProgramData\ACccUAsw\aaMockko.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQsssgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQkYIAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqYkcoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\soUocgUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOckkcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQckIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaYYwscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcUwYYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSEkkssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSoUwwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaAkIokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAkwkYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIUgIwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOYAEkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkEwEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYMwUAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OesoQcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmEkoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQEAokII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mmEEggMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYIQwIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmYQwgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgAUkIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeMsoYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "115202722815158114581905285703448358946007631561894868915-1501155296956566501"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KysMUIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQwsAQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgQkoIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCowIAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsoccUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hegsQUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKIoUAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1163092843239508926-12092877815506701711979807995-1975371770-2145395312-229014637"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\isEMckIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmMIkgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCQscQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15487115512059267857737657060748205635642781357-1091727918803640790-1091644558"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2067753003-285617951-1337572433-1851847926213413474-199937261413201060041254520377"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeccwEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSQIUkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-713118171-14202057431306839635-1757858328-11752708851754074221-11857571681658619023"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1177938480-14082616352567039151839958566-76631736-392180311-453573915376194166"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUgckoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18430479511548386365-766389870-1937398084-960685781286882764945550812-855251748"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2616836491511184097147009241128329680289013069323603459114241565881004087998"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYkoskAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "453545201-1754506334-839257362-1577944705-1081384657959095539208338102405904322"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8717521314492036001309653834-2041373528-148650691111594101761640671944-1751434510"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgEkkkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "129208331-1622261683-107183125521473320501500048764-19628004771628145482-761022801"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wekMoIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "829594284708425366385694231-5992579194401000739802710420293700241166110367"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgIIwYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmossMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmksMwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1644720271-1916342777-722611430-906536145-1945606467446661357-1425184894-1695738036"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcEIEkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18119970517806125067531458961602730381-1729968611-33435293-1178172966434438684"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1281852961917418566-305648649-6838490055639277471014433459866014884582851912"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "698404448-65455793289613721-145195929198792733-579149990-18797543-552359387"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGQYAYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1788755867-2136193820590295329-4765942021148506729-2140800707-5076426111688507691"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "186527897326066559110367624671675744758-629925576-1600825901-428812612-1801931511"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "349800609-210959864-8813918041529467528372055501-64689730151573966-508333765"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqUYkwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-101302772911094700811507085473-719187038189030651173621514520972228742084389164"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQgYYwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1379868735-333258797409707672080356967-1168391001-150614591017763845801405520672"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGMcYsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-869250228-83310479033495436510784400531614893413729870774891690992124074656"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMcYUYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-603600067-12236840391938801523-104231540417408253611365922043-1763465840-355575452"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmUEokow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "194107190488564665-1343888664-1422857821-4275426501263425347-1481759719548852994"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "465458823435303541-493104782-918856755-1799417654401187712-1658102986-1763981404"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUEAwQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18582847021901947352-2807131411280659709-292345252-2172239499406564381386759541"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "129983148-2380897545580149861674885665-18790193321565760494-188233527-1088584936"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkYccEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12575595741082912807818065960-16280086127920407681323504162878532420-1536907393"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17886629881256642205-390259426556111327945840858-28521454-15805979121399676386"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1220189963-14039786501474060556-1155531589-3193857722089171722-736494638-1018318855"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSkIgAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1047780760-1850804770-1431188280-11788173392137603782-19058475187942002871399640966"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCsMMUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4591061331351854156440037192967984276-1595690106-366359433-1952224344-377927474"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-101246951014981607795714045991400844251-11158476301970060646-1332648629278122874"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cscwIsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15633783461463670788-1869845937-1063685584-16485845711053069942-1161969462-443775595"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwMswsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "965017412-1514975221-11736636441140274281-1778121348-1439321702-1152659038-775200347"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "662192459757670458-1855380794160853813-129257239-10959416091664122644-1627210604"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2528-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\nMgQocMI\TaAcEIcs.exe

MD5 6e13d77732b658ff884c155530b68f0f
SHA1 aede21b4af678aa62eccd20436edb18d90a9b425
SHA256 3c4452a09e6f672e11b9b37697455c1e13f9f39201f1317af9a3509f72970438
SHA512 0ff4bb9b91663abdd0cdfd1da598bc380de69956bc744f6eac466ad6bf06b8d83f2a0cd9202de31c74ca951e2ee1dc71efc7436b47170469c41fcb12eef270a9

memory/2528-4-0x00000000003D0000-0x00000000003ED000-memory.dmp

\ProgramData\ACccUAsw\aaMockko.exe

MD5 8d078a2b16cb8288f6931556f5c821df
SHA1 25a0d5a04ad20fa864f165994a060078c2172150
SHA256 949791ca7063837aced59fb5819dc4264137b0cd0c232eda8df434d69c1afc40
SHA512 dc60f0d24a8c96f6a5a0e2b02d0a4bcb9ced96380c33c5750457b7c3333d1a49365d934c651d277d3b3c107d517843458ef015d6a7beb95321feb01b7da93a44

memory/2528-15-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/1852-30-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2528-28-0x00000000003D0000-0x00000000003ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kSMIMMMs.bat

MD5 337cba88ed5e5b92824a1d873e2345c6
SHA1 6b3f929caaaf3b8405080652d8f2f95c6b05d401
SHA256 748a19a7a362a62ba89f0752e09134dcdd528f47812e4dc07e52515776513601
SHA512 01b813bc60a60b7f711c2245444b589c0d21417ef352d5cc21442e84b468068ff5dca5b84eb7c9e17a20f1610b267e2f183f77f4b07a777f620618c3b0b96ab0

memory/2720-33-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/2720-32-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/2528-41-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hQsssgoo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

MD5 d7ee4543371744836d520e0ce24a9ee6
SHA1 a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512 e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

C:\Users\Admin\AppData\Local\Temp\iicoYkUY.bat

MD5 99df1e8c81c7592290f5b3f075f25123
SHA1 8cbc29fa696fb2edfd758b20dda22518a353f35e
SHA256 062321f3517991d99c08c7b7dd8b2d5f9035006ef98415ad06f99e9fd1a62ca8
SHA512 9980edc8829dac5e88218f54d8d1299c46ee67be2abc9504b5409f2c59bb446dc1e5ce2b6c73977d5d9dba6dc5c1f1e4451a83f80e73a52ed5f74daf35046b92

memory/2664-54-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2664-55-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2768-64-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MYkosMQo.bat

MD5 26abb8040f8a3ea33860e63ed44248ea
SHA1 d5f6af9fdc941a58b6e3315b239ecdf350153326
SHA256 2c2a3b0e2d81f3fdedd4516942bf6a1a752303790672dd6d80e047aacac7f75f
SHA512 41975f50a908ec181ed0df13b0e7bec448a8e8cf04b5be69ea29ebbc7cf6ad5ea613538919f26fe5a0a676826049099f59c855a6909056f95097799fa5dcd621

memory/2500-78-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2500-77-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2228-87-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QeAcAYQA.bat

MD5 9774be2773798d49991aed2b56d47547
SHA1 abb905474244a752563a2a5134d66f4746125f96
SHA256 d61be0e7de521478524a9df1b51beea57a1a3788a7c3c1897c5833aa88b3da8a
SHA512 561e69c4a36f6de3c0285a4bfd6ecfd63c1d684a6e6daa444f8b3e2a87d448a99676768102970ffad88248156616c5273ab12058e70efa87974686607fbeacb6

memory/664-100-0x0000000000130000-0x0000000000150000-memory.dmp

memory/764-109-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEwcsMkM.bat

MD5 a667fd20f2ce472ea310594d9582e31b
SHA1 8a1c073611801f1b4251e764e176767a0d1021de
SHA256 e110f0f8fad8e764197181dee150936c1b9f7296414d5d441acb18d496a6c311
SHA512 b7662d4020e61fe6c2fa91135142f32c7f135ed281ae8af4e12350be6f66dec8a10e86d42fd9acfa93cc6e9bdf4e56f384b01a5656d8a6db2197460264f19998

memory/1332-123-0x0000000000400000-0x0000000000420000-memory.dmp

memory/904-132-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2448-124-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pMAcgYkI.bat

MD5 28b72679f130c634834e7a56eda192d4
SHA1 d231a3692ccf7670dbca1d31981cc2fee7e3ad5b
SHA256 722dd5fd9b9ac7d932097fa8cb812056318e4a6f5aa3c00d2b9c64cd8e188972
SHA512 87259109a837c039a7bbbf014ab2b3408128b71d3352b5113192f89e7ddd8da20450f75729bb710078e0c014d33cbeae3c8f043d7c6f2762a0ff055345a7af09

memory/1740-145-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2448-154-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VSMkwock.bat

MD5 bdda88f274e269c0512b709ba9b2c90a
SHA1 21db38c8ea108d00954c2297f5f818878195d25f
SHA256 7791c3de4928b505a8d5833f97bbe41f16de180a6b1cbcb9ae8bf7903b4bbba4
SHA512 d1c693e8655e135c39d7423f23f70a66afc81ceaabb1b3af494b292d772c5f436ad1ca1eec955da7fb80c101ed3e6bb00da43f10fadfec15ff74726c7b8bdd2b

memory/2836-167-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/2760-168-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2520-177-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GOkgYEUY.bat

MD5 21c998bc66772ee4d31648c89a950fcb
SHA1 3a85c4e8ae7ffdb54e58ae814e092708933cb2da
SHA256 eadfe3362ca18bc1171cc3421114853a331e72a7d96d45d8f9aad8e024fcbccd
SHA512 971b3bea9b958eeace8b3b833811b51e00d5652e83fef9d2d09d84c3dcc6063b69e4ff93cda1983aebdccc53aea530237add34c183f0448368b688a8ffed4b77

memory/1480-190-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2760-199-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ymcUgEQY.bat

MD5 ad1e5a996c2d16081e89cf5c2a5eb2d2
SHA1 881015166b7edcbe7fcdaa809e198eaff4abafff
SHA256 ca582d9ca2cba3cf13ff3fe7ad3d55b762aa94f2415c5aa5aab8af41d0999581
SHA512 79df0cdb86c7ae2e7231f291a97bcb0e7afaf7342ca32053b3b4da1393db6e596e5499720d9814b8c1d66d59e21cccb5f7a0ba0e20d5e0f42c7cfa2f95b009a2

memory/2984-214-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-213-0x0000000000120000-0x0000000000140000-memory.dmp

memory/824-223-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-212-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LUkocYcY.bat

MD5 2a893ad3bc2e3c167c312aea5fe69647
SHA1 fca622ade568c9d94ff48b9d3c122d490aaba054
SHA256 9daadcb5028972919f698ff84faf58c175f6bb39d47dad70447a64e95e933b61
SHA512 47029ba42cdb57df41b55142d839690767311406265de6009565729e133ce6fbefd681e54612c58de479bda4ffd9b227bcb9d4973072a527a4851b65d0839452

memory/2360-236-0x0000000000120000-0x0000000000140000-memory.dmp

memory/1336-237-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-246-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NOkQwsEk.bat

MD5 8770486bb2a9ef95b6ad8f62c6406237
SHA1 0665a844d0dfbd29a4ff2d9cd1e0a73cb93681ba
SHA256 98f53b2d2956d57af428a665096b0663ee5d2ae17972dcb5261d580a0e1dafaf
SHA512 0473f565679e040a8872c74c5fc8108b189a6b495f1758c295f31c0aa325ff0567d19bb521c94b2b78a980511df85485c981ea09cc5e2081d10681ffbde2229b

memory/2276-268-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2444-269-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-267-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xooMAggk.bat

MD5 bd665803be590a8ce7d030137dcc0a53
SHA1 024b8f61fc124c8c50fe56206afeee2b85ea5468
SHA256 c1651fa6f8716b3e9bd07cec31d407daab831e41760e0e5232f25eefc733194b
SHA512 7e673b71d2edc16a69775a1bea681ca15d3a7a41e9142e25b5faff0e5d9fc6037787b719ba8277ece72cc7b33c0ad6fc04acef93b3688ee33a05f1b1b684ddb7

memory/2596-282-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2596-283-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2796-284-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2444-293-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BkMwMwog.bat

MD5 e7a0f565a68a9a29e94ee3b651da37e5
SHA1 1806c6cf48facc4780e9251578e8f63cfa7678d0
SHA256 4f266e2e01920c65df851e7c04b112071d659b00eea26996815da1616fb5bcf4
SHA512 f57c861c3c296d56025184accf9b5e17890575f86df4bd545481c2830513e01d1043407f514b9d778a6f1dff4bfb58708725160d3c4fe44aa68df834b0ff16f1

memory/2728-306-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2616-305-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-317-0x0000000076D20000-0x0000000076E1A000-memory.dmp

memory/2324-316-0x0000000076C00000-0x0000000076D1F000-memory.dmp

memory/2796-315-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rcAUQskA.bat

MD5 6e6f3c20499b5f150b378817f0d85a93
SHA1 470c954a932f92d6c67286cea474200790ad318f
SHA256 9a806dbf61edbf98e5a2834878c39111e38e0edf5738d9e34862818400df2e0d
SHA512 139158329600f91e38a7fac951792cbd67a47190f60e99173392436796664b6a9864960e1e44b383fbe275d664ba22d9886fa09b3421d8ffef664a710bca3b2a

memory/2940-333-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2680-332-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2680-331-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-342-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IiMsMYUc.bat

MD5 95c5ab8f89b496d5515fc7f5b9d452e9
SHA1 19fd0690811f404870e54cf062e2c3200c12f032
SHA256 85359b074e910f75956c03c1c18c88d1135fed230828f4babc4ce8957e26716c
SHA512 faf17c2e4f2f2ef8716ba4f2b3c623b798ba251f939dae9a6c883bd8daf118ab0bf6d6dc3f84fa9ff4347a3df6b7d64d568d5087158bde2fbb8406e23c18fc2b

memory/1864-356-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/620-357-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1864-355-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2940-366-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsIAIQck.bat

MD5 eb14170e965ffcc3b88daee0225f4745
SHA1 81263b6ce9525850d7928e64ec1e892a2cb8242d
SHA256 5081512e1bdc4cd0d53cd572a9bf173c1e9553e7799fbb0933f3fa63aa49dbf7
SHA512 c5e793a2d50cc6b7d9b8c148d4443ec833019541e97e25be920b6e571e7f367b290b516c5c871c93924ebe609b4136701cb59b4c4dbc294275ea66a4d6f864ea

memory/620-390-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2352-389-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2588-381-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2588-380-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vSAgwwkY.bat

MD5 b9afe97ae78a59e70989206f0b33c8a5
SHA1 3dde34a4cf472eaa4723d1886df9e5340156b9f5
SHA256 d52714aaeeafbf2bd789213cf7ad078e2ae17521e3fb061599b523b22d72cc1c
SHA512 d6746772f3a80005108092cf9557fd9303ef88a83e6fcfd21f458a4612fdcea29964a74bba8f6f62c357eaa8203dee349838747931ee41922be256d9b988850a

memory/728-412-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2352-411-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1652-413-0x0000000000400000-0x0000000000420000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\LsMA.exe

MD5 869c122b56557327a53afb77123c1955
SHA1 0f8a22e90abc84ae631be40f9b63391e9102ebbc
SHA256 d3a5e60f4a1436f74900a384531663abe7b02f4e5540e684538dbead1f89e2c3
SHA512 c6c9c83b478f609affc39ed344a71757817be500ee0fc420d2ad1cd5cf54a14c705590531a50bc2d0f3833a61ea34b7a44630d6ebf06cbfd65af430dfbefcecf

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\smgkgwQg.bat

MD5 f200867eeb616a8c09348c6282e9dcb8
SHA1 ba1fc280740207044484145262f7b11f78bb8159
SHA256 0032ae24a02762125ac7c1b3346436aa9b7ddf36eaccde26a6de2dfddd5504ca
SHA512 d8a19074195720a5ab2ac76ee604ea1307dbea96034b5137c86754a1ac74581a1437de1e30dfe0eb35705dcf3d0d97d598bb79bae134e009ff55be2b1c73f65c

memory/2908-444-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2908-446-0x0000000000170000-0x0000000000190000-memory.dmp

memory/1652-455-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2852-447-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jUkm.exe

MD5 0955d64540240d744dcd049d4dbb5691
SHA1 c56e207ac4d1efecaac00e72d0cbba38c9880401
SHA256 1033ba98d70a2689eda8af9dc22f1498b4ad69fb9f32c352a63ccc5491471d31
SHA512 3ba09ab2e03bd958729702b1660c17341cbcd9c8ebbc3f42a66643ede03135423f735ca001da9233a98bd3158aba83fffd2113284a1f23f856865c65490c7a17

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 eb9837dabf67ae22a8e22e85bc561d65
SHA1 65810d164bfb50f0e8888eb328b538e8abdd9ff5
SHA256 d63726048a228db6eef4909efac871b5787f8d8b89761a6a74206f95a18310f1
SHA512 9f13d93484a90759c1922466ca6ef135526750896d499f030e68b8e8bba24d2a57754e850e8a68d2b4fd7ecb3654b35dcce1cd54b66a28ae74be1bb588d6bcfa

C:\Users\Admin\AppData\Local\Temp\wEwa.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\gEEIMowI.bat

MD5 4fd9960415b8494a883885327ce84e29
SHA1 38dff2184bab0a97b609b6ac3176c39af8d2730f
SHA256 3394694beb119b5a6e6be9c0cd31ec7092e9ff101b68d02400e5ea16c6d4ff1d
SHA512 f507931cf9d15bf588377e6d683cfc6fa87a0d48bb35992bbfa4ae17391623944f048a8aa9c1c3ca92fd67182248b2c8c50f14a0e80a3d5a6e6bfee05e89ad94

C:\Users\Admin\AppData\Local\Temp\yMMQ.exe

MD5 009f2634e3f36e41099257af874325bd
SHA1 f59670b83c4378c4ffbd001c1a4a8f2d90315a5c
SHA256 2e6fda003f6069e6c51c9e69e5a8d93564b5abf2c7a1f64d93d42a484671ca74
SHA512 0439fa706f1d67338a7d2b88f5f578c3b48c59be9ad06720efb19b0e7272f9fbaf4d9dec51e18fc06a03aeccab1ef678b00f9060d4e324230fbe5c31b7280aec

memory/1080-519-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2728-518-0x0000000000260000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rcge.exe

MD5 3e3fff5895a2ba7b53cd37833425d03f
SHA1 c2f660e8de72e972b5d47573ee7cdadf3a9e39d7
SHA256 a73d8ec8fa776dcb1e6d82f89aad235f01ced0f42ef845a7a6b543104436e3a3
SHA512 dcf38f49c52f46d4f68835a7c2436dd0b26b3016564588e18fd7c1b2fccd53a92b934dfb2f82a1f83c0e595ecb34c762730b84562a820d8d2ff079329caa76cb

memory/2728-515-0x0000000000260000-0x0000000000280000-memory.dmp

memory/2852-530-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PcMo.exe

MD5 a444a6f94e9a1fe0418f4d76690f7a0c
SHA1 daa64eceb470a63fa634564e63203dd16615c5b7
SHA256 cc7ac5f3e7c7303c0a689478ae5f07384c31c7fe0aa537d6c6082c269a501a33
SHA512 aebfb6323f327f1bb4dede3cb0f56d3d3d06a3c667d5d48efcf614aadce2d195f48a7fb8f4f3ceacc7dcad2db82599a7f3cb64ec6c85e624857be90b4f193e37

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 060f5bef7213c554b0d5bc89f98fd1cd
SHA1 709bdcb8653ad747bbb426ad39677b72881d95c1
SHA256 2b919500af9f289a22c816c1c9d4a9590e70aa4715843298bd84947a3400ebad
SHA512 19ba5dbfb438edcf186427cae76e7dfc774bc185b763f35cca12f91f5761eb94ae9714bef0502d570b8d044e35d9df67ab049c647440b8dbf35da2485ce6db60

C:\Users\Admin\AppData\Local\Temp\XkgwoQsM.bat

MD5 9a9a0213f74ba72f3f8f88a35b9a865a
SHA1 46ee95d3c42582a341605af8f2743df291d6297b
SHA256 0a25c64917ae2f37e1a56d9a3d47d73f143f9065093cc58d742eb99c3e59fe64
SHA512 22edf501b5607003c861867ee876b3318e3647c5a4f0f55ca726e9f4d3e886d29b0bf55887be98f67791d3401209640323b1f6c60924725b0aca21007c6d9ff4

C:\Users\Admin\AppData\Local\Temp\JwMa.exe

MD5 3679e15c300cbab9c5d1694f461f39ae
SHA1 6a8c0fba75c5da76958c0fd811ff9409498f9048
SHA256 fdb67ee41a9bb1c5537d981f142812776fb8cacf024cdc58c5e801fcc8c8a4fc
SHA512 364d35bea5fc261223a826fa7c3b8708ee99385e65aab5256b0b5f1afa7aa9b30c903fd551f2e3335341c9e30a55dc862b9e3a4237cfe47c069b142f44ea4186

memory/2388-580-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2388-579-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fkIE.exe

MD5 65e0610ae7ecff0e9e4a93fef840d443
SHA1 b619a73a751ed85e861329ea28fa50d56921c4d8
SHA256 c562297bc9aae4435f239f6eac1601dba323f64e4f0efbf1067a240b60d86abe
SHA512 4c4075872343797b111fee7bee3c257b453673232c10a5a9f0073232cd8c6663ececa62b0e94604fe45acac6fdaedc77e7dce8ebf2fe6518a3feb5baa2c1eef3

memory/1080-602-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JMUG.exe

MD5 f2c1cd05f76c26874a3b5a9211ee45d8
SHA1 83a126bd19c491b5737c910f580d059ed0cf7e84
SHA256 c461a784d7ae899195adbfe38be72b43e4f007a9572fc049e1753068683fa4e6
SHA512 92dc8591d0b05610b35dff1640033d5508f1a2ec22986a24e0059bf775755b160551d3596727c513e0b18d635c5e0ed24bac0e7f8ab1558f47b8e692848317c6

C:\Users\Admin\AppData\Local\Temp\bUwU.exe

MD5 daf68733e0669e9a72da976518f60236
SHA1 1de3111a6d7d027ad36f83036799af3fbff757b4
SHA256 4637d5e125514449b67042d32a56084a4bc38135cf30d5288dc75fd12ed8835b
SHA512 dd944beeb74dd0785372e0270100a6627913661199955375f055a2414ba69c86ada75dfa745389c86bd814563fcb9adc3838738dc74ce103e396c19bc866dc6b

C:\Users\Admin\AppData\Local\Temp\vkkI.exe

MD5 2d90246716eec56f45e871ee733f1b52
SHA1 4fcf48f5a891e0cf2e717009363631942feccfbc
SHA256 b15d3c96032cb7eb00d32498f67aee4a8e94fa7169f95cf56f88400d1a0b5950
SHA512 0706f3f480d1c061fa0980c1c7ae1f0b17970c425725c11a08a88a1dabec302c802df96bb08f536f342fbee616d57a2f6842c2711b10522490b394b362fbd25f

C:\Users\Admin\AppData\Local\Temp\xeYoAAss.bat

MD5 4de8ac80590ee4dbfc0152d41c66c50a
SHA1 f49246a1c9edd9b23b5f85ca7ac20198ed7b18e4
SHA256 b77d4eefeabd0694f43a93691eec4bf87ba97d086dc08dd6005b1097c5920b9e
SHA512 7f6b4592880a1523334533e6d88e9c30ad5bcb4767c4c69db3b7c36864129aee789fa91a4391263d22a9e4fbc9f59f9f6ae09f38e657322931bbe604e017e56b

C:\Users\Admin\AppData\Local\Temp\GQoU.exe

MD5 e080430901a733ec1ba3d0bbfc2d2a77
SHA1 5c446dfb01065756f27ee06bd654335b6c7550ec
SHA256 9399e60c3b5f4cda9cac889d2f26eeece80fec513ac1c543d9e6b56ac3c1a93d
SHA512 76133edd98c019bdf6c771ba163f291281873272a3f971ca33f7a7f21309ab36a6d3d1816b1da6f96fc16d7acaa654173b0ef8798d791978651a68ffd10311f0

C:\Users\Admin\AppData\Local\Temp\pwwS.exe

MD5 31efdd736f12c472c85d410bcc1652be
SHA1 6e5f18cb2cdbb8a75f0af7556869fd002f5c8bf9
SHA256 b15b5a279df7df252485ef576f9e7fe021b28fa74a6948b0a3c51b1561df613f
SHA512 140e7bfa6a06c91df984a868ea0e30537361aa408a0aa61f670891f8ad4a8a842bfc84c8024e7517e91c2dff3165ee99e68255bd4579dbcdebc328ca12f21095

memory/1692-678-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2548-699-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkYQ.exe

MD5 8850f426235a2dd1c96a0ca428ccae2c
SHA1 d399c7a24feab6017c04c281f7a8086f4495e97e
SHA256 8a20bcab720fd0832a3e011e60c8e5e592ca8939a29e57a8f8a298f08fa5ae9c
SHA512 bcc721dc251954583c7507a40242c5823f55db5bda3cbb2d9c70470635debaf3f8738d5d59fb87411f20ba9164ef4299183f5852f95d9b1483dca53248b15682

C:\Users\Admin\AppData\Local\Temp\BosQ.exe

MD5 6b4c10278245c526b733dbe51966c2fc
SHA1 0bc4d2ba9ba0117a2a1c015ad09493a8b398e405
SHA256 00c4dd6172048d4c30785c9df4356d9ef5f88eb4dd6214c6112dc0fbb933155d
SHA512 4ac218771939b64aea5c4b69a2b98c81f040c912fa6e23a12ed69c6b2aa34b1a6a33fb60645c113e1b988efbc4e45f3fa607c09645b4a6aa3923bb1984cf65f0

C:\Users\Admin\AppData\Local\Temp\dMkG.exe

MD5 49d2fbaaa9f49b5b9c0f38cf1ca34746
SHA1 f1a63beafaee8f1c0973ca75ec0116b588dd32b2
SHA256 6c1929dc7ed36f8eb708592958b6c8d15d4ebed724c16dfb953388a99bf6a254
SHA512 358afdcb9c1f0bf06f0fa7e32e5f1f603b4c32db032231ce574524c46c2cd1caa44da1bce2c6097d42309346e23a61c6bdacb25bb8ff610e7ff8ff4904189aff

C:\Users\Admin\AppData\Local\Temp\pMgO.exe

MD5 ed1d2f19508acea8397a4b019e82dfcc
SHA1 01790050ba26d68005f1150a2d9e980b338411c6
SHA256 31603d598370afddd13765eb16025a21a2e2b15bc021e55ef7e255e74e04676c
SHA512 d8e8d719dcf59b5fec09744b181b1bbf73d04b13ca43f60369d30972516b70ad4f65fdbfbda7ef2256fcfa52e330116a0174fa7f8e93bf6d06dfff3fb54e3a52

C:\Users\Admin\AppData\Local\Temp\zwgQcUMo.bat

MD5 1ed17667e77fb667a5680cf54f7ca1d8
SHA1 762c6da4850b5646b1fbba9a221c5aa76fe97df9
SHA256 9eb3a324e2b28b046a964cd9075eab7d1b8576c248b32a5bf2ee324dfeb9ae8f
SHA512 f8085f2d3e72ea75e1cb015e6a76ae6b063696586699e314f723758ae8fe9254e2ceb17d8a3123efc2fe3e6421e20301977a2e2154ec90718aec56f8857337df

memory/2940-763-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2212-762-0x0000000000200000-0x0000000000220000-memory.dmp

memory/2212-761-0x0000000000200000-0x0000000000220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ksgs.exe

MD5 a9c471e2cadcb9569e9f81dddf9500b7
SHA1 ded3b62abe1ed06d4f471fb9fca61c42e6ac47f4
SHA256 563f093ced2b380a98556f69af69b65785b60fc376cc6cf43303b463b963daaf
SHA512 f93b88653ee5d8dc9f7f64e5e83606b755070f4b16974fde26b775240ce27fa97e2d39f122ae00cac2ed7e089e3ea4a56fe5f57eb20c429154c9e7fdf57b4eed

memory/1676-772-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lYks.exe

MD5 0c5da46719e4f3d736d10c9976d1b599
SHA1 87febfd3f7e5792d4d518ce8948807a976de04ee
SHA256 f806c0b831ed03f16757d7a7e02a36b3223e34b113b2400a50ae1c49b98fe68b
SHA512 faff92c577dc552869c9c9804fe85cf1bcfe6cae10784b09af880c01e0c3cb90065c6ea2eb908a8df4a5f565128bfd30a238a6e4a82434b02219adc44d8e641c

C:\Users\Admin\AppData\Local\Temp\PgUk.exe

MD5 1419c8953888be9ac6018857cabb7195
SHA1 82f110eec394b3e655846c41c10df810067a9abe
SHA256 7b924dfeb5f2885bb95bb9a655043fcffbbafcd0d8313bc730c6e9916a596a78
SHA512 2c0df8c1d1da203e83ef5abcfe16b1f055ac47a450889d8048482b3d128ff4b3159dd0419d82ee656fa53ad0d6c2d40ddf44f1dd273b0406897a535b22e96334

C:\Users\Admin\AppData\Local\Temp\PgEU.exe

MD5 5686ac4872a344ff7951bc162f3b40e5
SHA1 9a533b8e569f5d6a6c1be83e7d8faf5cb74df8c4
SHA256 18eeba70bd6643a41b523fb8440a0540c16f7b2900af356fa1824d0a731700f1
SHA512 8d0298234934da84842428877ffd140e3e7f8c9d2c195b01cb5e5aea2caa6583cb059c84bb39adeecb39ee3f19cb61c2b9a83a581f4aa0b6ec2df5d99b4100df

C:\Users\Admin\AppData\Local\Temp\CYEM.exe

MD5 853acb8bb3b26bf770fdee40eb7d340c
SHA1 d2170e3c0737b0c8bcfb4204b1646470dc8e9b62
SHA256 96c78d9e99f23472ea964a95acb9afc2cb4740f5a5e76300de97a506469e3d85
SHA512 08a17f1dcc9205ccf52cb1a1e6e437d1924a2e79be67e942924351439986a301deb6fa2b84aa129b47749a7b5e452020d3506a9c4c4700e0ec5ad7a82caf0453

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 a7419fa024ed7714c45bfa27219840fe
SHA1 ab5d8b05d1bbad71976be24458af29e445d452eb
SHA256 88c15cccab776015a1ca8606e5a8312fa7801693ff46c9802f78181a95f3f470
SHA512 5b22b4a4ca4d7f3401ccff81fd20faafc1b613e1beffcccfb623f3b3cccb52f22ad11095f902dc4b71f6214c8d13e8c6d07ade9686f0baeb4d0520b00ca40277

C:\Users\Admin\AppData\Local\Temp\mQUsYIck.bat

MD5 b6617a579bfc924ae0986453c81b13c0
SHA1 621ba2c5eaf9bafc15a737baf4bee17fadba8f59
SHA256 8f54a12ca01fb8c83751a43cd938c8452562467348f9cd0e5c337dd8d1289d0a
SHA512 42a34ff82b15e51981dcbc347b6e80612f0fa8283b6adbceda562ca5eb1dde30d5e0af88b52543624409973eb53c9bfff929b03018d21d91e2bfca78a82b913f

C:\Users\Admin\AppData\Local\Temp\ogMq.exe

MD5 d7ea08cacb57babc7f9433c23eec0a71
SHA1 a9c12c735e71df2233476aedfacf72cd855ce19e
SHA256 bc898ede731315fe5bbd7db083ff2876a1212787529521f56d0da47587f3a482
SHA512 2d602c0de0c929ebed3a80dcfa7641f181bbded1881514db8ec5ef1bcfd4ac48926a5c89d68002291787b240917f08024b6534728673cba08621fe83fdb1303c

memory/1552-862-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pYMY.exe

MD5 b32b6b100591bee9f6a51f7564b083a1
SHA1 dea0537ba0aee6c16abb65e29d883ad129320b31
SHA256 0ab5b817ffc5857f5e4419f28bd478600e95cd9331e0528056f1ceea3be5729f
SHA512 085c706cb2fbd3fb5120be8923a65ad3b389d5417d94a1364c3e325e315469ba95b092ddc1d817e8ca78c36a272df7c9bc9c5d73a2bf7b2dd543a4d2bbba1ad7

memory/2552-861-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2552-860-0x0000000000130000-0x0000000000150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lAck.exe

MD5 60574bb6fc37fa354ca024172a7c7af8
SHA1 e7c06281014dfc9de16e688543f7f97af46fb78c
SHA256 cfae300441912b836bfafd64e7e89594a29b3c29a44550c0df4cec6e0112a7d1
SHA512 8ababf37493639a9b9f32f0fb405bd3df97f2d299a0b1aaf7f87e459607dd54da61980134224ffe6f2ce926a49ec2523b86090e6759ca42d82d7fc0f6aefc1dd

memory/2940-885-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HAsK.exe

MD5 28b1ca5783a612497a67da26b5802d2c
SHA1 e5370dfee1bc037fe949b76682f6ef14eb2e7919
SHA256 f2947ad9af3cf55b0a6376d82455466e4626abecc5ae483fcf237bbd056f4cb4
SHA512 f6dea9e700d4823a76feebd8e12f977cd06245dd9778f0a9e467034ce660c382042aa696c39dc6b948b33fe62232f254d3a339d35ce19b347708eea16212aef2

C:\Users\Admin\AppData\Local\Temp\oAQu.exe

MD5 0716c88b2df7f6aab2949763dfb0f601
SHA1 bb4650cba83dfb9e0bf302076610ef401c7e6dea
SHA256 b3705730e9742e8bd35bd1263df489940a2aad383a64854b24107b11b3f7a367
SHA512 cfcf3e64bfeb286827e54e9bf5b95c27c947557514ba2dc406fa762aa9e2eac673e4499ffd0123359cbfe83e1cce7e01ccb9fcd2b77f319f80ce941c83110609

C:\Users\Admin\AppData\Local\Temp\dEIm.exe

MD5 4f539185021f22dd9c863873665aeec1
SHA1 fb768da534a639bbb4d63e03bfaa7bde898491df
SHA256 a9e5a77feac2c647ef181e09b9c293ea10852e6c2b8251530e96c6c109495ef9
SHA512 f32ed680692e0c2172aa2beb3e4e9b225831cc601333c99d738aa7cc659877f759fbad8ec244c37197cd0d146ec65e467c949ffc720dec11609b1163f357dbea

C:\Users\Admin\AppData\Local\Temp\hYsc.exe

MD5 3654c21d21f835383c4b920dcef258e8
SHA1 12aaa292b8a17db5f3da039ab95e2df8d8be7684
SHA256 9c561af8965079be81babb18ed9cc29a66d9209cb8f4301f38ca39cdc70d08d6
SHA512 672bbcbabbb94307082f5a9fecebcc9bf2a333bd81363bfadd69740cd13e12f781b36ed3a52202aaed868f57ebc6593554c5aba66c279c3049e756a8c606633a

C:\Users\Admin\AppData\Local\Temp\bYMs.exe

MD5 59830fcfd635dcc0a81fbfc1781b7b7f
SHA1 99bcc803e0664514bb0941c7259b5eb3222cf415
SHA256 0c1bf08c1ce01824630b6ccf452b4ccfb03dfc5de68dcd4e74c2e68324ac9fff
SHA512 ce8d51f68d6c3dc8effd32bc44e309899cdf40f63111513f7b4750f527b820874172d2546d08aa81c622e27f8ed7347ed7afe37825dbdb7480c57aa2eca61504

C:\Users\Admin\AppData\Local\Temp\QMwe.exe

MD5 3a9d3009116ee6a7d19bcb3a0b219ae5
SHA1 087e2751ef5f36812be243372559ead790768e66
SHA256 9956b1858139aa960858175b4b11f1773b80f961872e4ad06f9d7f01e22e61f4
SHA512 e4f7f78c08380e44dfde0019b3ce8471f91027866ebc94206c72e07057a86625a8698778c4e0490f7d4d603f0bda12eac71ba959113ee626c7a29dc8403c7199

C:\Users\Admin\AppData\Local\Temp\QQAIwkIg.bat

MD5 22b38552d2f033380b12200594fcd3fb
SHA1 2e689254e4a61c73c1f9f6a7a70291604d9bc238
SHA256 0f9e1b09c18e4007355ce5af67fe967126029b93ea4b3935f700d96a18f0cdfd
SHA512 4da7bb5ce5114c9b490e5ed2b0fcafe939085fc7d204dfb65da185cd7d76a26dd8309f4ceaee436072d0b3ef3bc379f8d25d6539b0f2d33785505cb55af0e684

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 11caa291521bfd9d74f089624e699bbe
SHA1 757b73f9bcfdd75887b6402e2bf1202ac8adb546
SHA256 0d96d7147a855564a7380084f31942e9a13123ee347b18035fd1dfed8197b13f
SHA512 66abbad6cd05693f289f1837ba71d9d65c1f4c84293384b4a8a460dfb282f4cbb68cf7d307fe9d683177e9a5db3917eece578d9845cd42f226cce2fdcfdb009b

memory/2008-1000-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2000-999-0x0000000000260000-0x0000000000280000-memory.dmp

memory/2000-998-0x0000000000260000-0x0000000000280000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 384bdc92cb922b142e19c205635267a8
SHA1 90471e34d2295bec5a71b98fcc7ec42487ed3a54
SHA256 45dfaa265a2a736bd22ba486adfb1e8488bbafccc2931a4b29fb1c5c32e55e3b
SHA512 361e7ba02d1581cf3b3e97d062183854defab382fa6dc87dd4bde2696983c4f060d629de65d7dc7ce31c26ef3baeac9218fe018779613cf81575f3ce6c889bcf

memory/1552-1022-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ygco.exe

MD5 4cb47f845c1ed62c1c5d138b318b7580
SHA1 aa10732d9ce10968ed0a15e79822ee095ea1f58a
SHA256 2ceecfe795bc132b7e6719d31e3806c31dac65c0823bafc18cd63b58d222f8b7
SHA512 eb77ccaf104d7f0647f94b46c889622e63864b22205517d0654cadfd0e2d4fd4de696400e09f5eb00288cb65deb6ffdbbe8ce882c781d5c360813ec2c113e093

C:\Users\Admin\AppData\Local\Temp\pYsk.exe

MD5 827a60a3336b979ea48481a593b4f494
SHA1 cd10f85f5a9b62470ba0f9aa419f305dd2fda597
SHA256 b960a7f165d7e58353501e2988be245a0425c6d41b122c8a10a4ee48a200f454
SHA512 82ac9867188bd968feafe1f97eefaaf71b2f55d516f50525074aa92e7781fb162ec819c0aec17a1fb349cbcf586c2992241383f3b2524b0e5e4550b2331e9d52

C:\Users\Admin\AppData\Local\Temp\TaUQYIwI.bat

MD5 893d2e4ac00493e0ba35e4f41c61eb33
SHA1 0ed8d0d3f11893978194c503cc21f38a761def6e
SHA256 20a5ef60d3bd7f5ca7c55a245e1c52f28d2e5466c57c02c814c88a09f237a14a
SHA512 063ae0344a703be0665a4cd985de944423c79756fea8d33072584b3ac1afd7c4f2647bcb5c9ed966b74bc37f84d061472562a732a2dbb5156ccae9c420a9efbe

C:\Users\Admin\AppData\Local\Temp\HoQE.exe

MD5 4fa9b9980323cb69b8308fca3a57da3a
SHA1 c372619df447342a923b9e406b703839bbb0a3d6
SHA256 a1517e9609436a255a0e31b47e527175dcaf189bc90b43875ccf0c943847395f
SHA512 9232dbc26c3a855f2e0ee83944ff181b6972c5cb6188c467290577b76d5f58875817632015d54fc6440dfbd836ee8cc7dfb43fbe1fdb4cc92432bc105bbf9546

memory/496-1072-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2196-1073-0x0000000000400000-0x0000000000420000-memory.dmp

memory/496-1071-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JIoW.exe

MD5 ccd5bcb0018d46261a21452ed250b9eb
SHA1 17d4c1770df6da76da43269e0d379d034cc94571
SHA256 3054ff16c603560d750e6c8e41970fe4d93f156509ab078643d3e561a3aad5a6
SHA512 e2728b14da054057b5959af7c51939559fcdaad7d83d31c43947c99b1fc46409f0a866b9ab04fabfb865252f9b4e24094182c809ccf4b3381380291d480be84e

memory/2008-1082-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hwYK.exe

MD5 b2149629a03b9fa8c3c64e19d6306741
SHA1 9f9b59e6dc8d9cf78d024db06ae7b06b37e31d22
SHA256 58c028557cba98707f047b81ababf63529df2e84f103e0af8b3d557792604c24
SHA512 aacab37cec413c6b590f813e16ce4809a3bddb4fb1a024e40dd8049eb8089032a5a678589d2abac7ee7b6e7364f38b30c70cf42bd40943341045dfa829c73f4a

C:\Users\Admin\AppData\Local\Temp\UkEIUMcs.bat

MD5 4b4772a6109675efda3644b209f7e7f7
SHA1 9ff343434dadb50329997757692ec08d13eb27ec
SHA256 547055d34885a88be76e8aae8cb889f8e241790581f8cf7bb3f3477406dad683
SHA512 326c47d61adde85e799b668dada9418ff93add5054ce41aad4c76f25336f1897531b2490c0c9dd1d46dd80fa8904dc829bab034189c311ebc24e139009a485fa

memory/2036-1145-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2692-1144-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2692-1143-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIEy.exe

MD5 8b6893c9ee2075b52c20bb6655a4b8e7
SHA1 79d1f420a3be7cfc3e2050b64d16b99b67588cac
SHA256 f5ad477275e70ba2f8798ba754871ef72d0b3ee6448618d1a4264ea38abc7f2f
SHA512 f9e8a4b6a76a473bb278d9fd25b8eb330ca91ec8f22dc248404c09dfe75968af7edd025f121249903ad0a0c7ffd0c978584ac861c5dc289fc6ee4e62826dbdc8

memory/2196-1154-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BQgo.exe

MD5 746883a2df82203f69890e5add290072
SHA1 01e1af66271e6cb8213ced1c6ea7e0687c69b927
SHA256 ce01f5d908add4ce18a67c008710259d82365251c8cb73d79b120e3430a4269e
SHA512 e2d5c74848da691a5969d484d5a2c512e1b7c4118a2596eb1ce2831d22c47fb22df6e278db65a2151147d547412a8ad19d5528c0a880884eb075a8c86241afb2

C:\Users\Admin\AppData\Local\Temp\BggW.exe

MD5 d1e70fb0882fef61151fc0135d3f1705
SHA1 f689d06d41afdce9c1dd7816d763f578cb7d096a
SHA256 2f076092a949c7c3ad6dd86ddbf4211ebde0dceb66edb773604c8bca701a912f
SHA512 c7ca651709e2f4f299e305ffac087de24140fa8b109f8e8fb47814c03ddd38ab718f023fbfc1816b999cc1bb32a21bb59013065bce12b1b63be27f2640f7461b

C:\Users\Admin\AppData\Local\Temp\xYos.exe

MD5 59b4f270adab74bf57cd8324d4d5f42a
SHA1 1b4c406b94f4679b5488138c68129d8352480a5a
SHA256 24fcf8465f2b2badea8e7bc193b2b135781bb7e80bd4d4ee76fe3958fe64f7e2
SHA512 0a712688700ee0b09b76172ccb062587d2d57e88c1a32f8e9639e543cd260c16b3a1def0541a339f1450662b1fa829f6b0b132076aaac8aa8044980999804b82

C:\Users\Admin\AppData\Local\Temp\jCgAwQIc.bat

MD5 557c0633ad078b5f6932860af859b9f2
SHA1 057e1672dee51fd7d9cf727fd4f35425732939e6
SHA256 81d94536ddc856d7bdf62fd5357304e3f1f8dfe138a680929350eb8b56a9f508
SHA512 334d471facfef6eaa50a0d2273de0e173471bd3ad7b54be21fbdcb9fba6f8c7f242cac409ffab68e3f20e20288f236d17842d908e0dd25529bd037d248ecb5c2

C:\Users\Admin\AppData\Local\Temp\Iwcm.exe

MD5 af4edffcecea0f0d2ee8fda7547a35fb
SHA1 0160dd2c932ab4ce5014f6283615700eb5836d35
SHA256 199e6418c14fff9d7c9f44a9a265cf9c4657465b9ed386b5d24d5f49461756fe
SHA512 65d86b92bcaa436190975269112f7e5fb731b588d319fe309a2b6d830b6d07a53a8d71e75d1847236ace74da9a56e0d47b16f7267e95dfd6618cc40814f57e7b

memory/2244-1230-0x00000000000B0000-0x00000000000D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEcW.exe

MD5 328677fdeaa2c8a908e094bb41d3d1f3
SHA1 6cd7fadc7f6a879dd30efde086cbd4c001116434
SHA256 f06e589d994ba74971e8f89c993811e05616e844d4f17353a59290ecb2ddffcc
SHA512 81ad56338a185f0e9c3921dc1a097a7f86b49588b8fff7bc2e799ba5056526d56a524347a9e66728aac777b32e85a0e0bc8787779fb3007deee2330dca78e50e

memory/2244-1238-0x00000000000B0000-0x00000000000D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IEcq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/2036-1239-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TAkY.exe

MD5 5b2c73891ac0f7ce05da3f47aa023154
SHA1 1914f13e29897c137f2e9b3da8b331ced967638e
SHA256 c0d149f39f5b9682bfd531810e6965d7faf5c172429bf0be9267c6429a8980a2
SHA512 93ceae4cec8e245d3748817af3169a594c765afa693db0ce4b66d5de3fa4d10afd4eee00509fd27b61add0c70ef025cb33141be27aa5a617265d415eca639a8b

C:\Users\Admin\AppData\Local\Temp\SMAi.exe

MD5 4c86ffd9bf879ce76c40d96a6f9f217a
SHA1 839891b9d8aa98e40ef58ce4d17b219c85f0c6ad
SHA256 b4b5b6ea47dc63a71977d2b1c649ccf5d1ccb814c26c951d8dffc0b47896dccd
SHA512 f3a18286cdd4a79ba1b693a46e406f04d75e04e11749b06a64d9d3bb199af89e50ab349252e7f662d37283ba6e34ea46997dc2a2d6f03fa42bbcb8453ebdd9c1

C:\Users\Admin\AppData\Local\Temp\cMkE.exe

MD5 32159f0e5fa9ca33e2bd1579735578c2
SHA1 f88f539c7a281d737be1ce41adba724d88367e02
SHA256 c02f6af6cf57504d041a89bad1e56cbf5c68a136cf85a53479dd90667b5c2483
SHA512 44511c91630b3a9a86edd54ef0d419602af7ec3a80410366270d0fb65ef739a07b4f1c58c41b0e89b86e0b8ccec3164606a61a6997396b1be457e2b239e7b2a4

C:\Users\Admin\AppData\Local\Temp\zMogEwEw.bat

MD5 20f945c0243a868ca48259e6f6f6e979
SHA1 08fbfc3ee7e6d802ec6182449c2046edcd8421e3
SHA256 b1b83114bfa602cc5504a8d5726aa29c3e1ebc0c56c90ef90592af700aa5f8f5
SHA512 71b6cff0a8a3e452d47955ccb2c5b76f2abdae6c3508e6687b9be95b7cec551d5386b614d0fa44a39de254dcb9c6424b0e3272c864e56a2cc95e4516a92a2ad6

C:\Users\Admin\AppData\Local\Temp\MsMs.exe

MD5 cf1aa5b4bac780aa20cfdd9bb7a86cb4
SHA1 98be26d60610093efa22dc0c133cc7c20bd14dd9
SHA256 05395e9abbcaf7430e40a681a49a39678145b681c9c56c18bc1e7fd5db6d9c38
SHA512 1efea8b52ff05e1721651f282adf76e057e39dcef2f4d6d952cf090e6325f7decbfade2538ea53a497540eafdea3f32bbf4b65d10f2db8188e8767a056f93c34

memory/1480-1302-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1480-1301-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hAUo.exe

MD5 d209676ab0cc682ce3b022ecef190a68
SHA1 9906acb52df2daed1da34ac0234e96dcb025735c
SHA256 3619944adbff4dfdfc67cf25308ace8dbc1091091b71ca177531a665aa530bbb
SHA512 57e4ee85dbbd03ef973c21f05e88a4ecd9d48bd3a62d9bbaab5db7037a4a6ca70c479e143394082805cdd248ddc8e676278aecdede26ac0a679475f2ac5d1338

C:\Users\Admin\AppData\Local\Temp\PQYC.exe

MD5 83f66ea9331db03557bea508c47cc1ef
SHA1 75227cd8e33820769ac6440cc7d48a71c24b02e9
SHA256 3de6b27c167463e681bc812d128f6f6315049eb986442a5b77089758b5056bad
SHA512 ba16acdd366ea5e5724c9d355feaf7c222b4cbe55fd1dd1ac4c50797498a844b2978e76bbd751fc92fd8d377772f4e04510893ac17c32d7dda8ccf6e1cb01fff

C:\Users\Admin\AppData\Local\Temp\gcAIAUkM.bat

MD5 9a145202f0ca644d8aae147ffe2aafb5
SHA1 288494ad98f75391fc4692e82205827f275a7a06
SHA256 41c5032ec87699409c6daafcfd9984d9da030ccdf44ee514233562adcfb9a9eb
SHA512 82769b281f6a3632945e6f352c267981131f3e2fa5e079ab274e9cb1e560d1473c27c5e87b28ef20d97e6c233efae42930c435d80532b686bd89ba9dcd474f10

C:\Users\Admin\AppData\Local\Temp\kAEQ.exe

MD5 27705606caf832a2cd298464469808bd
SHA1 b1e98c46c61350d2560f66701c97513039c5cb13
SHA256 0ad85446c3de1e47fcddb1c666858bf0a8a8d6f65ef6ceffada7701de1f590de
SHA512 5cfc17520f28bb540ca76d2718d78c44c630dedb86b885df8432c811f5ff024a23af100eb99f0499705b5d5242cc361681bb0b0d3da116d9f5e3a04e8107a025

C:\Users\Admin\AppData\Local\Temp\RYoo.exe

MD5 48b2ac5a220b5623cfd5a91eb13e7b98
SHA1 b521b8d860cb3995c2d7cddef38fd6b9a41ac02d
SHA256 5e314e01e042acbb762b45e7de8789a0c7559f56c29932d11edd125d1ecdb6b4
SHA512 099d1fcc109b6e43cadc6080d88546ee844d24735aaa2b9698a393c4258d77fe7f636fdd4b9dcd68a0fe572b1a7e0544a27c27ef1bdbcc389a41906c9316e195

C:\Users\Admin\AppData\Local\Temp\RcUK.exe

MD5 0fde0b1df8cc30a93b6a3c56a47901b5
SHA1 45d7e836a6041689ecf38681251ad0300de6187a
SHA256 829f33fa9be1b23c9f3ba1bf0ccb0d6f1575d9407670387dff80c8398b2243a4
SHA512 98682ca25a59d8a97739197b852924fdd1fe26f2eb95fd03cc25c794c542672494e91225aa17f9acf202f52fe4fe6323109060474a87699eac5fcbcfc8ba316e

C:\Users\Admin\AppData\Local\Temp\JYUYwwQA.bat

MD5 074f2e275b3a855a5e413bf2a1cdfcca
SHA1 c1764e622ae085de506ecaeca853581929d481f7
SHA256 a28a00dedcb4ad086379c3b539a08ef5a713d58b94fa9c1b19e3cc5700549fb3
SHA512 8efd898d19bce321e98802f2f953e0805e72b280ae5d11e34f60fab2e2f9feaf9994ec6f5e5d9336cfbf0c603dbb4e465d9e6a94fd967811819b0233187865af

C:\Users\Admin\AppData\Local\Temp\Ckgy.exe

MD5 b3a6004b33fb38e138d2a6c40a8ed7e5
SHA1 82c252f9cff98eb0c0c2dc1a0664949413658b1c
SHA256 1d2e6f8c2447d8ba7ce063cc31db5661b64e3160e70f0a797f007df3a0274e10
SHA512 166efd8aec85736c2080ef67f4fc90067756ca3a3d8ae3c2222fe4c0e475859880f975cfcb97356253ea85f3a0e0337e649f83a7def1ebc8d67b0aa1a3d41152

C:\Users\Admin\AppData\Local\Temp\nsgw.exe

MD5 43adc401a5743e3fb3516ebc2e5acc56
SHA1 424547b2a48a81d8371681cf5874addff8b95407
SHA256 3ec0b35cc88d53c1884a5156013d3edc29fa24a83693b2e2953922e440643ed8
SHA512 86b4bd9daee71ee89f01b7a39c1ae530da3713b29706a7757a625c58b1ecf90227d872930d7ce104b47b0b56bd09a3597b7d7070691ecb568fdf934b38ff6b3d

C:\Users\Admin\AppData\Local\Temp\cIMG.exe

MD5 104a80fd0fb0d1d0a2c94a54d0f194d2
SHA1 1c0d198159dcf933a2b03e63a486620b6853075e
SHA256 6afaa45dd7be3eec7db24efb84ddc135b252f96835ff590b214a99660bcb50de
SHA512 6839a9e6e34b0b1152595f83890ae316d8260ce8208ba5dd8cfc5cd0c4e0ba4266f7495ce0e6532b0c7e788a77e42204c457c232c50ef5b4e0b347a9b4231567

C:\Users\Admin\AppData\Local\Temp\vEIW.exe

MD5 1ef1dbfc860b73484e3d46622fbaae07
SHA1 b51793fe782acf3bb7f29de9c8ff44e4520d9bdf
SHA256 e0d5afcc8633fa1374b53293f3094e5a218d4918c6e654cc218c5908b5fca1c7
SHA512 a32df3e8786f51b69a4606ddc227208fc6f2f31df152d1b6848f83d827ddd07dfcc75323ea8e92802c7f176d49b302aa15af0173dd7f78b12a5f8ddfa3917553

C:\Users\Admin\AppData\Local\Temp\FoUk.exe

MD5 1a2cd116f9e713e9b3ae93630ab44657
SHA1 dd172cbf5e51cdff3296fe58a2cd033cae25fa19
SHA256 8fc1e1b46dc957c038f630625567624a3a7533db6878257ac58a311df9d6f2a3
SHA512 769154407632fbbfafff221cfa3e898eaf814969c868314277ac61c28cc3ff52cca625ec28d79687a01d926154cb0b5e8b1677aba9cd8e9d35521dd1853b74b0

C:\Users\Admin\AppData\Local\Temp\XqMUIEss.bat

MD5 b0bfc52301b1bd6b15ee692764afc237
SHA1 6b1a94b89cc64439126a0ee083e51294da290202
SHA256 da20b170697dfd009bb9d4b60ef4636f201ce8bec5c9d4ce381e49ca22f9679e
SHA512 64692d20e269a6623f29b3c6211c75d7c1e2fee7ad16e7b20a5e487e80dc1a88d71168b73f0c228fee606a7fefad29f803d8f5c1a941f7e15fb5078277f5ed00

C:\Users\Admin\AppData\Local\Temp\hAMY.exe

MD5 514eef531f7b0972b318be10fd4049cb
SHA1 7a1feff331f6ea803c22c1eb6a3452865c66c351
SHA256 ee9f1bf308cfc2c61dda6529c4775062c24fa614d6ab0bf8b43edda452075af3
SHA512 8ba03b682c6233dd0fbac745ee21e3945f81cf96c2cfa78c8d7823642a7a80495ef08843613478ccecb33001484bb6c9a0eb86674bbff5212276f0da5b7b0e49

C:\Users\Admin\AppData\Local\Temp\ycQg.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\NEUG.exe

MD5 5ee03e5d960020b8463025571c1b9869
SHA1 d1da3a72663d9ede5ba135b9ea4c1b845f9148ac
SHA256 0be56cc5ae4148ec91935ac9619e97609118d87f41d0d9c2e478daab9e8e7cb4
SHA512 b2772be262128277f39e510de9668c1de73524407518b8093a560498f278a39c428290c4d025e269ddfc265408054a11b9b33252e97c475cfe64eb9816fd8ca5

C:\Users\Admin\AppData\Local\Temp\YUoI.exe

MD5 bf2ce056a24d1052d9fdc78a09d7987d
SHA1 33725f79a421e3769e08fcc19d27d36c5d0dcf12
SHA256 2622930db0d26d5916d1a08307d5f6ab2f52a3a58e6c64befcc72d5637404bb2
SHA512 c6d768ff6293e69d4ed89f536a30894f1798b6f80bc8e8eceb9a472366ea016201aca3a376ab809f71f9381b71d034b4be83730e1888b4033991bd981630c4b8

C:\Users\Admin\AppData\Local\Temp\QEoK.exe

MD5 8974da46ce641304ccb515f46cc8f849
SHA1 0c1a108c52a72774a71e0056f704057467486835
SHA256 7f49b56eb323ed53468261725f0652d7e2c83db104acf31583067a787a0cdd10
SHA512 ebd5145b9123219eb36fed4cead81f5cd3d14f722d5f9a5efaead9839c2956f1692ffe33eb436dd5128437ecfeb73489aa1d9c89fad6446b4aac1b92afd7d6de

C:\Users\Admin\AppData\Local\Temp\DssQ.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\Pictures\RenameSelect.gif.exe

MD5 6138c78b19fb869c4edd81cac303359b
SHA1 b6a9db616f1e8840b0dfa345e2e6bbd34985016a
SHA256 a8dcb4bc4663ef145aa4450fd8afbcdcf27e41e185b6796d41b9084004d59dfd
SHA512 e4a715a317a3a865ffaaa665316cb575ddb981419292a7440c24d2b9bed241bbd2a77485f35c662155cd6d4f56e0bb59cf2a6a45f1547dec1819283e9dc34b1b

C:\Users\Admin\AppData\Local\Temp\qEoI.exe

MD5 a9bb3a393e5ec08cf61630787ab4c334
SHA1 044d95349b9eaf215537e0443000e644cab4e0d0
SHA256 5d939971ebc2436380765f7b6a371f18ca3cbf5ed8c0e744e5dc8e1f928df988
SHA512 fca3aceff18b4001f591d57cf99b9f266dab1315a4e109736e79e54c8d37821357fd6e0a96f2dda73c9fd3bc9b3f64d9a5095cbfa65fa412d7e962a9b1f4ce6a

C:\Users\Admin\AppData\Local\Temp\kYkW.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\zyQUQcEI.bat

MD5 f291de2b1d4ac3c21f28f5b8e871af8b
SHA1 f9933d8450c2e9aedb7926afa96ee5256036a327
SHA256 ff80207096f54c940fb1b019ff2b957a8ebc9640eaa2073f2d7e239094f72ff9
SHA512 4574259107f5d39c37d8075b0f56537fdd0054c9ca3ac26937b9ede42073510117e30a6d6261c51f3dc47ebf58555d0b3213a0ba60cd43af8c8daadc5180dcca

C:\Users\Admin\AppData\Local\Temp\SQEc.exe

MD5 55de5caa756ab788fd3f0121e5459e84
SHA1 413ed81c9b784099d3b722782d683c60b14f8330
SHA256 d5e35d70f2b4558d1bfc3e00d96afd5aa7395790b959326f3399aee5620b4294
SHA512 544fce0c53de72270c35ca847fbaf422873816864b89834cfc881edb1cf19282b87e003eeb741da008d3a33f5cd64ccb66f85ea498381d9d498ddd9d590ebabe

C:\Users\Admin\AppData\Local\Temp\bwIe.exe

MD5 f543943e8ae4433fa007eb4b80d9b466
SHA1 dde4e5c9edc051d648f50c67a0cae3d5d1b8c186
SHA256 12c8f59be66f4ef332a212a22ebff5fa090f66b7b04186606065c8131763b825
SHA512 0441334be57ffbd166d9970d16cabc8a21c1c88c9d36d211e7c908d6d883b76cab85ad73c08df4db6888cd576b650e29b9773938eb6938aa1a59591c178a23bc

C:\Users\Admin\AppData\Local\Temp\FAkc.exe

MD5 16be6dba980159f0a2d08dfbd7c639b7
SHA1 995e722aafdbcb03701d40638369c569cabb4d7e
SHA256 5a311c9410ea34ed896318eeef4db5674622eab5038c2f4525f896cee9868853
SHA512 23d36bec62d82cd1dd41f81a3655c7c52b98fbdc7520b04d6cd03056472458b69370babf5e3ff3d183626a31b9e970363c7250bced707fa31e62643d2a9cb471

C:\Users\Admin\AppData\Local\Temp\wOgMgQoc.bat

MD5 b5fc7526fcd7e41dffb4b1aaa41cf68d
SHA1 e65a61b59ff6b6c5763f9e1d0405ecf730ff26b7
SHA256 0d3554ba104f55e890aa4a63c349fc9b5c1d410718a4bbf14fdac292d908975f
SHA512 0319c8e2468e3c290655c54ef0995ddfec5568f348f54a9d17f432c0ccde307037948ebbcdbec43f5b4c0df7f09c2ba63aa4acfc4a2ecbe11914489ed1822d5a

C:\Users\Admin\AppData\Local\Temp\bEki.exe

MD5 8930cacbc1d774f921658967bf23f389
SHA1 c266d621e8877e1ed34e2ce384a25ebf8d4ab942
SHA256 9b0823dbc545c3066f24cb972b5bb76dee878b4b14682987243c650c50e5b0c0
SHA512 bfbd20593c93b03819e0350e846743dd9af435f9fce5e7ec3b0e7447c4386ef076622a425da022e3f64badddaa7183005d0983a0a7331f1318cfeaaebee74ecd

C:\Users\Admin\AppData\Local\Temp\HYsq.exe

MD5 df1da2d4f4fc1811fc1ba005ab79f804
SHA1 95c5969bc8ea2b21e00d0a543069e43377ddc285
SHA256 c02eb2c3069a78b32818210683d2cb6014783f041f905d9dfe820fe42d90f848
SHA512 d7a225f74711b4bde64bedbcdf8dc32e9f62282a277f513a6a68b5a8a1445e439736f00c85496abf3acf1863b2b74c2b51c182c72ab85157686a5737f114c4cb

C:\Users\Admin\AppData\Local\Temp\looo.exe

MD5 4f4e54c9ee6c3f9ae2b7d997d45c07e9
SHA1 858d12c74484a6dfa61579d8b36972638e8a219e
SHA256 bc3d0bbc48c4db37e531060c20b4f4cf93ebf077852118acb1bdde25ef0b8112
SHA512 125ff693cf6903d2288dc755c3066eb38788c2865e9be05f239acad43da4ef0c4d0023cc4fd0c1937e8d3a20b634c517b9c388ee9d75001399bb17227f7e8946

C:\Users\Admin\AppData\Local\Temp\yOAgwwMM.bat

MD5 011cec48903630e1752c409be7a12b65
SHA1 3d549cf00b10b780638388affbc7d179942ad1d4
SHA256 c83b0d4a0f302ff3f2bd0bc83dc82fab9255d0826c108bae4d74fa7b5d6a46e3
SHA512 72daddb22e09b11c67a9116b8f68e870dfd175cb9b0d2c8f195432c72d71e8cb1b217ba7d03fbe42c92264668ee1ed39d3eda428b8b8540a512cfae02ff50c59

C:\Users\Admin\AppData\Local\Temp\VoQe.exe

MD5 c4da48bd58dd498657125cf6f0bbce1e
SHA1 89121380ad161586b775433e6ec9d29bcd3aeca3
SHA256 24fdbc8dfab137031f89506ef114f99cd58089ae5d98aabf3aca8e9ccf9ecc63
SHA512 1cf2648ca9060a577a7ce72860907f3bf995e79b0a145415a7167023148f21ebc1e108a3f1eabc9398693b84cadae27161482c4d1cadc21b6d5313aeb6f5e10b

C:\Users\Admin\AppData\Local\Temp\jEIE.exe

MD5 5c133db2ddffa3aad1ff57d28b1571f7
SHA1 abda1edf25ebf24ebdfe2de8feff10d1bd6e47e5
SHA256 8c8f1395541817c8a69b5eef6389aeaf1c0191c416490e3e4d9e8b738e922816
SHA512 6eb08a17d828b9ba28645727ecdbb93640b20f0664c4553730fb8fbae7b958caa5bb1919c80903b04dfbba1299da319266643e24e7f1a0362b49bac521804e30

C:\Users\Admin\AppData\Local\Temp\tkAowUgk.bat

MD5 906910b1b80bf2c20692bacb08fb4a0d
SHA1 571ab0d0c3ec30b6f1768f93fb89688575aefed7
SHA256 d2b444e2f4758ef8b8215c7803c61bd0c5cb916df81d4e5bc7ba8001b3319cf5
SHA512 11d4166c3e0a9b2a63457bc02bedf7484edac467d584308071390753ba10467110f3e3b6818f14f48839f028793ccde6699e8ee4e0344aa3993c0dffbc64fef2

C:\Users\Admin\AppData\Local\Temp\sEwQ.exe

MD5 41c9d3bfad3ec361f3c2d601150e4177
SHA1 f57e77a3d831a0c1ddb887a824bd2f9b3e4c1d9c
SHA256 b6757aa17883248401eb08fb9666306689fd73590bc4b391b380910e8a2424b7
SHA512 9a40ddd1ed6232144762114d7ec9851851e403f6b0d84aa208fe21b30b680a9d7c6e46f327a701585cae937d2e5e05406a03a4631e0414d83af4e26da5f5c430

C:\Users\Admin\AppData\Local\Temp\qwkE.exe

MD5 cbe918d8a0c10c08140e5fe713f0fa71
SHA1 63398047a233f242489063ade1edde3d35410246
SHA256 677b5512c76dbfa11237b96e6da5a7b96de5d7f9c0aa1c2e056678b434b9f7d1
SHA512 7a4ff5956adb644b9d762e7efdd6e4606be7a915e515fa3f6e39e111dfe3c1f0c635ba0c1c8bf3640fb7b2d7e2eda1e5da6f7b4119425123efac4da6c539d5ef

C:\Users\Admin\AppData\Local\Temp\gsEg.exe

MD5 d12767e506df5817526d777068b94bd3
SHA1 433ca79b73f53e02e02f66378520a97708688021
SHA256 a18cbe4cc072e6f1ad871777ba440a6d35c3c150a4f85ec3ad993871fbecbdb2
SHA512 fb6ae03238810c565378fbc075a470036ff17dc699d759d871b622e93196eff72cb1376c19161443affc39eed85060e778459266c868768a2e5d2288e67ee649

C:\Users\Admin\AppData\Local\Temp\ZqQQMMAE.bat

MD5 0ff1657833f910438e9ae59c08aba1bf
SHA1 16f494cbc26ae110d67af3a040ce85161089f91c
SHA256 ae454fedb9731bd2f4af40bce012072a7e8083c4bb5674de7e71bb3e71c5670d
SHA512 fb9375694a776651bdda6575d20a0fd30fe62289e78300311892778d8ad94576d5a2c1537284ddaffe587ba6d9289bb75fd12a0c9cfdf2c679189424dfdbd562

C:\Users\Admin\AppData\Local\Temp\BQIi.exe

MD5 559664251deb153acd1c93be463165f2
SHA1 edffc5ac949e9b8c34c456a479446dd6f1e29041
SHA256 da18c5a533c4ace82ceb609112bc43ad64c7819b653badc2b60055822bc13e46
SHA512 2ac2d03e2e2a330cc1299f8850629b41ccf3307d488892d89c7d7392726f8d451612ecb07c6689350930ab53eac063a254ae7bd6167949a716e2e80bd17d30e8

C:\Users\Admin\AppData\Local\Temp\GAwc.exe

MD5 7b666cf7386d9fcf817c2fb1ae5be89a
SHA1 e74e61754f35aefad4e7c53253f9246e6c037b2f
SHA256 e6476813160f2570cb93919f5ff41d34398f60bb4e9d5827e74f04a5837377b4
SHA512 c92056b3fd706e659d8652c38941a3c43f0f1ad82332e9c3e0be9eb6a44d12b7dd192f77a03fe3a59ffb4e0f4419c84640b382efd252d10d347ecf78e96d77b9

C:\Users\Admin\AppData\Local\Temp\OEsc.exe

MD5 834f6f91b6e86eb7d91ca0d3a98c2a40
SHA1 aedcb2056bfa1809c6028f4dd25be1fbd402e00c
SHA256 c79cae4d901a63a7a2358917e61bb4f34684d896e8aac075f3761431f5c1d059
SHA512 9c887169f9e80be47c50944aaecd67cb690636963d331d2a50bbeaf617a818153aff73fe7bf62862ebe0a1f17d487bb6370bac4893e5ef2a12d4d48d97c1e4ff

C:\Users\Admin\AppData\Local\Temp\AwkQ.exe

MD5 c81a4820de0e4639f2dfd4ce9f80cb6e
SHA1 cc4e57c8a0fcf86398458e88c30f5e85f8cee63f
SHA256 1f3d95a3bede62e55b702a779b38bf905995e583adf4a50697386890d980b0be
SHA512 14d5813084fc4985730732fdfb1990b2847557d5e33aa41d3544e7926e104f6864f3007dcd5040ba4896ecea64cd2dd768c3b63d33d7002e0b0e6e0eb35acd08

C:\Users\Admin\AppData\Local\Temp\wuoEcMUg.bat

MD5 27024344c0d22b7e36510e5a33bef226
SHA1 607674c0d480ca57100202bcd33cec1bfbc3d9b9
SHA256 f4ac21a4754948a40df41acf5160927c59c727cf8042e470cd51d7ba8735bfbc
SHA512 d5b6976a767e981f7a54d736cc0c4452749b3fca6a5060a092e349782649d4154572b66d6771af91be8875d6cf116f8c24f6e384185f16eaaf35206fd3acff1d

C:\Users\Admin\AppData\Local\Temp\CUsy.exe

MD5 8b155eb03e9a92a01d378ee2fc9a50b9
SHA1 cd7ed84944f70265f6f0ebdbae26b85b7de9b469
SHA256 0675668ed4eaff635ff7847469f793d53682c5afb5ff338bc240ecae97d44e51
SHA512 f198bb79be08c144536560cb54c12cf619bdf6896cff0c8af6acd02c8179fe60f142c788db2361008f2bc5fe8380ed6d643784a5a9de5e21043b48f15e73afd9

C:\Users\Admin\AppData\Local\Temp\qEcS.exe

MD5 eb6ec15c1f5b31abab9f361a871af018
SHA1 9bbbd8e4197094178c01e59318240d33c4dcea91
SHA256 f1e2cda271ee80ad297ece65d2cff68dca5bfce5766effa373aa68c3ebe6876f
SHA512 f6e119d3506e65f3a683c0e7357894ae7e6151c697e368f44d06611b81212434ab82bef35c6eaa6678dd55e5fad7f21df17a6552d399d5deea43e1cc28e21033

C:\Users\Admin\AppData\Local\Temp\KgsE.exe

MD5 734a651b6437e9062dad4889f921c976
SHA1 c67401c70f1f8d7c447fe3452db7f932515dfa28
SHA256 f47891d39ec93fc9d7c11370674dc4388caa39306a7e2994d3a7e40ff19af3be
SHA512 2bed2e3f3077d5a612801397de9c4a3ac4bd10403707b209ee175ce4aaa16a8dd91c248b73c5473108235a5dbf51e0c102e718bbefefab2fd9ca92f7a163117a

C:\Users\Admin\AppData\Local\Temp\UUgYkEMY.bat

MD5 64091e5f933d9ef7255357aa01cd3d38
SHA1 53491f3eb1b8b31c2dba1604ac7529dff79671f7
SHA256 e8db3e800b47b49ce1054520cbf588978305dd273b34e2562e87895b6207d2de
SHA512 f00ccaaa0235e651f586f1ae3eed19d0ec5682ec65fd08ec6434da6105d3b5cddde5e1c284f03854e4e07eee4f0614125994f1c5063e5d5204935ad2a5676ac3

C:\Users\Admin\AppData\Local\Temp\wkQE.exe

MD5 2a37ab35cf22a93254673ca37ac374d4
SHA1 5fc4efdf156d6d88696f376b24d844ca35390123
SHA256 52b88bcc551a5b2ebf68df15500f11daf4ca592dbe4e216e40ccca9817155053
SHA512 bb7c23ed1838619759111480f4141824a8ed494034b4fb76d0a6d131ccacfce8c083080aac3d6a06679867e9cf2511d86ebaebcb42669a722dcd11843de20917

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 a417740e7aa08ff845521266c75ca88c
SHA1 5199b442493b24977cbe4c5bfaffd839d060b401
SHA256 1f2baf733157112419acbdc4ccc3eb0a819d0ae8b8fd437d91c7f1098da7b66c
SHA512 5a5a2d709301556f5e2647d3844c2f7da324276ef9b9a29c804678639e5b66bc5b26b2e62e52dc1318022e4005919b4ad2a1728c30b6e29214ee4b45045c8482

C:\Users\Admin\AppData\Local\Temp\BYoG.exe

MD5 472938789b2276d1d97e7f1d6a65a79a
SHA1 cdc16c282bb58558d31cc7b86747ac067695fa7f
SHA256 6a471933acf6e08474aaaa1cc6652b7eed0a8c69ed7f4bc5444d979455efc695
SHA512 b837743ebeee1d115f3be9d70daf00eaacba6fa5cc492275e54c59d9f74a264c9250937213e033415853e4709b2e7bbecd0d72cf0018def255f1df2e02bf813e

C:\Users\Admin\AppData\Local\Temp\zcswsQsM.bat

MD5 129296df25d709b812a60619fa2fa37e
SHA1 e0043d12872b4c0cec681c5911a16ee0ee71aa47
SHA256 e1b3719723def585bd974fec6b07d83f1bb3b7eac1c117bceae184628887f24a
SHA512 88551bfedef7153d6a6a84eaf743b9b623274d4cdf33263c31b98494c8debc83fc6497f45c854d33c2eb634f9cc4a1b1d3b7bf29267ea211c3830597cb344c22

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 9ec28588e8680a528e6ca343ef2fc828
SHA1 b2979f9ff03a3565487d53a91a050b76ac011255
SHA256 a48fcdf992f670bf98d37a1f04fff907240086009b34a902d0890f0ca84379f3
SHA512 41a01ac35a81af1b6a531ac71a6cab390305ae00a54aa9be947d867f56dc18119225740eb5d166ca8fc55c447f74e82518304ed5581ada78ed4554037de446ae

C:\Users\Admin\AppData\Local\Temp\oQsS.exe

MD5 7ff8c63ad53babcc8758f175b2cb3ce8
SHA1 ed8d32e142e954000e8724cfd458b9ae1c36d313
SHA256 7451e21a0c428addd2486c2595027881ecdf3c676bd23614cb4df9cccbf0f006
SHA512 7c2ad14a12b84a3c90e48610fd866cfcb00bde7a1575e27d40ce4be524a2a7bd16f5e60bad2a7ac43ce334fffad776b7adf95c30757a28386450d23bc52c3c74

C:\Users\Admin\AppData\Local\Temp\sukAYsYo.bat

MD5 9ebc600d365d85441efcd2a7b868809c
SHA1 8fa302ca5fed84440e78be93835b208c30f3e7aa
SHA256 5539f4e1cec295c3f705ee456a1beb833f8cddb9e8c9a960e70ac3c3bf03f8e2
SHA512 cc528fa8f71119c2f9baabd8783ca6f99ea59d2f14fc371794896768e29654666603326cfcd9619261097a5612b08dbcb05bc72376bc889f0f1b1942492798a2

C:\Users\Admin\AppData\Local\Temp\GQQM.exe

MD5 b5ce535123245e9c826d57610a5ddfca
SHA1 4e1af3c5600599ee64c203fa950b4b5bf2fec84c
SHA256 5de735656baf6081785d558f974fbf215e8d05f20db8836ce556c578a9556d47
SHA512 cf1029c6fccd2ae71559ba613c0406758cab81add09adae6f3206ed76edd1cea5f131e2ed11941a61ed9086c7d0374501a7b57922eb1dd47b2116a9e962b90f4

C:\Users\Admin\AppData\Local\Temp\oYsW.exe

MD5 2a298e76a70dc36983bf94c3f267c9b7
SHA1 2efa2536e80ae466248349eb170dc8c82b7d190a
SHA256 e38f6d01bb5ebfb3adcd3995b46f0e36e53d0f1d8fa927d38ed3889ab2d18fa1
SHA512 7797392fd1181fc7c64062fc23c69a1bcd4b652f012b762e24df065fd0c7ea33caf1ffde504a2d2f39d39b07c39a53b1277f5f76c273172d9535aca28615b5b5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 5336955467f078854f8c04cfedb757d6
SHA1 ba7b6fee8a47ba58011e000540b4913fecd96b60
SHA256 396a4e9686a0b861798f5b689411332280cd6b1d4687ed17d743b83245c58064
SHA512 226f9a7eedf3f46b96a6ad9b1befb29837c03524988ac14c6b067aebe809cd2a4545be4a5adc0d99ca40bf36458cd780243e4ab771ebabab90f686a077245815

C:\Users\Admin\AppData\Local\Temp\msEUEYgU.bat

MD5 fa0b3fb5b78b342110ca0076a2fa7088
SHA1 3e5d05064c0ed35606d122014573ae3e7041ade9
SHA256 39e88c174372442281073cb1e16c151250185f951363dcfb5e6b819b7bf3a1f8
SHA512 21506c60c5f601c5653a78c6794653f2857916e05ce824273724f774103b7cb5b6cc0d00040a78d75bb18cd5cf3030b0824e856b1a36cf483f4aa9a8cb4ad9ef

C:\Users\Admin\AppData\Local\Temp\WcAQ.exe

MD5 0b3dde884a09428b7fecc307a4abff19
SHA1 10a094d86ceb22c6e8a33b09cb5f61fdc4503f76
SHA256 d0095d8d4d0867f8a76903ef86a2dd4a73f21bd51af9edac0c3d8b7ed3d8faee
SHA512 4fa33520319b92f1085da0f04c9050a7ded33e86b7f695e90a999f6e7d2a017d8db4f8fdac9290e732c87ecf8ed5f9eaf98ba2a7f1e8c29a401d3f8f26596170

C:\Users\Admin\AppData\Local\Temp\pIQO.exe

MD5 9fe05208a859cbbe0e75eef770e1f244
SHA1 d433107e497255dc87fbcf3432c0088d4f28b8a3
SHA256 d9023f388cb456a9bc96b344ffe4ba954c7406477ea959ea7fed9563937dd6d5
SHA512 3a4ec88b412da175c8d45981448f2130b96f54fcb8a468b5f27ae08bb24dd4757634c71448bde007a855f1db2bf641d993baf7e3876a7a6412ae195f9933e97b

C:\Users\Admin\AppData\Local\Temp\DMgK.exe

MD5 5d119f9931b55a865121d81f06d60ab5
SHA1 09431eb98269f03d55bfa2b480c86fba4e94bd2e
SHA256 57ed6697866c2d836beefed98528fb6266ec5b638c729ccc10e31977719647fb
SHA512 1365a916b596dd8155dd38aff7a32d47468a64dd7f54d7cd38d933d36dd5e0a77b59feb14b0e1c663d883a2bad527d404ccee6e161f5cc7b158856425e3abc35

C:\Users\Admin\AppData\Local\Temp\zMQMcMIQ.bat

MD5 75169cbe05bbbe328deb5a6bda2bead7
SHA1 b3e5c8a6cadeab7d005e3c4ff103296a448ee039
SHA256 228e5aac98f144a83a22cbacb344025e4d83ff7060959552649e64af82f5f86f
SHA512 bc4c4d6ac94004d8e33f390b18e50ef262ad9d7059e5fd65ad3d9583514a0d0c265d06b2fb9ee196aa2bdddf85955ef523c74e02a2fe2d54bd4ad39138340f5f

C:\Users\Admin\AppData\Local\Temp\EYsg.exe

MD5 8ea4356a72bb6c364815df20fbfdcaff
SHA1 53d490d79504dc4685e9bb81dbeace8c3c5bdb52
SHA256 6c5b676fc647b9233bae817428fecf75b03352b238cbaaae07a04c7090ceacc8
SHA512 7d008a292da0ac606ef43cdcaaa97aaddf005575d83375a6104938d1f33e95609e34f6bbe28bb100854f9d7fbd24d3651586bc89a3500a481219153355f52dc7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ce2d82d3832ed23b4e199c955f770cc0
SHA1 cff03eef08f6717537a41a92e46968279eb60c83
SHA256 3cffeef5221c0e5142f9cd20c9e97d2afd6babf748d914e8026a672775e851f8
SHA512 ed414b516757af4bd136899db0d725ef08b02b0b51c9c92349993fd0b1ead927c240a4a2189353c645e5b7c61b3c0ac8659247357b57e90a733c86d8eee7aaca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 677bc379a5592f28817be777768def20
SHA1 e21454c791738b9c8967ed8c1f6badd6816fb834
SHA256 450722732ada1f265078e46ab410281d2f75cf3fedac10b42cac76d3217dd64b
SHA512 b4e8ae98d6143e3272a66f710b0be16fbb4aa95229556306a463e2bb27fe0712bf0e171325999436a3394a3dd31c5cfc97381f2d23517f2f20a78942260cb1e2

C:\Users\Admin\AppData\Local\Temp\rYkYYsMA.bat

MD5 3dc538d0107baaaae8d2d26816d83111
SHA1 db19183d21f693db6a58177a3e83bbe1188defc9
SHA256 d6d8d7f7c7c4450487b1b88a43250d7b33c4005ec2ce101db4324b824f9c6369
SHA512 6ad6f10213e975f7b04222dac544c4879f0e5a5ad53cf6cda735e740c04b9183898bd02b71361fce1eca40075aca589b1001cc9f27d7521308c7fc3c67d58c39

C:\Users\Admin\AppData\Local\Temp\Tccg.exe

MD5 06141c6ddbfea64b6ae791c7698be65b
SHA1 8fe3a3cc9dce5a63ea3abf5b537e59be16ae5b5e
SHA256 280a9a60ee88ee6dd80f3ff561ebd38b2f960f9a53dd908527c4e79e68c82fa4
SHA512 465a10cec2977a813c702d3b6c495b1ae3338d917a17a95dc998d87ec9704345ed70e5056bb97005ac01680b3bc40778bc8810e2676013741db1b317b2973809

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 77b6c256d2d05f2ee19ddec4113e81b7
SHA1 2dd2f3a4ff75273bef8c60ad9e62ba58d5acc81e
SHA256 c5c9476fc5da76204389ae102036ae206c0784c107fdf01916c8e16ba2aca5a4
SHA512 09952259b0ab3d5269202886f262830513badaa252c8ed740928971adf67d79b4dac904c28027910051cf79fec54422f2957a1954d5302f9373a1dbde89f2887

C:\Users\Admin\AppData\Local\Temp\PYQq.exe

MD5 256a04eb02afc41c4e42e20d85524dde
SHA1 afca85ff7a9c4a694288073c7e4e839c2a3b59a9
SHA256 d264f7fee137c37928d9543b6c42c37d71d701d6c30272f90a5a33ef3892a4b8
SHA512 3fbeb566950e08ee60b794d60f13e4a2d881951e0247f27e0e16f9fc12652cdf92a93af3acb506587bf49536229e13f45c18dd50f240a0976417ead889786ecc

C:\Users\Admin\AppData\Local\Temp\KUQIsYkE.bat

MD5 def2a0711a817a736183b6fcec91a3ee
SHA1 58834cc24a18fabcbe7efa6b74e41a729a8f2b45
SHA256 28dda8c7d7b97754d3c7f8eef0c44c9823910b2566d2c5a1f01c933187dc0495
SHA512 32c42d64eef168f8ead738325a6410e587ae23997375b03aab9ab4ac0fef76f203eebc572f068759980af38fed9d3494e8d050518fa51deaee4fada6bc31075e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 abe57cfef418a6c80757ba7a563d3d98
SHA1 a7ddc71b0893066707649e26789c85e727826e24
SHA256 068f03f7e3ad0dbbd1b52a90be3b2cec94529799398e7012f4e66e64978035a5
SHA512 af1a837dcc076b7098b1fd3994d9b924884c20c95a7fdd85e629272da6d1d02a46eacc16517a1a7b54ffcfdabce2932ec9b55ff9124810d8721c3f4177dc449e

C:\Users\Admin\AppData\Local\Temp\NgsC.exe

MD5 497583a89f3e7d204fa1d29821f5d58c
SHA1 3f09ac340e065ad8c11741f00d670375589aa100
SHA256 a2b2784d3f376c6a7b9d41d16bc9ec4606cc1e935b77878cf265dc696075371a
SHA512 a06d55af24a1fcb753f80ea19a380606ed4fec82cfe1b7d19b11b6a8045c5575858ab80e14cdf045fe76d4f38969a8c350a0ed70fd67229a70c3f5aab8b86fab

C:\Users\Admin\AppData\Local\Temp\mcgQ.exe

MD5 ff64e0ae87ca287dd81393ddcab3125e
SHA1 9ab35e40af47bc50003609875b001e6ae6939f29
SHA256 be19eafa702c19587a7bbec64b2cf38817e75f6127327846644ebbdae29d0897
SHA512 36648f9f11f94dff172e445cadd0973c59b6e27ce24fb13bfa62594a8c394ac76212cb98e4a3d4a0aa22041c0448e3ad079f6bb31984eaab029b637e94bf8858

C:\Users\Admin\AppData\Local\Temp\WgUa.exe

MD5 feab7ec28f64c57df18f76ff403a9155
SHA1 752080bb5442f7c116871b82bae61c1dd3f2f0ba
SHA256 d05359e5d83de95b408101427a5b993c3d30d8320c29ca08f1ee15a2b0e68e60
SHA512 be57bab647f7c95fb3351b74b95899816c5609e1438609c25be2575a0687a31567472c569a74f8fea1fb5c4aa8c2025fac6ed3d5ffee8d89bd1743c5e7949819

C:\Users\Admin\AppData\Local\Temp\rsEMoMwI.bat

MD5 72ff2e443b895a62bd0c9316d22ce6d4
SHA1 2fbf3eb319688960eaf53ccecaf112e58ee41c85
SHA256 0430fd6bf099dde24fd4bc91f27debfcf0ab38acce09da75074ac626379b518e
SHA512 a7ce5f4eb48cdd68330e2929eb9ebba2fc9e0156111aeb29ea7ac1a688536d9a22e08ad250a912720f3fc8d42068a48603685f50b9c5627da20091f5822585fc

C:\Users\Admin\AppData\Local\Temp\IwAy.exe

MD5 ce4fb513c614e9f62a572f7e626a10ed
SHA1 9772619872c645453b8ae9194081e3846e2c64b3
SHA256 298a5b5c5f4e8a47e90732ffb5b6044ec780d466d89314e03f5474c5fb293909
SHA512 c9d64a6b3d7bb03eae0a4a14f88b03816c8b1513045891e8e2158583b6f5e1ec4dd1f97b5dc4daf36ea662f67ddd2f38724f19260af0c13ee87307ee624dd85c

C:\Users\Admin\AppData\Local\Temp\HwYY.exe

MD5 256212d1c101702d944f6934fa4b5e88
SHA1 2f5ca5879854ab2b71eca0e21eeb56ab2d57647e
SHA256 a61abebc6bdb7bca98dc9fd88ae7da39638c80589af18510120ec6be0180a1bd
SHA512 9511872bab21972ec16085028b225c2f2c6d927cc3644f256f9c96ad0a4b1ffc2b3ab0b5f5e9cbf5afb0c6c7e487fb829b5b369677b64c6feabe3f9a64e754c7

C:\Users\Admin\AppData\Local\Temp\mgEq.exe

MD5 c91ba865c5524d39372a78b04aac3fa4
SHA1 9441e30fc9b8c0f60d6de8e8cbde801247c02be9
SHA256 279b45e2fbe5afd466bada1fc7edf834c57ce43906cd91ae98ff9763edfe61a7
SHA512 0bb1a4fcb7058c2d9d1920b8a3f230f9a3f82ca9acbce65740fd92804315d29b54422d63d8f2001835fed9ba6ffa73550f838d1612c068930a5dba2b384bf56e

C:\Users\Admin\AppData\Local\Temp\SSgoEUcI.bat

MD5 7194f4001fa26c34029ce3e3d86532b5
SHA1 d4e1981c96068a9b9e5f831478291f4f0784c71d
SHA256 f05a8934348903942e3393025eb9a3ee5e8ccea2c8f58575731482311059a1e1
SHA512 a81ad8cfe46a0061d9809b29ec54c9518b5aeae5103f08f7d7ac0ee1f4d7f2a30fa7c8e4f49c6b69d917a7040c3521bbefa877262c0b064fe48c8b20f6c505e6

C:\Users\Admin\AppData\Local\Temp\jKgAkwIk.bat

MD5 fa18280255309c8b77e919ec2f951f2b
SHA1 a86e8649da4f60a00872d465a6f32e92ae3d07c7
SHA256 cd1ab41e85e92d4b3c766a81988e938f3b078a5121f7f69904ec99feca03efbf
SHA512 a06fcff10b841d96e8e963bae268e4247b23c455b077919bcee3300ad2e289c6a2e19711c949b29d05b526c9299552d6dfb91ddc8f017aab505d231a50231fb0

C:\Users\Admin\AppData\Local\Temp\DoQc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\VIYq.exe

MD5 976f8f31c5bc3b3214bfcecf42908e15
SHA1 bbdf0bb41793642973c893d42addbec4d597809e
SHA256 f9a9c44e036e0e8791dbae129522c521a2ae8539a08799dbe8b8f1f4912c40ba
SHA512 0d247f877c04f7961c767709aba4ae5d54a064c4ae41d8423acb3f837be255c3caac0ff0ea7b5871c017ae82ab0e9e1fba112c8110899741212d5f1e346bcb7e

C:\Users\Admin\AppData\Local\Temp\qAMI.exe

MD5 beabcae923b2a3e7dd5821ec687f1253
SHA1 301607a23d578b8f59f434daa610148270873054
SHA256 680bf058f5bfd787be6e7103fcb4656e344d27f9194f0540513e6ecedde20d06
SHA512 cff4e0d521942f0efcb5b9aeb173359356d03357456268e9ba5788183f0d23db5c6049d2831a39abf81c14239426bf60ab2800b5f795521da9b20ce1074d7407

C:\Users\Admin\AppData\Local\Temp\QiskIMoo.bat

MD5 a6f6c0ea8b3a4f5560d4097c6664bea6
SHA1 7846cdd61ba79b401e821cc40758fb06af489ce0
SHA256 049760814019a01b7c046e32d99c90ad18ae76174ba00c12c99c0bb86f86ff24
SHA512 c6fca9538d3908a11f9fea66598fb2d84e9a2d989aae9af8892a601d17f741dc4c3e31cd3e6174723132c7ca8e47e75680438951108f772e717d095e1aa541c5

C:\Users\Admin\AppData\Local\Temp\YYwq.exe

MD5 ae5b34b6d83ac824458ec5e139d2db2d
SHA1 d108efe7fa413e53bf3ae1f4cb557a95485a7419
SHA256 1f33dc3e05d82ee6e23539597db7fd8f2dac76185cacf0b0be4f16a5b7299ad3
SHA512 729902bc47239fb3a85c8c938c759ae327696b2abcf404c5642ea94dbf02b05d57e272de991e6c13fba654ff318da9d8154c1614a3ee01dbcacb15d011ef77c4

C:\Users\Admin\AppData\Local\Temp\Jgss.exe

MD5 75e45381b8cdddc6c37609591530baa7
SHA1 f93cf52b618b97226d17581de9eb352eab2ff650
SHA256 da7bf1e3c901a2aa09c116c60aa9da4d178d214c3047b08d158d3b55198186c5
SHA512 9539210e044394e04e23df25b2438efbedbc68ea4ab4f4703b55e92f9a8f00e5111730497755e65b5327bff82d1edb543682f7e8218a5208ee1fcd946db22624

C:\Users\Admin\AppData\Local\Temp\eIck.exe

MD5 e61f0b8cdff50816ed565599de97c85e
SHA1 bfc5101e98c7568b43ad15b35dba11f2a65c2e8a
SHA256 7848a1b1a5dba9664abbb30a77ff0c9e888e4d2ec6edbf09466fed65d8d077bf
SHA512 842bd0922e77a88192dc33b2b73d50d2eca46dfbb66f97260a4bab07ff8e5cff13a9f9506f3fe15bc5ad4426c318b5b3583e418fa17659d1363c44494d597e9c

C:\Users\Admin\AppData\Local\Temp\MYow.exe

MD5 9b045ad6a4577e8a70d36943db498b1c
SHA1 96533fdb087909a9833337479c077c1101db5da8
SHA256 1d0b73a532b4ac332ef1d3ad6bdb9fb86e06d89dc380b13fd4e5be29005381e1
SHA512 a5fa8edf38c8913c89468d493651ac95d3696588464abddae882dfa95af1f9be0001431d278d8e90b7deb19dd7d71c7944d038f7a8fce4ebee22e69f1ab23873

C:\Users\Admin\AppData\Local\Temp\sQUy.exe

MD5 adab404eddc68b3dfc77dbf735852d18
SHA1 534c48ff9e2402774ce1e4c1a694b6f23ac359b3
SHA256 cba671a6c952281ea5e9c789aad0ede866f65bff85aa65fda34c1c958a80ef3e
SHA512 ec4f415ee3f4f77b05c1a753216ac477d93e777362e8a1b3025a33e348feb173555260a4e0db3f088dd587f2abb8b913eb5718569ebc3edfb062d68fdb1ddaee

C:\Users\Admin\AppData\Local\Temp\LYIi.exe

MD5 e2d8d1ba75e366a1ec2ded73b62987de
SHA1 a29ec7d2e7568897284d73eafda2a495c41ae605
SHA256 753e1d22c2be89f3007d5e0dad659e2ba5e93fda07d0e8b048cd9dbdca994ef7
SHA512 2d2fd3241db7e5849bfb9a75d461fda268f8fe7bc384fe532355e5779e57987d337485f618f06c19448a4dbf7b0522762b57d0ab2d9b4b2fd7f11b64be2ef39a

C:\Users\Admin\AppData\Local\Temp\Lcsi.exe

MD5 aa18300887748d2aa7a2bb8c8f3a4cf8
SHA1 44a830983823a31f4fe361060162ed543957d772
SHA256 d63d938340859e55f1b09b42e0fd595812b6169db8329def112955ae656096a5
SHA512 d107310749e474fdcada403af945ce6dbfb4198e472f6168237aa7dd73d7e3ea30594b8b177bac86fbafc307034b0dca655417401811a47837d0f014d7c44700

C:\Users\Admin\AppData\Local\Temp\qAkQ.exe

MD5 855a534e2387205d762d59d46161432a
SHA1 6a907e5f52b2b7af57e5ada17772b2101f578757
SHA256 0ded4febe7607f560dccdb7d3dc19ba058863359b94f7b9abe91d0f85d4a1905
SHA512 aed5450015fd0bbdfec72bc0484d53aae91d5597ce5a8fc9e9d0a07239ec70ee02cac98726956465886e25ce549c12b925f1c3b9bf7e452e2748255b60996bb5

C:\Users\Admin\AppData\Local\Temp\WMAc.exe

MD5 35e478ab51830d6f2644f02cf98918a6
SHA1 95cc8bb307b1752d6f2a7f0b60f4690bc1512893
SHA256 3ca996678f2c669b7a5e8ccf35a65babbdd583b3c5f438df09bc23c7fd6ddfd5
SHA512 d980b1c2ba6ff77ec46587ee42354149008bdb637ef6fa5226daa3f5c236f90b2d8bf8001d6387cbbba5eb99919e72e730410fdd0d906c92ddbdc3715fd0fb8c

C:\Users\Admin\AppData\Local\Temp\GqAoYUkc.bat

MD5 d45cb05d6ba3e4f0c266b8cd1c7bc004
SHA1 9b3906ce22e43d48ee49d77e5f048080ac2dc028
SHA256 877adf24c362e707cdb02ef9d8f9c56e2ca3b47bbf2a9205fd7a3e326bfb8155
SHA512 b63abef9cdeeceede78cac47a02fde9726dc52a54da72632adb99fa97b4bd0837c22e6b0db8932cd0bd29982ac64a9e1a5ab6bec863df88f217a1c1beea2c0de

C:\Users\Admin\AppData\Local\Temp\HAYkYEYo.bat

MD5 1d7c709f2cc3b737ce5a5c354a4bc40d
SHA1 9b24ac86f21f4403ff6a8f40c973fc736a2cb98d
SHA256 e4cd7873fa6df8e46aa187317cb858f0cdc460c2e3329b4347f35d72cea091a0
SHA512 5a192c117db1ddd7cdb9a24af12e8260098e7760e1f2bb0ba32866369450b5227213f530ee281cf4f9699b29c2352e86c4e6e09a6d0a5097c263a6fe41318f0e

C:\Users\Admin\AppData\Local\Temp\nWsYUcko.bat

MD5 469c4e9d11f04fbb25be3436f6ed6b28
SHA1 68a32a4f8b5cd0f42d47e62947630120e6cca804
SHA256 d2d6cd352e9b3c444e355cf9d6d55c9fe5dda74939bb1d96dbd057e54468eda1
SHA512 e7b58d5475fb8b2cad6cbcc6fe2c846a8194da94a1a571824292f96a520d087c2f7472be9e399cefdc1bb21dcfef4ab603f4a1d2cdaf7e9dd1478aa6cb903f88

C:\Users\Admin\AppData\Local\Temp\KUMQgwMI.bat

MD5 063904fcc24dbd3e0ff576f9a91d5cfe
SHA1 189d735feb2e9a8079f5cc1351982c2278dddac1
SHA256 5d24d6df589df4530310e3b3fb42449306e2d3c5c925898db8437fc4f494eb06
SHA512 49ef2ea9391000a862fd3b6d19f89fd8b5bac366abb2c7d2460703b8e09acf9debfe9f8c9aefacd7d6dbc55b1332a30b0ca62c35de77264bb1b87d630dfe6839

C:\Users\Admin\AppData\Local\Temp\zeQkMUIw.bat

MD5 250128426b4ea7ce4f57959abbc5a3d6
SHA1 bba790ba55f7428506748fbcecfff225d947bfa3
SHA256 06cb0e703a943dcca24567e0668c6399b01e96ee52979be14cca4fd72ab75072
SHA512 bee1936a377626a72cc4e41f720870d64bb4ad0f75eba8bd05550d57b3ad9ce42c7cb1dc391b659070d880e6a36a47c4b8e4ded831949bbaaf2231f6ddc6e495

C:\Users\Admin\AppData\Local\Temp\zqMokIEY.bat

MD5 91cb107bbb879ed60cac9e8a2d537a59
SHA1 84aa9d440fbda2b070f8726d2d31a44ac4f03990
SHA256 56d28599caed8b4ecc5a497db8545362d3200760473657b28d43ce8604ef9502
SHA512 8a7a588adbb047f6e312bf14eca5f2eebb5f6ed16ae32e995cca11f19045b3b9eca8422c3a366acbe38e120333732b2a2b6eea85c2212ae63dd685a96c9ec192

C:\Users\Admin\AppData\Local\Temp\DAksgYwQ.bat

MD5 5739efefd7e4d1d2f830dbc40cf7072e
SHA1 dc3120fbbf7b487048204df8ee2b6ae72835fdad
SHA256 e3085bd6dfbcebf576ceb05b52da531191d7d887d1b324bca0550e810b85ce25
SHA512 8abf9d1149dd400eee3a60f5b13f98431ba70d43b43d1076736038cb089623ddab084c516a984175390b17e69aca0d093603ccfe58afbbf5d4dc1968ad37e189

C:\Users\Admin\AppData\Local\Temp\VUscYUgs.bat

MD5 2203b8958681d54f7d96764b8406959a
SHA1 82611dc2beb5d7c8d446c896bc9e46089186dd24
SHA256 359d20d4c38aabe2dafd29c98aacb6fd588ad2420a09a6573ca55bd6ab2cc053
SHA512 5ff23b3593a10ac6da9f5a659160367e6778418b0995f043c9dfe708f27c0a50c813b1e4b5cadf2b501d52ae97dc37932f5b7f044c55912a5a1f113e2cb4dfbb

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:33

Reported

2024-10-26 04:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A
N/A N/A C:\ProgramData\wAMUwYYE\YaEkQMMc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe
PID 4784 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe
PID 4784 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe
PID 4784 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\wAMUwYYE\YaEkQMMc.exe
PID 4784 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\wAMUwYYE\YaEkQMMc.exe
PID 4784 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\ProgramData\wAMUwYYE\YaEkQMMc.exe
PID 4784 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2688 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2376 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2376 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2688 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3212 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3212 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2368 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 3944 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 3944 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
PID 2368 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"

C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe

"C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe"

C:\ProgramData\wAMUwYYE\YaEkQMMc.exe

"C:\ProgramData\wAMUwYYE\YaEkQMMc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaQQQgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iekgYEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWkYcsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYQUUogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCckIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwEwMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIQkMggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAEAAwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQIUMgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUsIYgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQMEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcAcYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMYkcsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foUgcMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reswUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EasUAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMMEQogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqoAgwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIMogIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwYAkMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaQUwMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUMgUkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUgYMfxI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Omkckcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYgowYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWwMAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmsIIQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMoosAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKIUEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQUIUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYQwMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeAQoEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoEsEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYMQEEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEQgEIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwIIgEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYcosgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUIskkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKUEQgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOkEUIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqgEoMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqckcwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWMEYcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWoYEMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWgckAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiEQkEgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAcIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYMgEoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEwYgAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKosYIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMAsAkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMYYEUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImwAkQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMgYQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAcQMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsogwwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEEQEEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeIsEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sisoUYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIIwUcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIQUEogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOkYQQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nocwMgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOwccQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsIAwQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qioMIUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikMsUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkEgIsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcUEwkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIgoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQEIkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQIcAcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQocssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqsksAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCgwsgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMYsMwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEYEgEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcYwkUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UScIMgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwEQUEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yisoMcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYccYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noEIwAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAckQUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peQEEocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkgAAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mywQckko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yowgQscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEUcMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaYYIcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgcwIoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgoMEUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYwIcQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIQwUIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGIsUYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmscskYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoEwEwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv w/dw4gP4ek+KVnSmyEBulQ.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4784-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe

MD5 d1e27390b430575333fa65bb0ec7aadf
SHA1 0cd4cde212b6e14b6fca8fc3733f70de6e3a8aeb
SHA256 a71862643c9b45bef0c04b7601ed209d15dd6a7c4540bac358537af83d342e9e
SHA512 f788b04eed0be9051d26f13dcdfbc82c0f154d25c8d69bd1505fe9eb60ae1ef9b9d7bae60230d2f77c48c648aa309bc0c3033525e98e4c70999d9ba48738d673

memory/4480-5-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\wAMUwYYE\YaEkQMMc.exe

MD5 8ecd6603c0a68e63bde10bc2e45a9293
SHA1 f8259d32194b7fff92d24c630df6258cdfd0e5df
SHA256 8c4efa6c179f987de3ece6caf905fa097a2e43e69e2e97013e05c6e2c7c9d606
SHA512 853ce89d1340a1fdde2d313f2c913f1045719483c26022fe5cd77472a79fb4c98a21e24c83d035223e6ac9452cd2fcafe78899764ca650c617f8bcb9749f8c13

memory/4248-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4784-19-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UaQQQgAE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock

MD5 d7ee4543371744836d520e0ce24a9ee6
SHA1 a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512 e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

memory/2688-30-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2368-41-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1324-52-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4956-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2464-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2464-75-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1256-83-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4904-87-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1256-98-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4860-109-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-120-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4352-131-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4596-139-0x0000000000400000-0x0000000000420000-memory.dmp

memory/764-143-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4596-154-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4924-165-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4920-176-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1812-187-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3604-198-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3428-206-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1248-217-0x0000000000400000-0x0000000000420000-memory.dmp

memory/888-228-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4540-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2596-249-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4920-257-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2004-265-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3500-273-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1816-281-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3552-282-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3552-290-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4812-298-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1512-306-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4520-314-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2292-322-0x0000000000400000-0x0000000000420000-memory.dmp

memory/380-330-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1536-338-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4996-346-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2692-354-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3896-356-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3896-363-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2216-364-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2216-372-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1684-380-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4012-388-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3944-396-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4216-404-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2868-412-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2024-420-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3532-425-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1948-429-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3532-437-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3368-445-0x0000000000400000-0x0000000000420000-memory.dmp

memory/812-453-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2148-454-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2148-462-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3372-470-0x0000000000400000-0x0000000000420000-memory.dmp

memory/824-472-0x0000000000400000-0x0000000000420000-memory.dmp

memory/824-479-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4208-487-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5032-495-0x0000000000400000-0x0000000000420000-memory.dmp

memory/648-503-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\esQc.exe

MD5 90d989f8a7aa93520a5b7f8bb9fe5e12
SHA1 59a9b993517475f8371898112ed7928f6ebddb6f
SHA256 7a5e1762b1b94a6caf065628070d0a5c1f6573358a361c89657e194357ab5101
SHA512 55a4338a4a4cf10111b1e5cb0d2a5232353ab48cade80d389f24de0e6fc514eaf64438d5afcf3e27b65033a9169b1189b017d10248aa1295c63941c01f5edce7

memory/3784-519-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IUQq.exe

MD5 8ae785067280b9407f12556b7bacd723
SHA1 41d30ec27b12ed5100f7ce0ea9deb7a541218eeb
SHA256 0f6296859353fb2f44e93d8c9658bb91df376dd4317153e31dabc95a50fd502a
SHA512 569de2bb3a9e2ab7b223cdcb65d5e76ea5970c1528b0d2c42c1c821f96b0f633aa8a38b98ff8f20226f2f5c227011532f08a27ae65b1aa8164d1e1cbf0610d4c

memory/3784-541-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYsU.exe

MD5 bc0f227155eb34ece7532c749afd1dec
SHA1 ed9701d30d2db6ae52173581aaf489625d4b5048
SHA256 7c1d74c6750e36ecc38737a280ab381a7324274c98ed73ae379d861dd21e3eb9
SHA512 a3deec5a726224974df63fd774d2db813d8b7fd6250d61fc8103eff50306de56b2f9b1143f1a28a778e959d526eea7bb2edf5dede6987ec190cf6a0c263a8fbc

C:\Users\Admin\AppData\Local\Temp\YMIm.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\AkMa.exe

MD5 48cc9f1797dce14cc683da1b39c22670
SHA1 6beae30cbcbc215047e7db12c212f42f63c63cf3
SHA256 5ad09501e7a56918e3e583a71370f9d6826caf9ffce6a9c42efa66f15bce72fa
SHA512 acca8c838d42fb8f21930629a8f4375198584d5d5ffc8d7d6f114c81df302c231d71f7e7ea3be26b1b80ca6e6c68e2aa6b608eaa452d49421d3534ce1c0c3b69

C:\Users\Admin\AppData\Local\Temp\eYMq.exe

MD5 64cf8ad6e41312b737633d54cd47d33a
SHA1 53d63e983a99d12c7e76fdc43c649cae4bd4c3cf
SHA256 822dfbaa539ac1451adf528712d522acdb4adc91219e7a784103954ed9e4a3cf
SHA512 89a6ce872bf33d8e87c6f3e6f14e5b0c2d8aa04b846131f0e9f96fe26a17d60818a6fbf70918c549b24fd227910348e6ff2aea2a2bb873f27a2d94c8ff684d20

C:\Users\Admin\AppData\Local\Temp\mQcw.exe

MD5 fbbfa5e488b4c34f786184bdbdff4815
SHA1 9bbcaca718a8fea8db2866bbeb1731583211a631
SHA256 44018e54eba7678fc3eb5911afca80ce70b290a0ab491acf1673814eba50e26e
SHA512 3f838998247fa30a6a47440a054f5df1ab1daa8959f2503b7666c766fc817d4cd7e324af8f6992c591f4ee559503d1c4a00b9d0eb90e8d5eaeefb5dc017d2801

memory/2944-602-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5040-606-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAgQ.exe

MD5 bc9f4b69317feecf1c776db85c678efa
SHA1 f665de83b67c1f1970e095082b6e3dca9b05dbbe
SHA256 c52b739aec3761ac89cf886897ed98382335f8b1bbfb992a2337ca0107a5df58
SHA512 d6c61580434e55d1f8c6cfa3d05d9ae1510df4dbf39f376fb64c885e80b156b8371aa9198df6a38b786c6da9a5af9706807086d77cd612ffc46aa7571b437dc3

C:\Users\Admin\AppData\Local\Temp\sIQw.exe

MD5 070c2cb7957140c2d87b7fcd1978d216
SHA1 f233df3354ed48620b2bcc376228bb6b63db97b1
SHA256 5ae8a66c1f7af52825f14f6c45750125b0c5194219514f0036df2d71f3478ed9
SHA512 0abbaac92b8aaafa725888fe2444d57affc0f606aa543bada99b81cf82aa10357c40dccd23c765df683dbf9e1072c4c80524da32fa2365614b5f4254b16a6e1a

C:\Users\Admin\AppData\Local\Temp\wkMm.exe

MD5 e06c42eac1f50b3c5a739ac8c9af9b8d
SHA1 302eb7410588a1fc90ff617cf6363bd629e6a65c
SHA256 a565de83dc0f7cdd8d5869ff25e1f51b0065d81c87b433305ee9fc2779c16a99
SHA512 f06fd4b69722518407e3a15e54695021782b9a4069fafde0c88ca475b41cdddc70fa925352b30ccfbafb2def02c5375e41c108b9e73db5a6272879fa109209cc

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 d95f86a33753003c46bcaaa99dd21c24
SHA1 4eea02876cfe0a0e0a4114aab25512a92bce78fd
SHA256 f220265ce8da4059cef78e6e469931ab5cfe23c8f5eba40491937371f4d735c0
SHA512 59ad1f3c6dba5a9b9b5db8502508d3a3d2c507c3d29a01eab11fc5ec5264f782e67bef4666b899e4e5395fc068faad4dbaba5b2a93f2c2ae74d5067700d49d67

C:\Users\Admin\AppData\Local\Temp\UwAo.exe

MD5 4905d16eb0b16b944e8680efb6287513
SHA1 1e9ef1169c6e2842be3d561431efe463e92ac640
SHA256 a1f20623872e1b15670dc7d7ed036b9f4b839f0ad00993ff9d44cb5c3577fcfe
SHA512 c037b907b7798b2eaa0a6ae1d52b8de08254cc9f85e8d30dfe249128583a8a5ccc94a406a46f61a821f1406850f5e6630ef102b05b42043ad43128d039c16284

memory/2944-684-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ykok.exe

MD5 1028d0f5a2e23076896f84654a323c15
SHA1 4312a79c70dfbf282322f16880073a5232b99339
SHA256 fc2629cc1659560d1cf1a659c476fccd60965b0abdbce0d9d55fdc1ea0a5aa00
SHA512 5bd79b9d27b3c09c78c919c3f2d0edd19d990b0f6f3fba1bce8d62fe5fb4763e4914f304e176264fd0da3b3c6f7043a5fa3d5b78e878725d9eb797107154f599

C:\Users\Admin\AppData\Local\Temp\oAEk.exe

MD5 d8d986666ba8d3cd79e85688293538af
SHA1 5158d8cdc505f3d7113d83e5196b2bb47f8c2f78
SHA256 761f59fbbb4c5c6d08ff6cb10987321252d230256e2f760875d1f3adcc129f60
SHA512 1e046b778fb95c7732a779c5ced9abf8ce74f626f21787e074efa3554955ca73b7ad02b136fdd8fae68afe96b18e625395470b5ecf0aa9265496d4cd25f1d4fb

memory/3996-731-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ecoe.exe

MD5 ad088501c406a4329ce32c918130d37b
SHA1 ef6240b696ce57285b980f0caa3dd4749cf1e3b0
SHA256 0a34616377d40ea3109b128da480bebd3b447fc56e774b10b4b5d59b6d52b821
SHA512 7a8a854cbb3ecdb11ef1ec72a5f00b3a16f4aea96d1d53b3cca22dbf84ee2fbcca4a8abeaabeee849d5e864f4c512ac579b7f0a5cce196448aea9a0fa27dbb32

C:\Users\Admin\AppData\Local\Temp\OkYI.exe

MD5 b690627427bf6d6d4258d706a5752c59
SHA1 568258360f411aa659cb258314f037510df70997
SHA256 e94b89ae597b3e25f050428cdfd15689e57a9d11f845dd921c55ce8352a39a93
SHA512 467f287d1d4864cdfe7ed5677128fcafa94ceef8a7d3d241bc296213398ab635664a16fea8cc18b03b97855b4a1ec57852c7f586a8b0a2d301ab83c9f5497376

memory/2828-749-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kUUQ.exe

MD5 0ac6518627fce95b541c25d468765950
SHA1 ecab6cb7a87829924f9f5e60b3b3c506e47b0836
SHA256 785b88edf8c6edc5e3922e5082b3d7ac4f9143946027599e39101fd60de01697
SHA512 c7aeb3a843584c06e6b30501e6b9def321a0684c1485a56ab29404f9b8af9a390d11d1ba084f2ca16959eb9bea2317d2eab09bf0c306a96492142365057d1bbd

C:\Users\Admin\AppData\Local\Temp\iggu.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\MosC.exe

MD5 6ab681939b7db5875b2e4e8e94e99e76
SHA1 e7a22aac9914d83c73b9fd3acc138d1cb3b2a196
SHA256 29a37f25de5a512764c06e6224c25bc677317622939fc2b89d737f0c5023f586
SHA512 3c6b3ab4dd920a3479f952a473e8b737e47ddba41f751ed1775fb5da13e3644436ee24e0a63072e51228dac4ff22fb41dc0829eddf3fe02959647c5f8bb44d30

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 c3350eb5361bb6032316951b03a04d4d
SHA1 c829533721df5f86deef711e477905812336bc59
SHA256 54b64969226f1db16f48f7bca11b2302704f4b8472a6cc9df66b6eef7469974e
SHA512 9f59b557ec3b3fb364626ba96c3dac5c74a55893737131d566f727b03d45a8bf9065df669a4c07cf8e863ab2ad4fa1566ab8e40ade830efa778c9645d7cd1b29

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 39c89ae327d6826437b4e95d2ac8a044
SHA1 f9a8ae807e6861ef200342f0748694852442b6ff
SHA256 1e46be1b754a42bccae276f7b5b30e9b1710b66e279193b9804b02f7f3a32ce0
SHA512 dec9924b932b7e58c7c4ad35ea7d45a4dd13afbe17380b66b296da64799e5d72006d9d6c36a8b70f63fc8b91c012399897fc8a27ad0cecd5c80f42aac7700c90

memory/2828-827-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Issc.exe

MD5 8146604fca4042c1a3b8e79422cd26b4
SHA1 fc7ea8c8fd6b20c00e674f6f0e3c8faa648ed977
SHA256 467c1248a611828f1a4d4314a54e8dd1d58ae1211714ccdc99425242cb414a48
SHA512 57a2a5e3d76b86e7de592499c68e21e6787155483e83f4d9519969506ee26e305da6c9fa3729db9ed91e4b12fd2dd144e110008ff6674b5be6c94f40c3757ee6

C:\Users\Admin\AppData\Local\Temp\MMMu.exe

MD5 2cd1ce4ec960cdd772dbe8788418dd46
SHA1 729e27d2cbd38bc4a40d82caebfa202dbb24c278
SHA256 d4554b24be44210d37242005a8be1739d7867e44f8dbeb0ecb0f5d65f6be585f
SHA512 c49564c620c4d0d21a0a3bd978d4baba00f84d63652f684e792446c5436b8fa1f45c008109f658edd23e743c0a52ef0424427c55ae79af034f9bc28bd92413bd

C:\Users\Admin\AppData\Local\Temp\MwAC.exe

MD5 c4a67141a9a112d48bcce984a6699376
SHA1 b829696245ebc202c6a12485221de8c204a403ef
SHA256 03542f8bcf18681a479d8c79a3e0de282a116aea721e6ec647860fc34cacc105
SHA512 a362449e943e4140e077878103b2b79b861711bfdee16dba31750702b4abb6d524b83389f0c962ac38709be1c780b9138f1c8c69667e5ef8e4aa2945180c42cf

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 0cea9c2695bb25064041f429651db802
SHA1 eb26da57e48fe8a537c05c1493cae961ac4ed47d
SHA256 5cf027333477f26044209f10746d00511789408bd8232e30c71ac61b3c866755
SHA512 38094ba12c04c64a946b1391e07d4be4eadd2b106de0cf85236dc43f2eb1cc3b0e5b0e4f4d22b7bda74eca48f1e4b372bba7b5e31f9016e9deff4184897b9777

C:\Users\Admin\AppData\Local\Temp\gcAm.exe

MD5 70599b330ae3b61228d2b5b882d6aefd
SHA1 bb143f9c80f26ccf49acf94065691a82c333b35d
SHA256 ea916b5df1e8817267dca88daaf3d89a262cba06b0832f66421e7a4d033a968c
SHA512 cc5340cbbbb3b431118e90101a02404ac3b029717d399fefaf6a07e1128ca1bee6d96ab32b63689d97a5c692f8e5ae51dc35df5e102def4b5f94251e25bc5041

memory/4560-891-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQkm.exe

MD5 f8ebedf9c88f048d9ef00f3ce262d970
SHA1 e5d0e5c802ed2a604d9dc986f6e6775bc94961dd
SHA256 68a44250e47021d547852326e9a6f8fd0955b1334675002dfddb4d82f1c968e0
SHA512 66141931a81b06357f388fbbb666e49a8aae62ddbc01713ae68fa707c7c3125fb965ab9df48c249138881fea96f447fec0a396ab8f9e46e69908f25f776063cb

C:\Users\Admin\AppData\Local\Temp\oMQK.exe

MD5 6b5d0e9fe8ead902a325f0c36d128dc0
SHA1 3e568c534a5dfec41065b29c4c5d713eaf3c6cbc
SHA256 4e37fd882456c2d65f3845ae430bd2b235eb88e11267463ea6606025c2ff5bfe
SHA512 7a8d38905ad45e1a1f49dcca5d60e006f352d98c0aee3bdebc28044dd065ef57b7f0a2aaf9cfce2dbc0da013bcc9f4b571b8871e0f57adcb1e441c578cac26ab

C:\Users\Admin\AppData\Local\Temp\Awou.exe

MD5 f735fc460c1509e1a7fa7bfe535410af
SHA1 aba24a72ccfb557ec40cf374ef5c8ba6e3ddac90
SHA256 ac2d908dd49673c6b420502c0d8bb17aaaa40b1320495ebd8e4b062a8e86cb16
SHA512 ff1cbc865c2c260a5e66b71f314d34d022f04a8017c902fb7538ee3cacf07920e99cf24dca99065d23d661477c6f769579db0f332eba012fa6b27da26b48a68a

C:\Users\Admin\AppData\Local\Temp\EwQi.exe

MD5 763245723d55a67526c8cb5cd4c5cd30
SHA1 9856497e22b4f6502ed66a14324a6abc13f1046f
SHA256 e6da53eb511ca802f5eddbf78768a15bedd113f24e7ef1503222e1f07f573080
SHA512 0a6ac82ff9358e62a265fc2772e07f035f6a11a47a20cfb3c72cba4184986f2be86ee9f09d5b4e569f8a286f4528d66416083c1af180ecea5a39f920471eab7d

memory/2124-954-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sgok.exe

MD5 217dcdbdcaa62baa166ad5930f205b14
SHA1 8d80753032e2336853e88e89720daa277eb31e50
SHA256 1cdf8962725f7ff53c6b4aff3387966a5c9b6aa8b9406408e76b3bdbfa62e574
SHA512 d0429b88c5c1e1b3239dfe9a259af5d4495f33ec2cbf8120561771fcbc872d1439ceaf413b9e378b7313c7f5b8f933bbae8b7c338a7f09a8e869ac782b779e62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 c1701b3dadf52b2f5f42155a011f98b0
SHA1 2923e7b284819b8b03aa2b82593920cf5eebe1f7
SHA256 e0f3100bedfb1c1213d68f6ce9fb1d8a1228089564b4a11ee0ed49aac785ce6b
SHA512 d421f8880a7aca53ac3c4dbcc76176afc2b89cd899189204e1cb96e98c5b1f142eb2f1aea42374bd56db2ba977b061f0608aa5992aa6c35871e747f5f1506827

C:\Users\Admin\AppData\Local\Temp\uMsU.exe

MD5 cc934e10edf1cd6cbeddda5b93ae7120
SHA1 5c058e7a2742e3e3fb07774b5b74612d1dd3c23b
SHA256 4c8a1fbddd641a1d50fd23f412c42fe1b3ec84102fceb37cbb7462cdd849e12b
SHA512 b65014584ce8a299ee8effcc0c7cd80f3dacd3f200fd2fcdb59724b9e8ba6aa50596f4757b29e2d90ae5dc977a48f959fc89ab2b4ff4eae868bc661d3a058f6c

C:\Users\Admin\AppData\Local\Temp\cgAQ.exe

MD5 7fd07925093602555f4e7ad5404da0f5
SHA1 81a7f0b799fa9d33ed2f738cf84b7a8ef5707844
SHA256 ceeac71654ec052c03d5ca12644946ed9342f1301f7a12697287b29a2c853633
SHA512 3564726d432649bda7eb5bf90c974a6071d588a87ec5cda03d65fea5100be9ab7bf1d1f8ee862ae41193c1709eda7566d16f17a8ccc0105d94aba6168f9d752b

memory/4360-1018-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MMQM.exe

MD5 0d5391b8921ccc57b996c0d2ef6019ac
SHA1 5e0275df1766ac61c3affe512274abcb93204642
SHA256 773166d8a9987f274d8d3728a71b9c96ff327a9d93b812522f63d277e8f10ffa
SHA512 2ac5550b17ab1abeeb83978b73f2ef3eb86d8d736131785de31dea98d5761c2b12d06104c9aa9498715ad85153103834b7a824edda71fcad88bd2705f5801a65

C:\Users\Admin\AppData\Local\Temp\ukoe.exe

MD5 e00b5b360c51eb9a62f6f7db695bae84
SHA1 a5291439fa9f9f93f98a8b7559fe6d8e4d45516e
SHA256 4a2e8629047fd962b0f9d444fd433f8b78eba1df02810c9d06763ff3a1d48cf2
SHA512 fe7f4ea96fff0af4b1f1f950412d4b345697db3a88909fdf3691a282c9692fc6e2dbf8a6556b4fbe566425c668ff7262b005ae48bd7a89f47e2ac3e3ffddf1ba

C:\Users\Admin\AppData\Local\Temp\cMIO.exe

MD5 4b97211d52b03edf36fdedbff39760e1
SHA1 3f0a8a5f840c26c4d658b3760381231848854c50
SHA256 51910007ce18456f883e9ba6f08384fe4acb14477d384f3f04430dc5ebd0b320
SHA512 83651ed1333675f03d7a5a4285e1dac0d99353fbfa962b64fbba8f3b1f1b72cb8b95e2f7b40c868409883a8f5f7cd7172314ce78f184c0646a8f1cb4adc65fa1

C:\Users\Admin\AppData\Local\Temp\mkwc.exe

MD5 7a9ca971aed86e1d8b91d62206414772
SHA1 8b426cce925ae8d2a699bdfdcd906c3a37e98aba
SHA256 08b3a1bcb0df3df0b2a1889ce59a2a34733e887fd380a1331a864c3c22ebbb26
SHA512 8bd9e31e48bf4cc328e505d45bceacf9ff5ff4f84a10c784e7e2cc6dd76490928059719530317d3e92cd7b19b2ce6046b505c008ded0dca33bea977dcf6d5628

C:\Users\Admin\AppData\Local\Temp\ocIy.exe

MD5 a07e973c294fdb93fea818418259d160
SHA1 265ada5e26c36b3fddbb22804c79d899cd62fb2b
SHA256 afd589347f73de8930be7362d0390595cc4ae5a0a8305bac7bcf3fad666eab65
SHA512 4318296a47f884000039ddd10f6e2a200555fdba9bb0000fe473e91176d792b02950bed0abd3ae3b7fa73a5c73ec783179ffe84732304ef9730f5dbe3ee43aa4

memory/5004-1096-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ywwq.exe

MD5 17efea73eca4b931999d946503b8bc44
SHA1 5b03836545f9aeb05ba52d2b05f54bb627dd91f8
SHA256 2d41d8bc2a0d5c05fde0be902c109bfbc8123170c1bfba3b683e2513effe326f
SHA512 42abc92194c22abdc125796a365030f3a13a928a0cae41fdc69d2db4f896ec6fb14e0f81fb2157fea1964721a03f4fe63e707f18dc2897a9295ac1d474432210

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 aeafe17c27d15f529a56ea47636011c8
SHA1 633e6ca593444c9f5505e5807973ad9b644c058b
SHA256 6b3b03ec548d774e12295e415fe73fe3b14bf304a85355ff0680dbce298a84e5
SHA512 99a8eeba398f3ad98d361a26fa6c9ea64e4a2d726f53ed1264b19ef929409cc2dfe9059048452dcb44d7fa2713ee8a4f8e61e4770a408f9547cd07888f962b3a

C:\Users\Admin\AppData\Local\Temp\SIAq.exe

MD5 97c433e9676a807f1bd223bf05c53183
SHA1 2bfe40e196ca12f62ba579112f16cc04de691f7e
SHA256 6bbf01db4608eef5c0e2194cde94e6546b6b71b30fb60b7fee72dd4ffe414f87
SHA512 74e07b1f1f7e402541d71e65ef92747a85b2fc0a6e415d5d1f304eb216def728fd0b3bd54ec02b5b9d0ad6f8ae475ecbdc825daa3d87c45b953301550d018f22

C:\Users\Admin\AppData\Local\Temp\gwEM.exe

MD5 e366e43331af4e65e4a618b6007f2980
SHA1 90b4686be08fff10c8ada32ca8845e5e592ad6ff
SHA256 a7478a37856238ff3200611e40f27a95d7e183888db37b8c506b61a4b33f105d
SHA512 d1b38c6ffe3f89717f4db46de35aec3371d9f5bab270f9d843872711a7402a49bb2c38e64b3502727e4c90e8b56431c6359e5c5434634d11cfbf6bdf1129316a

memory/4624-1159-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4144-1161-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OEMO.exe

MD5 e63eb89b4712f27eb8652555b7b11832
SHA1 094dd72e2de6e9ae79689be98051d5f3eb5711f9
SHA256 ffcbab3923483df3b4971a3d2d5e3c1aae4bd2ccd9985201988910912571224e
SHA512 bfd6f00bf529723150a343c0d4a5bf50af2f65b686e2531b5b698cfabd5dc8dae9d4f32e3ee42b94a85e6e9aeb879098234fb53edbe20b6f47da03897a875b5b

C:\Users\Admin\AppData\Local\Temp\OQUK.exe

MD5 7d94fea91519226556422035b7a92b3f
SHA1 4a4f4efa961f4950e16c3c2488d5e3c7e089d878
SHA256 f6af2e7647b844be36aa7477bb9b09d711a80584e05644af76a6d93fc4ccb433
SHA512 686b7278e517f9f92a691034541d551f9bd9164ff73898c4685b340089cb87fb03ef44177c40717ecc10e6d3b9b4ed2632dbd1017ada62ae0e9c5e7d15fcb66e

C:\Users\Admin\AppData\Local\Temp\isoI.exe

MD5 ca56b235b0dc4f17173bc8ea4bc4bce7
SHA1 128c6d73a19262b9507c35cd0abd42acc2b537c5
SHA256 8743b415bd0866619ad2f0aab1ff786157b9e3df8fe3a9d324d73065a42ef220
SHA512 6ca96495aae388937bca27247bd9b75c3038087da1fb3732491104fba7b25a0578dfde9a7042e628827f5748b22629f35a5ff1febe79ad35cacc871610f021e7

C:\Users\Admin\AppData\Local\Temp\WkQA.exe

MD5 65fddfd54d13d6f4155e757a6c2e9300
SHA1 6d8b56945ad78c27aeee5943684e98ae6ea23afc
SHA256 1b75a202a55d65928e4cbea2d98231a8ae753f6f142e000f323d477854752f4c
SHA512 1195b14f5f9af473d4a44e514e52290c2201cf6e4c2e40e2c3494d5ffcf25131854c68043911e075f577ff0bd7635bbb94328b842de6cfabd7c5b4fe82446ee6

memory/1812-1221-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsEk.exe

MD5 ab608043cb422136445f696981acd1ce
SHA1 bda70d72cc45c00e0689332f6046eb453249c1a8
SHA256 e1163b6dce928b8ed89be5be446f5f7d72344f7da5eefef3e31f91b280ba3632
SHA512 190e5485070bca1527bcf4cede2f398ec1ec96ecc5f3c84b43cefa24acf1ff475884e87d1148434159861a73691a88f266beeeb29ce550d54cba98846a259e75

memory/4144-1239-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AgQU.exe

MD5 f8d2c936bd813862bc2cde675920eabb
SHA1 f99be2c682fed0e733ff6287accf6737666f5c1d
SHA256 0d540021a05bc832020fe41f2ec5a11dee40f5e3941b1954ce8306e57006f177
SHA512 2ffe661a328123c1d4c8ec0a5e0e20a732029b044d781612d245387e31bb136ec1ce52a6044b728a36d1a905e880461ed656e73ab08ca5693e12d9c4a23cfb55

C:\Users\Admin\AppData\Local\Temp\uUkU.exe

MD5 157b4b0829aa231b99bdc774266cdf8f
SHA1 f369574fd94891274ab77cb5a0fbddfae7a1e98a
SHA256 285d0d613bd596fa5ebf4a0cd5ff52c7f01017d48664072e1597afcadd1ec995
SHA512 d75eb637507773b02603ea45aa5fa2a96cf034beba246da9ff80d193cfde95bfd6abdbfbb10813cf7a81919a3baa2823555359a560664641b8b0f233be7514d2

C:\Users\Admin\AppData\Local\Temp\cwgK.exe

MD5 72bb593b06aa390b64e378989cc5dab5
SHA1 4296a6ea34315bec38b715a8934b9c3307974386
SHA256 de2c9204dda116045a6bc41b8a67be288600deb36229d99cbc9f975e1fb4889a
SHA512 8a0e6d3507e6be0f1c21ba8a14c3450eeab029d563027cb7c07425c8670c50df3a74731d5db5c4c36263947b5891d0185426e608e7878a746ec3d890a7b531d4

memory/1812-1289-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EMYs.exe

MD5 c422280496dc0de82076218c2fdaa7f2
SHA1 d904c2bcceabeb0e21d88ce34e2f2841d58b0657
SHA256 9f84f99b5016ef043684522bc5673c30fd77deab87a237f08d653a0925a7bbe9
SHA512 2ee6e034e2214d10b8636df6b60273ddfcbe75c0ca3d639d8ecce4b291437d7e43a49da1d47c2dd2f9fcd9e1266e4ed9b88e2dbc7ec7580bfebf434eddf58442

C:\Users\Admin\AppData\Local\Temp\SgQA.exe

MD5 2691e7160e485f46a73ce65562ac9629
SHA1 56ab3532aa52378f7c612b4730e9d0e77c472e37
SHA256 70d65e8a6a1afb01b02a2f8aa67faa82d7591fa193ea35db88453783b1c3c057
SHA512 52c7dfbd260edcc8aeb6a7020c17d2f5a1d4a70e5156981e05b0e509300fb818211350db03a3ff93a6866394323d98fc0a547417ea40642a07bc47bd6b45817e

C:\Users\Admin\AppData\Local\Temp\qsUs.exe

MD5 2a55ca2172dcb1a705cd2e0ba23ef4fa
SHA1 6c5c6d31e16f03d4e446628d05353a6bc532c105
SHA256 3a2a03cb6c2fb68830befb948d3d32163055b075dc403f4a705075187abd350b
SHA512 9a8e791f8cdbee44e7d38f7c82fa927e551688c8fc22796b7c2da49fecb90e7cbf8bafa7c564bb69a7e936b57b9f9403189062d9112ec286868c9627c3341bd2

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 a19d79db54946d2d595819a51fa00452
SHA1 c56f1a741dbb266b7ea3082d31ed59c302179308
SHA256 b33bf9840b687c022d8b7f60c3ee8dc797bbfd4138dbee7131b148a5f533a2a0
SHA512 f22bc3d50145d441f34d939dc5917114ae9303d30a7e5b72457900bf411815e6e6da79b0f6dc8b90c6a60348ab80f4ee6f6a8bda37060e3e50b3a606e30bb986

C:\Users\Admin\AppData\Local\Temp\EQUc.exe

MD5 d2be8d81694a8e6ac84545af33d3e39d
SHA1 f631726a8d09d0cd02131b56a7a20d5de3a870b6
SHA256 f69148eb159c8aed6845b768b27e7b898dd4c997e7d688fb445099f2eed3e631
SHA512 fdf8410a4795b5cb9ddd39da35fcb514c87b0c8ac386c16faf3315aa256c6991508f44b115fede5339c18a4bbe6d79b97d4fbc09a987502d745d9c727e3d282f

memory/416-1364-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UQUa.exe

MD5 19c4ece47258e3755afa5db5734cd9ad
SHA1 04effee8f01f766010fe3d61a4807769c93c448f
SHA256 08196874a76672509b7facc02e59354ad8c4968d2fa4c59dd9c8af08b52c9131
SHA512 7b391c20fcf65010be3ebe6a837f94678449e3867619ee28001cc546efdfe0300bb7091d22704755dcb79b8fe7809552441b2c045cee281f5a6f41a7a3061ccd

memory/1964-1382-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kQwy.exe

MD5 f4199440963786837ca6c6afc0750d89
SHA1 249b4e0ed7098dd935e57bd9ad2a37a1c6cb937d
SHA256 07e41d5556399ac8eb654ca4f76c16060e156ca5f72b70dabb4126ab34cb80cf
SHA512 43f423dbe0653517fe55f146f6d60dda8d8ae7e0827d191b7aabdf5beca8b193ac4c6127a7a853488f67453fbcc94502d8e261c1c4c17ee3f9a6644bec7dbf88

C:\Users\Admin\AppData\Local\Temp\wcsG.exe

MD5 a77b6583954c44aa6065c2d78831c30b
SHA1 508c274a360eb74ecc441331e0bf24951f3a27f3
SHA256 89a2c5b30723484ec421de141671015a272a0660ced65b6ba2216e0336e7f052
SHA512 06d9727f49fad5956e9815e06487b2e7f09ac22aa441daf26286f96aad6b447fb8cf4cfd65193c8ca394f3cb36c73606cafee19f22b54df670b5e1eb1bcaef03

C:\Users\Admin\AppData\Local\Temp\OkkQ.exe

MD5 59eef4ea46eeddf1b57bd78c4c2732ba
SHA1 e984c7cd7ef1e9a8ce6b8892798694f8b1656adf
SHA256 63858a3873a1d0500d4e9dbcfd39342ca1e2e709bdbf62c14a90931a53ef290d
SHA512 219d605ba4ab0e2cb0b46d29d1b920a56656c1b24563a81d0b876fe15da6c87f7e0bd51478eadfa9dc28d2c0396bffa059cbd4b8d6b1e0abd80e9436f5fdb40d

memory/416-1432-0x0000000000400000-0x0000000000420000-memory.dmp

memory/384-1434-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qcgG.exe

MD5 a0f53cd58eb2d4b11e87c61f6081e1ae
SHA1 981beb736a6f2138f25d418a3259896928283097
SHA256 066e89c0e6e938360cbfd8e9f53289185de56b95eebffb5f65d252e37a912c13
SHA512 36f681afede24c8d7b379313abee3c7f3cf1aeb6c194b26bd72b9f1ce07b5ceef790895582ab9d3853124c7dac3a311fc528bbfe0131c47110e0efc6272eeef5

C:\Users\Admin\AppData\Local\Temp\aYwC.exe

MD5 c24ff3e303b9f4f4aa0cb37a14fbc090
SHA1 498e3775313697bdd574b87368dd41c2e1e63ab3
SHA256 1e9405515ecabf70a1eb4c3e95a0bb2e7c9ba318b5f14c20738d07de444238a0
SHA512 23c086370fc75898eab776258698ae913172bdddcbfa459f8f47e33c96dde04adbf58c916935e1bc9d66d5d73fe8749405431b153b3d9340de3610305c3757b5

C:\Users\Admin\AppData\Local\Temp\EIYg.exe

MD5 6143282206ed1568887d086d094d86bb
SHA1 2e70e93ec0bb7ee8b676d56b150c75aaa647d597
SHA256 a37d5342a5339a7b6da38af9f5dadc57ae66ade97e5fa34e43871791e6ee5de6
SHA512 aa9825ad479af3378d50cf7f78d9995d7d00457b2f608cec648fe81897de7704ef050beab33275b8874f5a1d885cb1953c6cfb2b12c197c8543eeba85bf4ed62

C:\Users\Admin\AppData\Local\Temp\cgQu.exe

MD5 79447e9bac784e38bb10c277fbf0f2e9
SHA1 bef557812b1269784fa8667af7079dd1b0f9c7b8
SHA256 50f149d497f9c93680dfd72a5b4f01e03eb61b83c004c4aad5a8d8909c29ee1c
SHA512 e6300f39b386e99788e24ec4ad54d843c75614ec0915fb05535eab28008b6b1c6b3679fc3a2e5099d21b9acd1310248ba19af4ad594c047aa64fba3fe3fb4c48

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 2ff68a85bcdb07f57bfb372d0d41cff7
SHA1 06f4e78d99eba79eed4a1e3ad754c5ffb227ab4b
SHA256 0ad85dc8c93ca64713e022f13337cd0383d2327ac77663ca86c6e55eda4d18ca
SHA512 af38af0fa7f79d0cb07b39b96fe688035daeaa1552017c6bb9e0b8cb706bd2eeae6bb47f1b592e918599a7f4434f9a923a03fa86834459113926a7b6cdb268eb

memory/384-1524-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoIq.exe

MD5 a4b320e13deabe0aa8f1b7bd2476d1a6
SHA1 948f8e42f32195ea107fc9fe1c6f8e0a20820672
SHA256 0270abac47a9dd25b11d4d4e3a291e9fe3a93c0bd1730b76ec11e3b42e548915
SHA512 bf5f9fa31eba695313937d82a5a7cb749037273e6e75f628b70919588a1e8aac4c1656a3ddcc19b840694d0e21e2e417afaeb12b997bbebd75a648d4d5f3e626

C:\Users\Admin\AppData\Local\Temp\IYEe.exe

MD5 3bca1e009d8621582945b1f95ae3ae0d
SHA1 af2cd0b24007ed5a1a75802be4e29cabfdbaa5a1
SHA256 79c6e0bee0275d47eff22860e1d7005030df515b22ca60acddd2106d681df58b
SHA512 abcd72c38eedb0820db5eac8d66a95e4b1b0fa8597701ca889d2c5a33b2e899191d8a28be4a07419a39b959fbe7092b098d73b7b12258d583a849c5abecc3232

C:\Users\Admin\AppData\Local\Temp\coYM.exe

MD5 629ff5041827f3674198113ff99b9883
SHA1 2797c04523178bb4de394b8037bbed39a3102229
SHA256 5ab6a8a4ad952b3738e2916521fdbc5e8e1797fe06319cde8245f1dde54f62d9
SHA512 30ce3f48c83a0c7f46fa9bfa171a7fdbf1fb56e3fd3f6cbcd3594e574f51f02902aaf6c5f73d7dcef83796bcb704640f8ad8f907890734a742e7363763d433b4

C:\Users\Admin\AppData\Local\Temp\asYY.exe

MD5 47283ab1ae398ab82d716d1a04e07c44
SHA1 8af9ebec71e9f6a72f65b6255dbc0231f2003e25
SHA256 cd227038ed8dd7014e0b4c55cce52adaf7a0c931ccf9572424869f031ae8ef67
SHA512 2aff17dbc97ff7bcef707707e365b77220fd835b62eb903e7ef9866f593122f627df962421cd465d1b365692558352ec38d25517b051d6b276a6d038a33d28e5

C:\Users\Admin\AppData\Local\Temp\qIMY.exe

MD5 dcfd042c7370f0e656f4a57547a70eb5
SHA1 d680a6fb0cb9ac818f91df4dec07bc7e0b7de514
SHA256 e112039bef9a3b4adb26030492296349da74e60f29d6e265f12b409857659adc
SHA512 fe76d764aedc1ddc8b21fd24a2cbed60d78fb79714fa6b2682befb2fcd898d9849446aff06bb643524e7c8ebfddf320a0574e60b40aea0feff89721b1f4b6454

memory/3432-1588-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kUkQ.exe

MD5 0c5a57fc8e32cfba4e682a7ed9ccf0a4
SHA1 ba6279a394952a03d17ae8fd89bf021fcb382b9b
SHA256 206a063c3468dfaa211a469bf98632afb996664a985156e209e828d2075d3c4e
SHA512 6719e63da268028bdaf1cd490626def4280122fdb058ba0ba300970cca9608f593e2a876763c67dbc87c5ed36b7a2725a15fe90fc4d21ccd5ae2e933ec3612d1

C:\Users\Admin\AppData\Local\Temp\Esse.exe

MD5 69580a7054d61d5e319baa53b0eaee27
SHA1 b911a1ab348fb6a3ccba9c75b19e108c751a21f4
SHA256 b5a71ea06d1dd1c709bfc1e5e402821a6136788e5e1561159067e47c18d983c0
SHA512 9f653f97bc4467a2a9825093171628e88a737d8c6a245fb12346232b6e1e2992f3419ca87be320b4b25508c288256ed036dab3362623633203293f2d5596a4a5

C:\Users\Admin\AppData\Local\Temp\CwIg.exe

MD5 fd43d4b10ce83f0908d66dda8abc4e2c
SHA1 960f4e1b0a4112d2111c025ff020b3d6fcae35fe
SHA256 fc5006b94a4a3a9c6db14810dd98bb67bc44e47dea6ddf257a3ad2197dc470b3
SHA512 d53f251d2efff10d77cde7a6e28307ae03db0770c0633e507b1e5317e26f24be9db3bb7cdd9abbe4d35d3f7e11fc4df22d6bad164199d9e8afe0f471c5a9349a

C:\Users\Admin\AppData\Local\Temp\oIIw.exe

MD5 4cebec8688aba70163ff533e0f50c905
SHA1 6eff3d30005544729d6416ac1b99fce55fd7bc41
SHA256 4a764f840bec65c5d0725c664a7f45190a28377c0b389a7cdb927a1017424f3c
SHA512 f161d52ae01554d6b79eb394ff16f699c5d0760d55eccec4a6145a2ae9a6447c7962a251fe331e5003afa5cb6328da6707f8afcca3e8eb9496900f2cf596a804

memory/5012-1652-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2504-1653-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qkcs.exe

MD5 04ef494a65542e8e20406030778ca916
SHA1 2551c318e2c366c9caed3d4000164eb36a3c010a
SHA256 660aada9c559be4db9e883b3e158c7b36ff7124719a81f0e4b755792483e87e8
SHA512 e4ad12ae68086f9e2e6d9fe70fa4c50890c1787c664fcde5956cda9012edffa5b43f805dde9f2a31f14ab3c2a8fa8f0115472b083e37be09c22c2a2b06a48573

C:\Users\Admin\AppData\Local\Temp\yMQa.exe

MD5 5388495c1517d73d7ea27148c994bc85
SHA1 7cc7827f9a377335e1f40d987abbc85d37fe6cf2
SHA256 ab2259ee0da54a6f5186f35b752cdbbd34082d5ea173f80e682c986fa9681a67
SHA512 03af2974d44445b8d17a678b8994e808dbf0693a3c4f386914b0071093307025c5be9826161cf0075502d96dae570f368021aaa64eb9b92c4aa7e6bf19bfc481

C:\Users\Admin\AppData\Local\Temp\icIe.exe

MD5 18fe9186288b3cffd82101b15abfa334
SHA1 43c844892999aa4e558d6a73cfdfc3990d9bd07a
SHA256 b7406cd7c39b14c643e9e19a8b4215701c295a2efe8e60b97efe50bfb58235fb
SHA512 e02dc70a2551fdaad633ad4cba4c8bbcb731510b9ff0e104f15fe577e2bc23d8faab07cf831054a391b868be6b7bfa49e635fa462f7dfc1f0b5f532154256ac8

C:\Users\Admin\AppData\Local\Temp\gEIw.exe

MD5 cad3938fd3bc06ef03df87a4add9725a
SHA1 55d1d38c4f74994ea11c8950a11f3ada93029c21
SHA256 afcd8b40ab56f314938b7c1f736ec0fcedb40adff0c58be32fec1a3c35169d01
SHA512 0b396b00afec2c56b8d879e59b200d3939ccb926f70289e7f01119e16d498aae0dd2c8bc820941c801e26ea0f7cfc7b71b63efb070088be4c72799ab97cb87fc

memory/3432-1714-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2504-1718-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mosk.exe

MD5 efdb3e7e6db59b42a25c56c6f23bf058
SHA1 a5a581404a80ce333387679c092d0fa6e64b53b6
SHA256 2c56f3f96a70f3de2e1d1a7019fce1f342e2dcff3c5407f39b2f64ce23a37095
SHA512 2a7b2597b0f3989708a660c1c928e0de56cfa1322cec3840ebe1986a9589b96852334da3bd2111f55cb2239224446894d68104fd1dc9ae0c0783485bf6453e17

C:\Users\Admin\AppData\Local\Temp\ecQs.exe

MD5 c06d3ef9640ab2187747100e70387e58
SHA1 a4f3f5f753c5db71b0d2493ba38c6a3b1fc4f6c5
SHA256 09a39e8b385a5a95e978aa460a55a410cf8bdff583ee16d3b21c1af648641d52
SHA512 0fc353ffff933c620e25d853f181438bc44e7f377dc46c13d7993939079a456280242abd6a27a541f5ab3157c607c748038907fae36be15d880ce191c872883e

C:\Users\Admin\AppData\Local\Temp\QksU.exe

MD5 275e05cae49e7bc92d094de954c9dfc2
SHA1 da747835ddb152ed5059a8840cf4917cf3e30005
SHA256 13f7f9fbded50dec7f329a8470f1c86a93248ab3677a00f8a4d1976026888b91
SHA512 00f882abc66cbe7bec7f79db876ddb73660b3387d5bf3e559c5065a744c0e5fbe5695caeb939bde7636131248f2045afc81f4434bb0f53841aeed1e927363bc6

C:\Users\Admin\AppData\Local\Temp\SkQS.exe

MD5 b1db2493b5dd4dee6d5d250e3fcaa930
SHA1 8a40ba00def4df9df0fcf238a244cd69bc62264a
SHA256 792c76c68782319c96c70dc42bf7c2b7809a9d2e5faffb0418d26e1e916ec4cb
SHA512 19d18129b82c5c4e9a7643c0063bd150410da7faa217f059a72a7734503c8c2fb14d9ab72f55549e6ff1f7e6fb74ccbd76f2efde8caf0099b8d49fb980bd7829

memory/3432-1782-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gwcg.exe

MD5 9dab30f4f49655d31d25e68863209fe7
SHA1 7fc99247cddfeaf14bced22a11d29236067a1dc2
SHA256 3d1998474e23fe17b92d542dae537b95ca1f4898c6936a150daa9661067d5961
SHA512 6a25462ad877b0846f4a90461327e3f7e028a9c9c391cd5d3ff1ecc0a90d2d097c950a1b55900c4149d8a2df3c1727cedb7726940e699de99abba23eb2a40b46

C:\Users\Admin\AppData\Local\Temp\ucEo.exe

MD5 439a09b8d51cf3d6198e700a4fef41ee
SHA1 6e57e72c26b28b1fc079fa72233aabfdef201728
SHA256 98a28d02df2a6e0e02131584b939ffc30736db1e40d17023c5f2169b79f14e14
SHA512 0582bd344b011cdeba29815f8ee86ed03df064b50ef7b7a346fadc0045431473cc5a7047e352d5b10da74b95304c770f65fcc601f060287de882e9eba0350213

C:\Users\Admin\AppData\Local\Temp\OsYK.exe

MD5 ff774e095180b9178bcb372a8246645e
SHA1 535aac5d4bd1cbc12f596d149ca98265428e5a7e
SHA256 1d52df8969fe28a02ed8406d49b2e98a39131895249ee1baf6009f7188da7854
SHA512 b3ede651a59b036dd181710575975a9fe46fd52a4df1dfcbe8a4bfb6bd8647eae59cda5eaccd9fc0d5676dd597bf9650e7c20864f023d044e24e8643f2e03fb7

C:\Users\Admin\AppData\Local\Temp\sgMK.exe

MD5 3b7b9072cd3997adc4802b9474f2379c
SHA1 57556c20850849d1d2a830330559449dab78c98e
SHA256 5529affee1781c6d66c076c6fd1ef711e593decf4b875dcdaac221c7d947372d
SHA512 85d1ecc39bf89f50e108e885020f9916641ed60d74cf468f90f0add009b8541b35dd973ec78ab0e78fc629fd71dfdffdba0cc74c68c1795dd510dac78344db31

C:\Users\Admin\AppData\Local\Temp\cgoA.exe

MD5 25dd3577d04ab34fe10eda1a581971de
SHA1 d1bf8cc668282aeff4ffdce9eee56551829e8322
SHA256 0b4823d7740cf6485c69660bbad7c5e0e1722162a137cee99239995c616c624e
SHA512 f074c9163973407e8d32bf3f54af296f4267b64b522efbf3e4bae3e51119069c408fef5da21c4fda59f38645e26ad17a56dc858f7ca5f3623266d02266e419bc

memory/4208-1860-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQEu.exe

MD5 fb014d707a0250b3b0c0afe70013b7e3
SHA1 2f173e912e0bec6f24b976be7d1f81e38758681c
SHA256 c793e672f1e52cc765a9255a22316d9077ea5efc04fc5e8aca46de1f37c61540
SHA512 5f1db45dd1378ef743b7ac6c965376583d3bdbea2df394d7134c65d14ac21051d8b3f0d090a495453642461afd92e425b9f8f6ce3a75a47e569b9e8175b361ee

C:\Users\Admin\AppData\Local\Temp\aIQI.exe

MD5 629bbb476b904d00820684eb71b33871
SHA1 a14cb4886c5590ebe665ed17df104e111f6fc829
SHA256 1b0274eb2449868239cb531db7d2f3fcb92c3670dfc5f5dee48330906d233960
SHA512 74478a3327b189c7a89dec8b71bfb1b5e0b71b7dcf00865378fb53cb8cd75beefbd050960e3f165df24276b34a9e7dbd1995e034e982784e2a9eaaebe328c212

C:\Users\Admin\AppData\Local\Temp\WUIA.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\mkUC.exe

MD5 5e9ba0f4a2f6ef378cefd77ff17b76a9
SHA1 cdc4b07bedc4d41fc4bc9e77ec1ef7c76bbc7257
SHA256 35d7dcdd0274e1349aa02e97da149548cf9d00900b1de08f422420bbfffc7597
SHA512 d5b8dc804d927eae03ccc471c333ade4a23e9dcaab0e51041b4d9e0315b4b81e243be9d9fb099bd0aee0e1fb3437a6e6fb1753468f72e0cc736058cd60da6652

memory/1816-1910-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gogw.exe

MD5 e6222a067300310430e6428d2e804ed1
SHA1 d6764c5bd93ab747b09eee3281f13bec8379a700
SHA256 cd0a8fcd70000603262e376d649a47021283003ea24645003a1df408a9fd5e2c
SHA512 062b475dddeb8aa934244be2d7905a94a977614c52516200ef3d10ef6697eab71c1f7945c3746809c660d3be4ee59b64c22549c30785f65dd672be37269c5a1d

C:\Users\Admin\AppData\Local\Temp\GwwG.exe

MD5 dfb90b09259e87cb69eb0cbf4e44f7ae
SHA1 602b21b349e332b5ebb9f09fcf12a299f5095868
SHA256 d348ca08b395c4b9f890ca8da11fea8cea18a616df2dee6f1f865f0a1224183b
SHA512 bd96ab0a34aa9027ef72e7f69c1d7e970df9a8bc233ec70d3e886780ccb9c4165d91f9bcad7019149b2c5add4e762f028e05f9f0e9b8c1fe43a0c72982a8ed22

C:\Users\Admin\AppData\Local\Temp\UUsi.exe

MD5 a558b82413883a8ff40b652271111c5a
SHA1 3a1afa273e56ab850d01a94cefd899748176934f
SHA256 168c675fdb31d9c7019b979ae3c2c613f97ef33cab85ba87cd7b9c08fb532ed9
SHA512 88eb7e3b754b86f3f95667f89977f911c6bb66c3280ae88e5f0b284433b44f16e6497efd1c0a76e422c24f9abfc8651fae478d7a06412a112a897605b5424114

memory/2756-1959-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQcS.exe

MD5 83e958ac52b3d906247e27c7070cd9c4
SHA1 b416097020714584b65b7f26d7d85e47356b63f8
SHA256 c07e6dbe427c0fadd8bae13a3e6827ffa3e35525fd3b0b6c69ca255d777f715f
SHA512 e8a21d2bb439cea35197609b08e41dd329f12bb6f95f2ec6234280addebfc46302a17664197301f40cad6019f68a93d3bf0700550261c360e4669d33aad7a92b

C:\Users\Admin\AppData\Local\Temp\EkYk.exe

MD5 cf1c6e4a6fd9425ae8d32b86935de4f4
SHA1 2330ecb29fe2b3eed97f26f52e4ab4c29a61dea0
SHA256 c8c64aa9cd898bc47d7a6a6e25a46e89946fb521d0eee056483927bf52250ba7
SHA512 49e7f59e66556d31e306f3a8f04fe2a52e067b85c243253d6a952ebde7342faf56653b005bc938a52902868e3154d9618c207834159f76a17aad038c81dde9fd

C:\Users\Admin\AppData\Local\Temp\mEEe.exe

MD5 212a3fcd99b12e3957892d06950e8d77
SHA1 b548bc55abbc96e3c53231e0cb68502c1d227d21
SHA256 e1a84064eed5f0922c3189685a7f0215aa1229ba0e81ae7d5cc75abca52bf9b3
SHA512 27eb27974e198163e268e3b6cd906e1124023671edce26345acf29683eb6ff94fd4ad83034e2fca2406b9491f5fb6fde350899eeec68b78fd0f499db2e9533fc

C:\Users\Admin\AppData\Local\Temp\IMos.exe

MD5 8eb411eae20b19c8c92a515e10183b74
SHA1 eaac1d2a90e64a30c804465dfb44c2dcef37bfc1
SHA256 9847e1be4dcc653c7e412049d863c82f9010ba7be06ef19e26f1226b6c7bc858
SHA512 7aad05b11263cdbd5ea5b432d8561e6907d946fe00c51400fabd89e3c980747dbe29ec45b40ac71c3fe33cc8d901e7d93f580117fcc88fc8182f93634ef4d344

C:\Users\Admin\AppData\Local\Temp\uEAG.exe

MD5 a09a3e56506d0744edc3fedbea6b1467
SHA1 a1788ebaeb7f2d46d615fbadaf754d216ae4adb1
SHA256 12d1ba4dd1a0708be505b38438fe5347da7507a9037bfccf5239a0abc9ec852d
SHA512 14a2bf8b7f1a7d3159baa9474ad4d6263f20b3053b67f9a900532a14100d5eeae0b21c837cfcec3c74677b676c86c24c3a835f68d5d4960ae578dc3ff34ad943

C:\Users\Admin\AppData\Local\Temp\uYEk.exe

MD5 d7f3c60ffa8cf478f5cb8fa79b04eba8
SHA1 1e6e7c0d8210feed4f2fabbd89b06c4bfeba6f9a
SHA256 66d5a1d8830a69838b4e0d1b0fd418107b1176836fd1341a2c170a73379fdde7
SHA512 bd40fb98084e2c8be5ca67c8648def7d1ce40f9293408ba933d220b69b5f4dc59cfef382c481819bea74054df512c926d365a8e997094a2c366aec4dc55c549d

C:\Users\Admin\AppData\Local\Temp\SIUI.exe

MD5 16b42e24c3ae0d104430b924ed68162f
SHA1 5332906aa83caa6b1a3f0c8e65ade65e7dfaab97
SHA256 2d012d2faa0b7f6d781798228a8fe1afc1dc979aa7846ecc4075841242e4d102
SHA512 f1450b4a8b4456cceff9f8a2069bca2650cb2b358583514e3e895f50c4ec4f916726971429cfa02b81ff5f40566b120118b214c986bbca094b2ce5bc15d588be

C:\Users\Admin\AppData\Local\Temp\usIk.exe

MD5 f55fa5217b3de9834ac0d0abf0502170
SHA1 8ac1f14e1d93ddccc9e76f287287da04052d0725
SHA256 b3b7ee775b3fbce68ffb7e678a00a5c721424f6affbbaac98720e46295731715
SHA512 e21571e4280f12e37648d3fc2b96e138222ee395b7d4309d6970614e209db2efcaa55fea0001cbdc6783648907dbda62d002c7ac8f838105fcf59404d94f6c98

C:\Users\Admin\AppData\Local\Temp\MMcC.exe

MD5 fe282aad69e9ecf65f56af91e29c70a3
SHA1 e30cc70737d87ee27783045052e40a09089f6174
SHA256 f544c0fc445a6a65bf9f8828ad424d1ea531e95629224dbcf5c968089d78fe15
SHA512 dab6013360f8010441bd43621d95e6a20b4047d0506c72ae3946fba70bb8952a3d565cda47768384e1452cb961dff0bfdbd29fffac6ece683fe4f3d5ab82f726

C:\Users\Admin\AppData\Local\Temp\WUQo.exe

MD5 6b1ef3b65996fdac882302228f0a4058
SHA1 bfe82392d63f12a9813b1e3ee1cd27fbdc9241d2
SHA256 7d490e06daee3cd93d52bd0c0c9b0be1a03667640f31635ad218f12cf505e6a5
SHA512 8e1c1e8b8d741d6c6e228fdb82bc353faed45ac79606c7708f193c0a3ad5f87dd58aa7411bbdf95c0788a2f7afb03ad8edaee40f9358784e009bd00b1ee19107

C:\Users\Admin\AppData\Local\Temp\gwYE.exe

MD5 1395fa803346318a2f84ac42338ac134
SHA1 0220adcefd7c163c1b34fe5164c942f88b518874
SHA256 c6000beb2c3eb33be75a89300fdd6d356d1a06e66f2542b931c8588e7c644ecf
SHA512 19d4c77a5e9baeee9cf5a9c2d6d8be4bcab2b5fba255c9387a49e047556bf24714b1bc1feb242a687b0cd532ea9c9fc2ba9feb10bf93055b9902e56e3eb6ef4c

C:\Users\Admin\AppData\Local\Temp\eAok.exe

MD5 7870340642c327fedd67c501f26d6b2b
SHA1 49696c71a21edd1897e1c29cd46defaa42abb033
SHA256 92ea4f84a7f31b7dbbb7d209f92f260a060cce4303b2763c157957a459f62eee
SHA512 49d4d1d40c9762f1c3072048cbe5444ee32d5da0c1110ed50b61d1d23f5cab9fdd2fe39e21b46bfc0dc80726e64b841f27fdafa97078b6a5f89be3b3f2fff7f7

C:\Users\Admin\AppData\Local\Temp\Wcwi.exe

MD5 775bd0c66508d05acd8b7d34bb2f3054
SHA1 be17450d716512c2c29c41759612a6e881796db8
SHA256 d628102da0b5578a6cdc57d1c689d44c3d15ef1b777da8a04517035bd016ab84
SHA512 5e09d13dd0328092ff813db321fdc5b6c5dc1fafd7fdd18cdcb8bd3925e05de6490b19bb8c9142505028725ba15ba2a5f96b8dcdf80314a0b3d64ca4db179800