Malware Analysis Report

2025-06-16 06:53

Sample ID 241104-c6z7pazrfv
Target 2024-11-04_0048ee167026646b746be0135974898b_virlock
SHA256 3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2

Threat Level: Known bad

The file 2024-11-04_0048ee167026646b746be0135974898b_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (84) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:42

Reported

2024-11-04 02:45

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(63 identical events, collapsed to one row)
Note: HideFileExt = 1 makes Explorer hide known file extensions, so a dropped file with a double extension displays as the document it impersonates. The value lives under HKCU and needs no elevation to write.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(63 identical events, collapsed to one row)
Note: writing EnableLUA = 0 under HKLM requires administrative rights the writing process already holds. It switches UAC off for subsequent elevations (effective after a restart) rather than bypassing a prompt, so the signature name describes the outcome, not the mechanism.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\ProgramData\CgwsgMEc\BqwsIgwE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PsMoQcoE.exe = "C:\\Users\\Admin\\ekccwEoE\\PsMoQcoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BqwsIgwE.exe = "C:\\ProgramData\\CgwsgMEc\\BqwsIgwE.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PsMoQcoE.exe = "C:\\Users\\Admin\\ekccwEoE\\PsMoQcoE.exe" C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BqwsIgwE.exe = "C:\\ProgramData\\CgwsgMEc\\BqwsIgwE.exe" C:\ProgramData\CgwsgMEc\BqwsIgwE.exe N/A
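The three registry signatures above (HideFileExt = 1, EnableLUA = 0, and the two Run entries that point into C:\Users and C:\ProgramData) are the detections worth carrying out of this report. The Python below is an added example, not sandbox output and not code belonging to the sample or the report's author. It parses rows in the flattened layout this report prints (description, indicator, optional = "value", process, target) and applies those three rules. The sample rows are constructed to mirror the report's rows; the rule names (hide_file_extensions, uac_disabled, run_key_user_writable) and all helper names are assumptions of this example.

```python
"""Parse the flattened signature rows of a sandbox report and apply detection
rules for the registry indicators seen above.

Added example, not output of the sandbox and not code from the report's
author. Row layout follows the report's tables (description, indicator,
optional = "value", process, target). The rule names, the sample rows and
the helper names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rows in the shape the report prints them; the first four
# mirror rows from the report's tables, the fifth is the Geo\Nation query.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PsMoQcoE.exe = "C:\\Users\\Admin\\ekccwEoE\\PsMoQcoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BqwsIgwE.exe = "C:\\ProgramData\\CgwsgMEc\\BqwsIgwE.exe" C:\ProgramData\CgwsgMEc\BqwsIgwE.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A',
]

DESCRIPTIONS = ("Set value (int)", "Set value (str)", "Key value queried",
                "Key opened", "File opened for modification")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


@dataclass
class SignatureRow:
    description: str
    indicator: str
    value: Optional[str]
    process: str
    target: str


def parse_row(row: str) -> SignatureRow:
    """Split one flattened row. Target and process are the last two
    whitespace-separated tokens; the indicator, which may itself contain
    spaces ("Control Panel\\..."), is everything before them."""
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description in row: {row[:40]!r}")
    indicator, process, target = row[len(desc) + 1:].rsplit(None, 2)
    value = None
    if ' = "' in indicator:
        indicator, value = indicator.rsplit(' = "', 1)
        value = value.rstrip('"')
    return SignatureRow(desc, indicator, value, process, target)


def normalize_key(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\... path to HKCU/HKLM and drop the
    Wow6432Node redirection so 32- and 64-bit writes compare equal."""
    path = SID_RE.sub(lambda _: "HKCU\\", path)
    if path.upper().startswith(MACHINE_PREFIX):
        path = "HKLM\\" + path[len(MACHINE_PREFIX):]
    return path.replace("Wow6432Node\\", "")


HIDE_EXT = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\HIDEFILEEXT"
ENABLE_LUA = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\ENABLELUA"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def evaluate(rows: List[SignatureRow]) -> List[Tuple[str, str, str]]:
    """Return (rule, writing process, normalized key) for each rule hit."""
    findings = []
    for r in rows:
        if not r.description.startswith("Set value"):
            continue  # reads and key opens are not what these rules score
        key = normalize_key(r.indicator)
        ukey = key.upper()
        if ukey == HIDE_EXT and r.value == "1":
            findings.append(("hide_file_extensions", r.process, key))
        elif ukey == ENABLE_LUA and r.value == "0":
            findings.append(("uac_disabled", r.process, key))
        elif "\\CURRENTVERSION\\RUN\\" in ukey and r.value is not None:
            # The report escapes backslashes in string values; unescape before
            # checking whether the autostart target lives in a user-writable tree.
            target = r.value.replace("\\\\", "\\").lower()
            if target.startswith(USER_WRITABLE):
                findings.append(("run_key_user_writable", r.process, key))
    return findings


def run(rows_text: List[str] = SAMPLE_ROWS) -> List[Tuple[str, str, str]]:
    """Parse and evaluate a list of flattened rows."""
    return evaluate([parse_row(r) for r in rows_text])


if __name__ == "__main__":
    for rule, proc, key in run():
        print(f"{rule:24} {proc}  ->  {key}")
```

The Wow6432Node normalisation matters here: the 32-bit sample writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through the WOW64 redirector, so a rule matching only the native path would miss the BqwsIgwE.exe entry. Reads such as the Geo\Nation query are parsed but deliberately not scored.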

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (28 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (11 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A (9 events)
(64 events in total, collapsed by process)
Note: the NLS\Language key is read during locale initialisation by practically every Windows process, including the reg.exe, cmd.exe and cscript.exe instances the sample launched, so this signature is context for the process chain rather than a detection on its own.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(56 identical events, collapsed to one row)
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A
N/A N/A C:\Users\Admin\ekccwEoE\PsMoQcoE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\ekccwEoE\PsMoQcoE.exe
PID 1836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\ekccwEoE\PsMoQcoE.exe
PID 1836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\ekccwEoE\PsMoQcoE.exe
PID 1836 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\ekccwEoE\PsMoQcoE.exe
PID 1836 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
PID 1836 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
PID 1836 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
PID 1836 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\CgwsgMEc\BqwsIgwE.exe
PID 1836 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1312 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1312 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1312 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1836 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2832 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2832 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2832 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2344 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2344 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2996 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2996 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2996 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

C:\Users\Admin\ekccwEoE\PsMoQcoE.exe

"C:\Users\Admin\ekccwEoE\PsMoQcoE.exe"

C:\ProgramData\CgwsgMEc\BqwsIgwE.exe

"C:\ProgramData\CgwsgMEc\BqwsIgwE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMQwAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwoAAAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCQUsYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsIsMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyAEoswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAMQssks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMMMckMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaIsoIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEoMoYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeUUMUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIckwgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOAYcYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmQkoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUwEMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsYcUYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGAkAggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqoAMgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUsQkooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\liIYMUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PusYcAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkMkcUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqoQIQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oegAQUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgUccYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEUokIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dykosQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUIcIUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeYoYwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsYwkUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEMAkYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1152699446-225489920-160263440619160776707148176831071960719265092953125757553"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YewYgUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsYYggwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cowQgEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGgIkoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1110834162-7775919-434209221-19712775571725990863-309356112-452373675-1994183479"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmgUkkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqQUkkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOEoQcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1044627975-1336906329182525901820783766059173961053339799301073652738106232463"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsIssUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGckYYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7366060021492938547271382216-155759699-1624790695-1734328765-469359512672886867"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkMUwYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAoYUUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4036379621613526456-5109707421590299967-9761364242139096034-1951334892884183828"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiokEMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIUQsoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-815483612-31281271721308594521721721541548566373-5340560701225512470-1676807289"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-101603612717714526422099974939-134088752-626859888-815434516141875171964927757"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmIgscwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1942668385246665526298106580-513548416-1609542498197825998611359168321403509076"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykQsQsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16582666097166232181880578508-750518612-597692471947101342-46697316761881071"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiMAAAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMwYwMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygskkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUMMswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYcQkIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCQAAIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYgkokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWQcgEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WagQQUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wuEwwYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcgEkAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMAUgMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwEUUkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQkIgksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwgkgcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiwEkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkEgYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country  Destination           Domain      Proto
BO       200.87.164.69:9999    N/A         tcp
BO       200.87.164.69:9999    N/A         tcp
US       8.8.8.8:53            google.com  udp
US       8.8.8.8:53            google.com  udp
GB       142.250.200.14:80     google.com  tcp
GB       142.250.200.14:80     google.com  tcp
BO       200.119.204.12:9999   N/A         tcp
BO       200.119.204.12:9999   N/A         tcp
BO       190.186.45.170:9999   N/A         tcp
BO       190.186.45.170:9999   N/A         tcp

Files

memory/1836-0-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\ekccwEoE\PsMoQcoE.exe

MD5 b5b4ade29b33f6f62ed9db062a7eeeb6
SHA1 e6db49403e03b8b04f3d14ae14d9fddc9e6a84a8
SHA256 d6aac02d9d188e6b8e3f932069a36c92ed1222762460b67c14ea18d3750970df
SHA512 aa8d323a975174282ae69d940a82906ef6b2f22908baa697feaefbabaff003fef326688edc830cb96951267ff3b27a7adab3c89bd74ff09a1e98504c82efa3db

memory/2380-14-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\CgwsgMEc\BqwsIgwE.exe

MD5 1ecd9a2d2261066908e87a5ecc522421
SHA1 8e9aa64a0f591898a37330025d5a87ab25ca7953
SHA256 364cc6ea4da2306267a6600157c0bc68ab3f3e3590a13d5df334213ccbb92404
SHA512 cfa580ea73434297918c7499322d18f9751c1949a41e99bdad84a66b8a1c6b4649d571484bbee05940d42058dc2e510d63f22c987171fb75c894e70d7481a9b4

C:\Users\Admin\AppData\Local\Temp\WgQosoAQ.bat

MD5 e42b28899be0d1c5dc64a97b5b2479d1
SHA1 20622cafb39c13729b18fd4441004229022e9fae
SHA256 b28277c6ea487ca99e239573f1d1e72c17eefd4eddd44aacff6829f422dd1202
SHA512 21b34cefc4cd5e0f129a4c2d8dc25ee9a8821e9902f384260f199d91f1e305c1fe4e92761ff753ecdeeb499e46b04b7b375d16a5f780f9f8661b10cc0f3a92ad

memory/2484-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1836-30-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/1836-13-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/1836-12-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/1312-33-0x00000000005C0000-0x00000000005EA000-memory.dmp

memory/1312-32-0x00000000005C0000-0x00000000005EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hMQwAMwc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1836-42-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\RWkYEkUE.bat

MD5 b5953b08f3c1ffdfcda146f30ff62a09
SHA1 1d922aba7c85a0a3adbd5d26a26271f0c8280df8
SHA256 f4ef077bbd90d0a6b678289e17b7dc8837751ee92eb77424aae31f803e36c5b6
SHA512 0941134baffefebaff94569b37a68f00e4e06736866991674a189108b9887eeed8cb0623213bf0b6ebe09e99414fcad6ae990c130407b49df996513bb9adf5dd

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

memory/2664-55-0x00000000002A0000-0x00000000002CA000-memory.dmp

memory/2344-64-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JIwcYsog.bat

MD5 3a6570c122e1819b0d9ae1b435e3fc61
SHA1 8bb9d8509bbfed71df68a68a4097151f6b8cbbb2
SHA256 d8dcef5aefb4f8d3710d2a9af8af4279b64956b23ce5074d52c71cde9fd302c9
SHA512 026ece0969f7cc0ffa6e68677a2347a9f3c2d44552b5a94fa6649b39bffa00267498285e39bb0c4bba53087c411d48babeee72d30ab24de12161248cc457213f

memory/856-78-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1120-77-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2784-87-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\poggEEsk.bat

MD5 2bfa073912b4284316495529964eb031
SHA1 5dd255c34fd6dca8c582ed45f5705ea2cc1ede2b
SHA256 5861a07c6e67aac83e8c661d2fdfdbda41ae4a2041141c359302a729c3d8d862
SHA512 340dc891d0af0cd77ea9ef93c7ff4a34135c10a73fb16eef97270bca7b0c74542a390eba7bfc2ecc09eaed8542a92efd71f2f2e74f6998ceef623bf14660858e

memory/1140-101-0x0000000000120000-0x000000000014A000-memory.dmp

memory/1140-100-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2372-102-0x0000000000400000-0x000000000042A000-memory.dmp

memory/856-111-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oEwMYEwg.bat

MD5 1b3574a89c1688cf415ba2670f64f694
SHA1 b608aaf84d13542e858f8be4841343c34fe99921
SHA256 827fcdd2a0cca8b4233289d10a4e135fad5f6dd8d2b30662a122c9f35492c18c
SHA512 cb6d5c6559a02ad7bb93b3ea602deab18e0be08c7b5e3b3b1b3d2162463014df434a163e4c8a7d6d6cff4dd431e2abefe81176dc3edc34ecd43cc2f27c17957f

memory/792-124-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2372-133-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gCskMEkM.bat

MD5 1fcc8d821ba5790551035cf70c8dbec5
SHA1 e48a09f04262be2725c35be40aa223888b774215
SHA256 795ccae1e57ba2b98232f585e00d5db2a08b68c3504ca96dd449d3899e3d8fd2
SHA512 f578b7781cb4c720c4acc08a0d6acccc609f79e6cc0e0786a89813c7a290fdc141962c4ade365b750a35090b21872e417f4adbb4127aa8cb181e0cf8290f2a6f

memory/1604-146-0x0000000000400000-0x000000000042A000-memory.dmp

memory/792-155-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYwUYIAQ.bat

MD5 33336696090fedef9942cf7f1a2c178d
SHA1 29d028cc52bba721efa39cd4f171aa9a6679193e
SHA256 419985f5da87986e3a3a41ddf5b1af6a96b6ee7e4c1771251629a3f8bdc9f4e4
SHA512 689820129a70e986afb3cec1d1d5ee3bd6bd8e6a53eaf2e8f564a791fed27d56b916eddd6d5f11e90c4da05e320804a03dbcbfdcf0e1e331677d4908c0724777

memory/2772-168-0x0000000000160000-0x000000000018A000-memory.dmp

memory/1604-177-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SgkUgAUQ.bat

MD5 f365b876f5299a7b80d34591cabaa313
SHA1 97edadc2bce5d96ce20ebd84cea29db80d44bb5b
SHA256 bcabdf9d45925bd03c419bdc11029fbea5c57ae2f5ebaf236509836dfa2e1c7f
SHA512 52bb1d019fa7bf4ad15e430d2e7cf773153567f655859ee22999cf885de96d256f1e702071dcfd5907c5a1a1bb466caf81b862fbce0cdcb7cafde31545626b60

memory/548-190-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3028-199-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dqgMkQsE.bat

MD5 8811cd2d46489197da46f575e589c008
SHA1 573504f8f8cd84af2ececdb90b412e2cf3915538
SHA256 a7e26f29a5987ed5a5a951647e6868066b894943d0288f2083647574f84c0fa0
SHA512 2b75638249275619c880959189d457d831be601c96f4463463fa190c9429bd5c9e575afff0118409cb85427b395945de3049a5824a7ba07f60156e9473667ded

memory/808-212-0x00000000001D0000-0x00000000001FA000-memory.dmp

memory/808-213-0x00000000001D0000-0x00000000001FA000-memory.dmp

memory/2120-222-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jqYAgowQ.bat

MD5 063eec28510861ef308fdbae49615d06
SHA1 61a6efc6b6cf7275f45e8eace48555632db1e000
SHA256 17853cea8312442b9b853be911dbdc216035589c1579826746b8c4d389adca7b
SHA512 742b6e8a51bb2cb66ed6bb50d25a2222318ddb0499eb525073318e9ff987e9fba432d081ec17a65fa3fd68874a754daff8fb44c6f7f657b2f28470289bef62d8

memory/2544-236-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1120-235-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2340-245-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dQMcIMMc.bat

MD5 5770226ae210104827351f49c37e12a8
SHA1 e8f9bb45789bbabc6901164a9f1a9d7bc9d4a6f1
SHA256 de89c7e3e27f28253ccaa181f2e0c1539022b6e960fa67c46e9be7a312f38d30
SHA512 3731fdad58631752f3a94906121595c8fe15c8abf55ef772805699546707b6f1e6b1139cb033e3359c91d797dc457ebd4f24eb4519c50fd58f38c7305dc2130d

memory/1292-259-0x0000000000170000-0x000000000019A000-memory.dmp

memory/1292-258-0x0000000000170000-0x000000000019A000-memory.dmp

memory/2544-268-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tEQsYQcU.bat

MD5 f59ef76f9bae1916b14ce71401a2f563
SHA1 3c70aa699da69a1e089ae64c4689e4a25275ebfa
SHA256 7419ca2a1a72f260b0decf2bd2731c168ca6a7dafc7571b3957923df3ce3a050
SHA512 a1e83db593eaf170a25cba83f588991d529371cfb449fcf94d8164036973e1e07ea4c9d63f41fa4789f7347c70bda6e011c6cf833b642ebc2df03d861254985c

memory/840-281-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1960-282-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2600-291-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wAAgIEUI.bat

MD5 3fe768a28eaa7e9de778d2009339d289
SHA1 6d6189b1d6044b2943299a67ee4424daf56df72d
SHA256 a1958e69d6faad0ab9369e93544681ef11fe75f51c268736359044e4249abe95
SHA512 c924aa8c77520f446f770ae0083aca7b8eb453e22ab108b0adbb636fe9518e7b213e402b031eeeb2b5119e0cfb0c4bfc1ad1a560e9c1326a9f25fa7ff4717c0e

memory/1960-312-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iCIYsUUo.bat

MD5 4c47dbe3af2d407fe88470a657742baf
SHA1 5226c6b799de98f565e0dcb3617223057a7e010b
SHA256 ac56f5e815d5e32d1c6a7b47be3a356be8d1da3614d4c42295ff22c27f0f43df
SHA512 c3e93cb0e5a341d25f1958f993583d536d9ed7e4a9b20747fd481fdf4715c45fcb487dd79adb73c9db05be21281c829f16e438cbb20c84dcb8147f2df0772fa0

memory/288-325-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2620-334-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WgckkIwc.bat

MD5 5d100fe60521620927c3eebef62f3f3c

C:\Users\Admin\AppData\Local\Temp\eUcQ.exe

MD5 8feb9622ffccfcce8f91ebd8fc047584
SHA1 e78a3bd63f796b6b86921c3f34e966d46b19614a
SHA256 34ee9485194c6a5cd93e0f5e45ea6ab6c8a6a479e7ed668269245bf7b6606a90
SHA512 f6f0b2dfc99e92c17bb05deacd119aa366946a100f1f9e8ad24a900fa5107a40ddcc735268a077ba7f70e6e46460eefbff2ec3c7531610f501cb9d45f6f1e227

C:\Users\Admin\AppData\Local\Temp\WoAw.exe

MD5 2af8d788375f8f3176458fb4a43eb645
SHA1 b98fc4b4011c2d3f16eb32fe4e45c9e1e7ad2d5e
SHA256 2a2da99fa9ef0fae5e5cd2d03146c834ab4637f338097cbb60451a29811fd9b6
SHA512 96a8e104bb2f5066d35747a8bc49f0e07178cf9a0357d22398a350a3ee3bc6de94c2b39451391b56694e8e56320c90cbb19babc1ee1ea83d5dba4351b648c6c5

C:\Users\Admin\AppData\Local\Temp\MkEW.exe

MD5 742a5ae0ee6de14dcddab9efe59fb427
SHA1 8bcaaf6309a0e6efa9d694389e30d92ad1571358
SHA256 0e6a0212ebecdc931125de66585a269b14983500007f21f611443696bc5990a0
SHA512 545c0004545cc1c29d5e2d4eabf45d1323c514b39a34a28be2905442a98006cd395563919087df128115c20324285c8d9740106f46e114fbfb97c0874fa16afe

C:\Users\Admin\AppData\Local\Temp\Lkwgosoo.bat

MD5 c281b2815273adf70a1c5d186a517430
SHA1 eecee15c2368e87b8d3e2be51ac1899b809f2f93
SHA256 303f3ed16a289c02e30c96845eab8b76f319075ec3caaeae13341dadf06b1668
SHA512 528b23c829bdfe92d4d70e8f679e80158a801b8e475760a8b3b20bef6ccc2134950a4433b6e6bf07a384c366ab258364188600804bf13b419e05c29e3e692f57

C:\Users\Admin\AppData\Local\Temp\eAgG.exe

MD5 faeaae81fcfcd99ba0421d3897b17f6c
SHA1 b832ee889e0d3e30b98a3a0f11e5c041c5ca0661
SHA256 890fbb138405c0684fb9cbfa3f81dd6da58d34be22f6e6acd902991031944943
SHA512 69bb2c2e9a3d1eaec6d03880c2de400aaba791eca4a583dc9db4662a578793893ecd7fe5d788faecffa8b3710c9b0b7c18e95a0d3978de66624bf1746d4a14ad

C:\Users\Admin\AppData\Local\Temp\SAse.exe

MD5 51112d322369b59ab67a792f76d5bc71
SHA1 2c81663e6e62254fd858b392cf5c8d0a435b5948
SHA256 8e4f340ca1669708e1f0b18d2fa240e23ad0f7a23a509f90842145d17fe4ada5
SHA512 11e67f55c047f697cf6ffcb9acf29bf7a46c156c6c0b5d7bcbd760d7c939424fc1187d94ce51ea20301105f8e60be7ed6d182034eeb570f6600b2682e791598d

C:\Users\Admin\AppData\Local\Temp\wYcq.exe

MD5 03d0c8333ebec1bbf0174b8fe09f6d0d
SHA1 e9d793c00a4bc88b6ee2dd490cc75b9d9b931703
SHA256 97cb218a01d4ad80bda7b22dd8a20cf0a40ef5f2867cf9c8f15037c5d0a10710
SHA512 ed8cf95311e0d88d86f4a86ebd4e8068c5a66ad0f0a7c1829980dac79d3f74d3aa1030012b3e0a77c2095de776e82e38780813f10b310a3bc68fb49b9b9a3753

C:\Users\Admin\AppData\Local\Temp\MMAG.exe

MD5 3069d461f98824f7b3eabf192b6c86f6
SHA1 407f66fef920d39ea034206f40d5d3e87fe98c50
SHA256 4b3a61706049856d6c9d6ae0a700ea221afa9ba04672f5ad9fa916f33b9adb89
SHA512 e90e4fcfe1b9fada1a67ae0eae2ad83148e91b92e7519c6603753ed4c403d39c210bf67567ed9b2a44839eaad78921198f03ecffa934f9efe608bbe1c11f464c

C:\Users\Admin\AppData\Local\Temp\cksK.exe

MD5 65108cad7de64cb7ed26eeda293bbb52
SHA1 582de569b5040e27338032226e53f92bcd4908cb
SHA256 12abf39f0bdf042595a76c4630610c0835ab563d0bdbc76211e4e74068c4a2e9
SHA512 a92bd9ffb1272a549aa9e7c44ce84629a9ea06ac74b52cd1415bf9069e58c80b2f853af756b1ab12111d37c83fb17b27df105a6852fc10ffc24a821f02511cc2

C:\Users\Admin\AppData\Local\Temp\xkkQQIIQ.bat

MD5 381731ae2e074eefd56cb305e0dfd09c
SHA1 4ebc2d01ca01b68c9cc1799794f71c8220eeb615
SHA256 a36857206ae471ae261882e504a6f350723e5d64410e789a19d8fc60e2d1ac75
SHA512 4c7a870b815d86d0ed280e22ca1742575c8675dabff88ba82e82f529edf265530ccbf3f9debe4b81e31fb96448de87f3dcab31f989b0d393875e687f9c06e89f

C:\Users\Admin\AppData\Local\Temp\Osss.exe

MD5 81d4206261baa3a387578e1c4c549edf
SHA1 95b46314e8f47eed1d223a7ae424e73faefe8846
SHA256 3b93a4e941592432710cb12a3276c1e856fe7d703e9857439e3c5e54ed6263a8
SHA512 6500c684ef1f80efd225531ee73059d2db75d9b222ca04f8c2b7e9b314a06cc6c6219dbb32bc0c891604180e05bd3c82b6f0c1d563718c8eab7dd6b073de9a5a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 a2af444eacbcd38a7766134bc397b5c4
SHA1 ac898c6b2525df3822f0cecf91ec856ec6473a87
SHA256 400ba8772b2e029d2b09916933c4fd41a937b875eb9c8cc7f9a2fc326c2d514b
SHA512 fb29d8c9f2ad43f04a6bd9733bba1da969bd011b2851d7e360053e21f6726acae67294f825c306b8cce56839b73d13d6a2322b87d5604210aa77f10bb942e0be

C:\Users\Admin\AppData\Local\Temp\eYQI.exe

MD5 9e13749086b80d563aed6b8ee68a66d6
SHA1 d7a286f918802041c40103872de21bfabde531e3
SHA256 98e0237c3036d2c552158ecbae129ac9f76371e47790d166b3a0e10bd08ec204
SHA512 4e46810481f22fb288792874492a8183ddc25a637d15f0d1fd87c728d94e49f44a808cfe49d3792fcb1c71d96f571d3f245c49cc05b7e0920ef411e4f77c8f5e

C:\Users\Admin\AppData\Local\Temp\DSkkgssE.bat

MD5 988a241ac8f9dfd49efe86a918f39029
SHA1 db010bcbda4ec48da9c5146a0ab1a3a002cbb940
SHA256 396ea446109cfded26ed52a5dbc961ac829999088e0304d8c2af06bbe58f8ed8
SHA512 1fba35f8e32df1a6464b55522cf16cdc112d37549ed057ea2dc85f7180009748e015eaa9722df6c4f39c6a9e9d6cb51369213325fae344e6dcf3c89022620f1f

C:\Users\Admin\AppData\Local\Temp\Ecce.exe

MD5 603f44f14c4c0b66c795713fa8e376dc
SHA1 5200951e11140237dd0469e142208966faa6ece5
SHA256 f62798aac328ecd9438d2c54a3fc91c35d114c5d0be64ebca3e2936712d7d009
SHA512 774f3449ec3b72e32eb6c2c17c0f2a1dea8249000de825f4fb9ab382f0b5ee71009a751c1fb7f6ebbb39f36a224e1d3bf63935771dcd452d07f166100f0eb21e

C:\Users\Admin\AppData\Local\Temp\KcEw.exe

MD5 f1dd41943df6647d2bf13082abca5d30
SHA1 fc465bd4dded5237388d3ecaeb8459b81714dd1f
SHA256 7e44e50b85ee33679be55fc22e501ee9d7814e4a37485bb1c083afc74ca2b0e3
SHA512 4f64943b7f38c28977e34584f382306b14ad7f7a259ffd557dc421eb455ba1ca2f90231f25dcf49d1760bcfa57b1caed19e2126e0db438f175afaeee798e2eaf

C:\Users\Admin\AppData\Local\Temp\aAsQ.exe

MD5 0c7c4cc947aa312d08fc466a8585fc31
SHA1 9400c91df99fd31066b4a2a1a8b77823b6d88b8e
SHA256 b675c2cd41c28549a676c12001276ccc674285ad24ceb3219c4752bb56515467
SHA512 0bb7136ff69eec566ebeb8747a5cb7abf8d9d9a59ed5f11a66151b20c2dab1332f39c5504729e001142f8204d42986940a9b59cf459b8e9114ecf79f67a5d63f

C:\Users\Admin\AppData\Local\Temp\Sccw.exe

MD5 d94631694c3db6b7ab12de489b2d25e2
SHA1 bdc6c7af1bf988bcbc5336029266a12e08655b14
SHA256 40af1658bb48445a2124ca57e24b3f759580c6e8383c29d1a837aa247e80ce59
SHA512 008b1739f7411f58fd916f1c69a2a85d037989c6b4beb7e0e8bad0d7352ce7eaa12a96097998293011b012cf41f84b9586773213601564ad014f846b9fdf68eb

C:\Users\Admin\AppData\Local\Temp\CccYIwcA.bat

MD5 d2204bbb791c763bb6f8e7d973ed9138
SHA1 0dd08ce41d22e5132614f27aa426e88b50d784d4
SHA256 54d3ebfa284b42642bbc5a35fffd90d737bf8cd9f290f2be5cb2577e7480dbc6
SHA512 0d422a36421768ad03623a526571483c0e2a9212eb5600559a5bce6fafbb8732089a83fbb98bfdd1f1c9d6e21fdf237d84be1b3c74c2817a0b15af8169d4bf70

C:\Users\Admin\AppData\Local\Temp\MsMW.exe

MD5 6f1ad1d7600d404ed4183285b85f11bc
SHA1 7657fa96f18343bb48dd1f9b4bbb7a454cd06d07
SHA256 63bda88e50cbe0d82586d1f8ef756e445a0bb64c96fd91843b44fe973327625c
SHA512 033112158d7a52a70bd0d7fd6b518a68a1588443055f8b36b5a48a9d9fe00df865b3e6d4a979d871a02ff6f1e2deb25699dbdf85ac3006a4232f4b73954147a5

C:\Users\Admin\AppData\Local\Temp\wIgs.exe

MD5 443838d4525ccd396608054979691399
SHA1 e6b7ab8a055fdcb13a48eaaa15d06bfe8af2db9d
SHA256 877d3244a15a0036f1b92f02ab1252031997dbb7fce97a3c72e136ae2ba95bcb
SHA512 44651de2d8b2c20443450a176545da0c00dc8d4e59f9ee7342cb7b122289bfda17dfa66cce295740667e919bf789c98d0c01c957db46b40f761bec0d5c96bbf5

C:\Users\Admin\AppData\Local\Temp\iUoC.exe

MD5 82961bb5e02b0f3abc916c6b2140e808
SHA1 4ac8632131fa7fe374a8f580910288bfa9d48f4e
SHA256 b3568800b03086d7da0990baf8e0e7c249f73a4a3b069abc34c5eeee951d0a8c
SHA512 ba6ae283642062a7aabd375adf982e8445b5c278902709a5ebb5784f31deade7ba777da705781ebb4d194a639e7bb37627bc7ca645e44004a168ab957c823b05

C:\Users\Admin\AppData\Local\Temp\GAsE.exe

MD5 7f74344dc57e111f86b18d209639fa1d
SHA1 eab7ee8d27bfc7116d57b1ba7bf92979d078e675
SHA256 c3771e53dff561e8a0992ab49bf1644631ff200fd63d8f57b093a0b7011bf3df
SHA512 823cda79c4dc5bff3f6178e8efbf3c38f693766962e6eae8e4b61a74110c8affdaa29f98f2f3aad1d2d50ff94d9836247af6972a08518726f7edd16db6c5b050

C:\Users\Admin\AppData\Local\Temp\uaIwkEYc.bat

MD5 11532a7b238c704cbf8c2d69a2a4bf85
SHA1 8e1a7e594337fcfaf846fa1b165f83653ec0b622
SHA256 8bc7b2673239c2f5dd76b8f8c6a4e4da4cfe936e30a2a459d74aa8d947a257b3
SHA512 b1ce4090f69656b238bc2d08a5f56acc9329db78b381811253e76535eb8ca1aefc880955e04684204dd170176fae920c0bb4bc495054f08fc23612bcffb937bd

C:\Users\Admin\AppData\Local\Temp\Cowi.exe

MD5 3f8236df62635b7a535c4de4f397b58b
SHA1 6364a975ca2941a373d163df9f25330d9b2a4930
SHA256 ee3e5b032a0e33e819919d8e36e503b5eff163df12ca6b794c78735401dc7883
SHA512 9c661ecbd4a3e0f3da18625bbe3337dfa2e169ed94d3ba925b06e9b519299009fbfd798fe4be64476c252feb09416580221eedee7128badfa747186d5332d9d0

C:\Users\Admin\AppData\Local\Temp\CssA.exe

MD5 9dc9bc2332fdb91b45bd8ea6e38902aa
SHA1 6e9cf419f464cd1749c860cbc695d8b6648cfb0a
SHA256 407e27b749340ef8a1794eea4b21fa9b0e6aa5caf0868ddfdd9d4c77c807597c
SHA512 0b78c4540b4b04e148db2bace5bca000893762b8938e3cad46b45cfd0c77c665bca541f9aecb5273e861f428fa6761761fff6acb7dad92b978683a488ba91c4f

C:\Users\Admin\AppData\Local\Temp\MggS.exe

MD5 4ce54f8d2dd988ddae0fdc890c8fe5fe
SHA1 c15ee542efcb0a79b02d2fa037a2ec1db5410a58
SHA256 3c066bd5c3b8e5677ffc65f3aeb916c43436e1f5f024e0dc92ce151642bb4299
SHA512 fe642ae8a5aacff8add05751760e677a8cd4d83ac3ab58ebc1e9a17476661bc6cfd1a020f54e66f93baf0268fa1ad6819a91e87973979d65dc59364cd695e5a4

C:\Users\Admin\AppData\Local\Temp\qwoo.exe

MD5 dc0a5119ad57d8a9da1895e8ef1cd54d
SHA1 684827c2bca018efaba9dec9fc5b9b3064126c3a
SHA256 a0f4b8f1df791f73fd963dedf5014fffd861e09c30ec82253b52853c7654a8ec
SHA512 143229bdb46affd74316058cdac34d6dda9d719e0439a07ff438b69d93d755e100963534ad4a190a88c00bc3592e7e1e5b5cb7628df4a2c0571e16d60bf18946

C:\Users\Admin\AppData\Local\Temp\SWYIEkEA.bat

MD5 6dd5cbc563386b175787ee5db32fc944
SHA1 03bf98735a55951e53b6b9b8ce2e29878470e19d
SHA256 9326e8de32b8f156105865e51daeeae8cb255b4be1dc635ce39a17dd77ebe890
SHA512 f31fd52a4dc2ac4dc7077a234b976314ff2e0d279eee498caac4c513f6b84b99169e30bc0e93a04e25299691b372e5a0997f1e96ebe53ed7c1c524e7b452470c

C:\Users\Admin\AppData\Local\Temp\uYYI.exe

MD5 42a26d43160a600b383a115ef89760fb
SHA1 8cde885c2a787e0c3300691d140ca4fe52066b0e
SHA256 79c2ee0d6921f34763d2dd72f3c05160dfe8f62841e010bb06d4ef5c2bdb9b0f
SHA512 1c2cd5f14effc9547322ab882b2c07a89a7667501a15292f47259209601ea34011429e35ba2f90b64b38870ed8825ea5a8f7b5e438d814347886bd88824bc784

C:\Users\Admin\AppData\Local\Temp\iUEc.exe

MD5 23053f8a825436f7c762aee9acfd13c6
SHA1 ac340bb59ba97880e5d77fd61af8853129f38450
SHA256 e8487b1a76ad3ac6ac38aa77e5a9bc0faaf67f7d8b8642dec9e46ba2b8025ca9
SHA512 0acb748c4c088014beee7e168655d67ac00abc90b31f73529c6c1e977277365a285182d809bdf87e65c912d0228f8c2b3b662e429ac4ab1181ae31469f74b00f

C:\Users\Admin\AppData\Local\Temp\WiYsUsMo.bat

MD5 a4b3c272ba99ec2cd0f22af456917a0c
SHA1 d68bda90ab741101fd793fc7fdcc03b2fae0e30a
SHA256 378d524478f5d6ad78dd4eb1c0fd82c37e1ba04e0f5832cda5c70c3c89b0056f
SHA512 1f878cd98e5694dce07a1c510662828d5aea70818a759e56066974708bd604c42e4b3a5c3561fe5074c2a1816feb89e0d3e0b71ee4bbef6a6c577b398101ac4c

C:\Users\Admin\AppData\Local\Temp\mwAc.exe

MD5 f0d05d92ec530857bb9b436cbf7c7d12
SHA1 af665a694ca1150c0bfa1727f5a68863eca4148d
SHA256 0dc96b1dc7ea7fd1d3fe3f64131cdc9569b8444ad006e7f70d2e6252f91025ad
SHA512 623bef906da8a171fac0aaa4c436bec8bcd2932899f8602fb1cf1e96e26e64407fc659099bedf0a852ece912b5f0fde2d12233ea7674768bab23d817d6b299a5

C:\Users\Admin\AppData\Local\Temp\wUgE.exe

MD5 99525684a8d320b5262d91af7340ec5b
SHA1 405c3a29b3cb224c61ca0b9e7c8fc403e456f163
SHA256 9fbf9a198b268bc4adb85a92b675693b9a4a7d6a31707281a199c566c9d30b58
SHA512 4f304f6cce597709deea7733fd400c4307d7630545a227c2ccd0028b28b3ccde9f8deff770db596a081d12da50094f1d4f7a929129d08a31a41ca44f33a7904d

C:\Users\Admin\AppData\Local\Temp\GcMs.exe

MD5 243edcb3d332deb8ecfb567c096dbc90
SHA1 6e73a3434cfa2d7fedde95783a654df4359932eb
SHA256 a3b435ae257722e201fbaae606fa482467000f2ce7b3aee8600f3a6fe7db1a04
SHA512 7f35d614eb7af475bf9c0536b58fe3be4fff6b9acfea1ba2b6a7f428ea749c2f046729b5538a0e9a2f71379ba4c21ddf003e5539a4d660f418f681e2858c1e21

C:\Users\Admin\AppData\Local\Temp\aYEk.exe

MD5 ad006dcc86b887de0a2904e33fa5514c
SHA1 909140ee12d73c8f3cc5bfaee4ce0dc31e6aeb7f
SHA256 295e7481371f00d3cf23bafd768be18b4db15aa688bebd4b2db0b093c001a8c2
SHA512 e42726e171f2ed6b94d41450267998f8641698f0b8039126d9fb6d60bbc18f60d0e51fc4169adb9a54b2e78eca032628f695c07d28e5d38c0056582192fe3642

C:\Users\Admin\AppData\Local\Temp\tWsccUIA.bat

MD5 bd87f166c3131bcb39b4afabe5cb9512
SHA1 71943d4992b090b0d5ed3468399ec7e832f22a24
SHA256 e91aad848780b4f01474a532bb8611a3af93c2576470eaf73089efb5896e7c29
SHA512 821f2c3c0ccbac817b84946dd080290dfe78a4519f42f7a8b33068c794c2c48366533470a43183443b6e9e2d89da36ab57a6bdfa54ec82a7f54ae0d73e774a9f

C:\Users\Admin\AppData\Local\Temp\MUwm.exe

MD5 5dea51ac9ebc6ce18384769f914e36c2
SHA1 724e3c5741ccb1c3faf0100309a69a8f923b558a
SHA256 a76dd781e834bf2b7cbef39266e3bd79ada0ecfcdd9db5b397c9676f25615e39
SHA512 8e63595e3265eb6cb40155e20c4d2ad8034a18c4e871be4eb4fab4877b7148dc948b4b6837445d4e17c0023d3ad4335728ce1a8f22781dfa32e7c0fd751d657e

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 9917fc2c37ce9125a70f24ca6f0346c0
SHA1 4f81ca2e64b9e0cde684f150902e580a964a6631
SHA256 8c2a0944b9825fa2f76e3a22d47b8edb574d35b56ede973df764c57b4aee7db6
SHA512 9530ec951fd056e9be64e0913b86f141f8f413cef6c50b742a49a4543355a6836c9aa736f438d89296a099d4dbababd781236c1b0e3dc6e83ab5701571253ae0

C:\Users\Admin\AppData\Local\Temp\BGYYcIEU.bat

MD5 a7e671e7cd01bcb84a7dedc8970b6c27
SHA1 61d93b270ef0cc180ed08b6e4eb358b7d2ccb0d1
SHA256 f80e166121b7dc887f63160e3c4c038d9abd9314ed9584bfd5b5130a6f38787c
SHA512 d237e294a55b0f1ba1328b90c95e9081828aed12e9af2472f72dfd134c169a48bbdabfc3dfd6e576ce719dd47ddf610d105e4480b8ef3a047b9c32b5bfc7ed5c

C:\Users\Admin\AppData\Local\Temp\CUEW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\agoq.exe

MD5 2b8384d5387dde3dade1a0e479aa40b9
SHA1 c892f0e8a421f9bb5aeeb769a850283836851d4a
SHA256 c8e5cf908fe56f234e39bb47141f0c8d770e5de1e687cc9c2c9487650f13a911
SHA512 f703258b51eca8daebc11260264b4a9adc29af9216aff39cf7f030baf52c0b25b0047f8e515b618136cdd6609f80bae37244f64458db73c567d1a3c90f874def

C:\Users\Admin\AppData\Local\Temp\ygMy.exe

MD5 69843148e33d0abba77e3d68f4924631
SHA1 2b4477c8564a4d45c539ce6fccf8301b88c7430a
SHA256 cc79a28db4f69b3db451d21233ba43ed4f4bf6d0484eaeb5c0135b283542f5df
SHA512 7008c3fa1e19e3c854b2ad7d27c7050165f6e7ff1c5408dbf438d1c070b93875ff15b4c85dbd342e5f85f8f1b4de4feaeb0c133a70537e2bf59c2e87ae838ce4

C:\Users\Admin\AppData\Local\Temp\rCIEAEAo.bat

MD5 61471ac2b0a2527acc528f53f8acacbc
SHA1 d5800a5805fecea8b6688ab8759b98cd864e94d2
SHA256 16d356aa6765402bab03bf0a89fd3bcf6b18145af93e92566e4a268465a01500
SHA512 5e247c0e80a194682d790a8d714e82722d81cd20b879ffa996890323acefef98ef777a916e26af6484a95cf174daa694ea8c30edbb1723df75fa02fe874ff745

C:\Users\Admin\AppData\Local\Temp\OYYo.exe

MD5 c4525e71f009492f8834cd5ec5b12f40
SHA1 767ed4804fb3de5b2c31c44206de98e0d2940129
SHA256 d790477e925dce30e322a6a9067ac8fc14028ce0f200e614743ddf5a9edae0d6
SHA512 c562b81fef53903b40c75fd3d95e99fcb09e86e64c94fa862d1a5c60ab5ef56d21a7b20efd5c4d927273b567337a1e6caf657f9f69ce91e1f400c59f39683334

C:\Users\Admin\AppData\Local\Temp\KAoW.exe

MD5 73296e9369e468a32cb3ccafba1e2a5c
SHA1 0689fe9ec7282b73a48b72e906d1be7f5e87314f
SHA256 22f9881f02835df0512dad565f34e52c566e0adbad179c9032387d90c8940bb6
SHA512 e9e5df2031d50a1ab45d4a680d0a5214e303df4357c0b07cde4efc4080a7a5db6b28cdccc10d146818bc9676215206baf5e1ead21edf197a01c5a6990586926f

C:\Users\Admin\AppData\Local\Temp\eYoG.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\Kocg.exe

MD5 d867a50fafc4a8be25f4b6c7ffa701b1
SHA1 c4445763d6e70ee9fba50774790b7c2650f744ee
SHA256 bc3e2447e7b0d04998d371a632f5fb5844efbe4479ae1b7cd40368374d5f8db8
SHA512 e944f0b073db9f4d1c709d23c6b521a4d9b88823e663ed07a7e2880b8fd613380178a8972f5b9a4fb126d364e80b2a1ff6b91c756f9707c89557d295725d2dbb

C:\Users\Admin\AppData\Local\Temp\AsUC.exe

MD5 241be398ebd38189f262310f7bf756af
SHA1 396f315de0b66d95a8f24dea69a8dfa09ebaf35a
SHA256 96178e73af13330c331485f14415483e667b3a212d5bebf979cf400e7e77bcda
SHA512 133ae9317031059ca2b8a539e59aedd992a21110500ca81966b922d95f6b96a853ec834b8426a5867c3d440c25825bf9d24d90933b0acea7ca52371f4a8c0694

C:\Users\Admin\AppData\Local\Temp\raAwoosY.bat

MD5 b4f2e6295b8292659c38b4687ad06dac
SHA1 d65bfe97090811502c9f252129b23e40b46249f5
SHA256 af56c40da73a3de6745a901baa97377c9a0f4a9388ebff4c343427c5205af4cb
SHA512 a6f74f30946d1e2a456e8959bf01d7b4554e5a22a2ddd294323751c9a9f1c57376da5ac785bb39b0e5fcd55ce469af696b42b7b633cb3e66fb854188b65c731c

C:\Users\Admin\AppData\Local\Temp\ukoA.exe

MD5 d86157ee5b11fbf1ca39b34aa6bc790a
SHA1 abe40f92edaa8355e8fe91f8860de6d2c5f2e253
SHA256 6c2bf982a2da4ed559ca07f29963ecec877d2b70aad90409d25ee21e970e66b5
SHA512 052f7c092c01ade8afa83a9470efc3ac2b4818df77e16e0f4d0e77274d79b0c9a3e5a2c825f15ea6b8209788a4143d44b195785f716af2206c1718e19884d32d

C:\Users\Admin\AppData\Local\Temp\IUkk.exe

MD5 a1c833c333ae38d87adc445b3dabc139
SHA1 199a19fd168a1057359984130802941573974db1
SHA256 ae3844298877651ad1cdc8aa8306f7c127a1f232b6efbeb5bf3244c8c89c6ebd
SHA512 0c9d8393f93305ae694a443e9e6015ac4038ad32acef87bb1e9d9d847fab5d12c3bd8aa282f23b1c5b9442753ebe82dd0adb8a1bbf4898eecefc480cc1fefc68

C:\Users\Admin\AppData\Local\Temp\IQoU.exe

MD5 f41bccdf2d9e3af74f48071ebb35c1e1
SHA1 4c7463a38ebb8fb3e424bc0864a022bf7e946dc1
SHA256 cecdb4d40762dc5892bca131baade7f811b186ec450d4697f0cc2e0a3b48168d
SHA512 e66c9dd8ab858230855ff30aa2a36e0de1604846296830537764254697b32c1495bf25545cea4f34abfdec94e40f85200cccf413685d339bba98a63f24818e12

C:\Users\Admin\AppData\Local\Temp\CoUU.exe

MD5 627c1cb16ee80da766d590395f06e832
SHA1 1a658a3a5d922d63bff024814bf03fbb781575ee
SHA256 5803101209ff1a9e62762cd1fdd156d4e94308223baa6aaae07325eb2288187e
SHA512 88cf99b79634d2861d1589876512dd27464a115453247cee5029199495742d697c072cb0916382a3ecec8b06707399a057b03bb87c27001512245b9fb4506352

C:\Users\Admin\AppData\Local\Temp\SggW.exe

MD5 93e05389549369de4a7b277e88423ec1
SHA1 22f6945bfa1d292740c7167ff1b6e43934579939
SHA256 7b35116c1f891f82bfc625dbfa31648a265fcd3a83dbf762fc048130a905dfc6
SHA512 259d824807dae2d1a1c8f2c801f608373ade9ba18b6db0633326af9aee2b03268f7434a07bb895247e09135b9c2352f414484e5df76f4ebf70ce26624173228d

C:\Users\Admin\AppData\Local\Temp\OCwAMQgQ.bat

MD5 bd41dbbec023644ed60b513531bdde65
SHA1 e7e6951e67acda054fcae51a1d53316891b95b4d
SHA256 b2963bcee90d719ff4124b65f1f565928c2659edbcdc573f232ef6684c1910c9
SHA512 9f6054de0b83786c8df349516ca6b67e76cc869ea71b26417cebc0830a656902101b67f5b771eff248a5857208d17e60114c06639dd0b7b47134a7c609446ef6

C:\Users\Admin\AppData\Local\Temp\AkkQgIsM.bat

MD5 4fee1019a4a8f78cde08e365c5ffdfe1
SHA1 b2928ea88c060e7e1943015756e2bf624cdb6f5e
SHA256 d5847abe1aae73c27101f5f8162647e5e10e3fd924af1c679babf202a7f9987a
SHA512 60a3ca0cf5342a8f194be09440e60d47ef0e7af78f5020991f70b8a3f62b86b3f6c2e44cc501c9e399cc56fed470de475106d0e4da0eb3b713181f53747b533f

C:\Users\Admin\AppData\Local\Temp\wGsYIAgA.bat

MD5 df94b8fe26fe35f8c3fe54755faea7e4
SHA1 c7c7ae45745527c4b14cf8a7c75cfdefdf4d888c
SHA256 f67c168d36b6b41ee97bfaa8cd867e0e17a87287a049f9a60131c0baac06208a
SHA512 976eddf90aec46526a7dc0b4af2c1774d2fe504498b61ee2a7baaf38a57eaacbacbed3c1011bb60bd2200f58a0a092463dbe18dc36e4082a1348ff02118bdc26

C:\Users\Admin\AppData\Local\Temp\PYwAUMwE.bat

MD5 a2b658d31da867b5cc643e8cb2b97b1d
SHA1 1aa1edccee7aea1e137eeaa21abc3b21fc8dca5c
SHA256 1c73cec8351b68f7457fc1bc24591b44cfade0661de621e8d9b56af2b5347748
SHA512 0ad0c2a4d2587330b1224a68f0b51cac3f855ef3cf8c24f5d98bac8547f50f33eca6c70e70ba39666d9f49d730ea43e6fc37a9762aefffd9f6a2fbe63237a057

C:\Users\Admin\AppData\Local\Temp\beQwQYok.bat

MD5 4472428787ab7b3f5be37013b93843a7
SHA1 62eaee3e8c540e7adc047d6cd63e28ed7270c203
SHA256 34fce2ee97dbc39087b9b00912569c101150a3f23011ffe5300c50ab731ff1b8
SHA512 96b3197d866f3ee27629195c476624e20bd1dcdde36e68e91b4fd30378791af35f52b5fa89b2d72c5e637f460ce1ce2a0bb5c4f6230b1f82c455145c652f8e8b

C:\Users\Admin\AppData\Local\Temp\NEogsMow.bat

MD5 dfbece28d253cfc150395b4c8e37b67d
SHA1 7832bd40ffc01d0680df4dc89a008bcbd70a11ed
SHA256 30ef3426d7aa965bde07341c4a7889bfd075021e1fde41f298502896625b03b3
SHA512 f0d73d295285ab0222f54d94aea6df4dc1ea2f5b116bec331453c017d3fcfa4199cc512e0aacceccc323d4f546123106feb1012d46f09a501a43917adbd747f7

C:\Users\Admin\AppData\Local\Temp\VYkkIgAU.bat

MD5 6b623ed80952d84752280ade0342be76
SHA1 ff6715379fe60805b95b626d301425ecae6612c3
SHA256 c5322b4f5624cf35de77371ad68009f69f7a148e0b6963fe67d0c57c79d7d2d9
SHA512 79465ff363db4ecc4729306c2e15492704a87b2607ec24ca21b1951ac887fb7ebb3a5af6e99384f33a6af6475ccd3f4602161dd461ff332fca2a2f1797524e7a

C:\Users\Admin\AppData\Local\Temp\IisMwEEU.bat

MD5 07d43266b33c07c17b8cc419907173f6
SHA1 1a01587101f45db3a634c83d3ef8f1bdcbdebd4a
SHA256 41059713b8f9df3a7aebaa7729b51a60a9faa05ad39ab76b05748f790d9121d1
SHA512 32723baee599191194f4f2b245e7c6ba51e16e402cc71966cd2816cf95794f4fa0e0ffafa33676598f1e8ff4cbf75b53835868cf5c21bbccab27d75ce91ebfeb

C:\Users\Admin\AppData\Local\Temp\qUYMMwgI.bat

MD5 bb0375a2901950e1b5a738b6bb7ab46e
SHA1 fd448b3653be31defc3c16e1031501689d077b8b
SHA256 5de83bd2264c8813f266c2161074bafdc32cc4ce79e9d154b090a124b582fcf9
SHA512 50f444cb6a7dc0ff0c8387e38b88149aa176cc40be1d8cf762088676c161baa0b04068e6f1462eae3b73b7b8ef4353af84f48fc7328c71377e92be889bf30aee

C:\Users\Admin\AppData\Local\Temp\IMQQQwMg.bat

MD5 b710772d76f4601ce7155eb59a5a5561
SHA1 2533f86afbb99138fe0bbf7fbd5e9f7c93ebf854
SHA256 9d85b943124316ffc72f52b558c42dd2a3ac576e52dbcbf952046202d2be7b72
SHA512 118a94714979ef7df6ce953fee2a72374825f0a760c79945878889a1b271ce11326edde5032e5c1044372322115bb34f060b4415e177aa940a2a3918168edd00

C:\Users\Admin\AppData\Local\Temp\uesIQowE.bat

MD5 99d349944b077960f95148dcd46227b5
SHA1 23aea41408ab6e69d0d481a0b13d792ef5553009
SHA256 c7f8559b05a3db91dc11d6424f61ab815fa23b7b2e2f29832c51c2bee70489ec
SHA512 b9d12d5f20e6ac969cb6e8600bf2e3b6dd1839c8620872a4647d8e3bc3ed4abc9c791e1163b360f738d378ee8d5ce92a929fa4d830136741f06f5d2e92051400

C:\Users\Admin\AppData\Local\Temp\husIMQsM.bat

MD5 72332ca1b469225f582c7c7362187572
SHA1 5e320d50f2cb4b85641201b70d8de2ab231a7973
SHA256 d99d19ab71262bd0fdda5e6a0f0e983d2432c9084f58b044feab2596b2e546cf
SHA512 2b387dd1c356c96e47031a9e467db159ad6fbf6c5c16ad09ad90659d7ed27dfedcf66878d37c61ecf50bf1ab166bbf57e47c4aeba1e68ad27216b3ffaa984af2

C:\Users\Admin\AppData\Local\Temp\vKUsAwIA.bat

MD5 3341a5b4744ef04463fc92c5a7646fc4
SHA1 884a5732eee7afafc8c6cf5c89464ab47896f102
SHA256 f1a85ede77b77e86b7f9df192b04ddb2035294f13309a743e457ee349e27a10e
SHA512 f3172b613b5f41e1acdc1890c5fd3c28cb66c7af846325f6420154cd5e447ccc8ffbc81ec25220cd2c8b47f6e4e99850d9ffa29a73b5d9e897201ad80fe74c02

C:\Users\Admin\AppData\Local\Temp\dSEQocQU.bat

MD5 6fb38e9fc6c77fa82d56c91580dc87f6
SHA1 5ac575448b3a15494f4242c18d4c027f6f0cd963
SHA256 77d2573495bc1f903d911d4d7a494722822882d3279e37e44a7485fdcfdb5c43
SHA512 2d47a8b93a681c1f2dab9058627959dd7991c7fe1bc9b964d6ecfd84342096a065c598adf78b835b19c5d34ff7fd003b9ee2a8dd3d8ca70f1c6d75e95d28463b

C:\Users\Admin\AppData\Local\Temp\rygEccow.bat

MD5 7f5291aff92741fa96ffb902de57af81
SHA1 32553cc0d85d194ffad7c3791f84e33e3b41b8f0
SHA256 ada3d157ef679fce9f45057c3a2f7b7a9d423ef63feb1fe12374ad4f21e2d9ba
SHA512 cb8d1198dcc0811c1ce0f2a8cbcd32b0a99f2f9a285c659317ea22746f147182f278c66021759abeea7c15110c20aaf3463864bd77d49419fb963460946c7de5

C:\Users\Admin\AppData\Local\Temp\qWoYgMEo.bat

MD5 5ee912bb2b95981493e4574eadf39627
SHA1 1935a77f90acfcbeb19657dcfdafb6e52d86d1d9
SHA256 1851271881a4a721fd7b751ac3d81fe827964c92e782c60fbc929f78ba146033
SHA512 8f859fa67a437504ad03de297958b82c33087c341d90aeffbfe3c7267efb35c90bff0ee4a7b034b21ddbc0b2fc2bf2a0312b73927a615934d2f841c40298a2b8

C:\Users\Admin\AppData\Local\Temp\oewAswsU.bat

MD5 4669146b0ed2bab4a8b13ba014c7b921
SHA1 8cabefa5d36d4dc5950a79cb57f674df60dd638b
SHA256 83adb0e018bd50e073ba7ad3bd1251036ffd0059f14a90f207824c957620d550
SHA512 89605ae393e4d6ee9f4b2a3ec63f437911a466816cfd360c205d132bd47129fd227947238671cad6cb3e7173a27b4a02eb719e6241d942fe8a3f54fe57ffb75e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:42

Reported

2024-11-04 02:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(46 further identical entries omitted: the sandbox logs this write once per reg.exe invocation, and the sample spawns reg.exe repeatedly)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(63 further identical entries omitted: one per reg.exe invocation)

Renames multiple (84) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\ProgramData\LMAwIwsI\twQYoMMs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liIoUkcI.exe = "C:\\Users\\Admin\\WSUcEAck\\liIoUkcI.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twQYoMMs.exe = "C:\\ProgramData\\LMAwIwsI\\twQYoMMs.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liIoUkcI.exe = "C:\\Users\\Admin\\WSUcEAck\\liIoUkcI.exe" C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twQYoMMs.exe = "C:\\ProgramData\\LMAwIwsI\\twQYoMMs.exe" C:\ProgramData\LMAwIwsI\twQYoMMs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
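The registry and file rows above (HideFileExt=1, EnableLUA=0, the two Run keys and the dropped shell32.dll.exe) are the indicators an analyst would actually pull out of this report. The following Python script is an added example, not part of the report or of the sandbox's tooling: it parses rows in the flattened "Description Indicator Process Target" layout used on this page, collapses the repeated reg.exe writes into one finding with a count, and tags each finding with an ATT&CK technique. The ATT&CK mapping is the editor's, the list of extensions checked for an appended ".exe" is an assumption that generalises the single shell32.dll.exe seen above, and the notes.txt row is constructed as a negative case; every other sample row is copied verbatim from the tables on this page.

```python
"""Triage flattened sandbox signature rows into ATT&CK-tagged findings.

Added example for this report; not the sandbox's own code. Parses rows in
the "Description Indicator Process Target" layout used above, collapses
repeated reg.exe writes into one finding with a count, and flags the
VirLock-style double extension (shell32.dll.exe).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the tables above, plus one benign
# "File created" row (notes.txt) that is NOT from the report, included as a
# negative case for the double-extension check.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liIoUkcI.exe = "C:\\Users\\Admin\\WSUcEAck\\liIoUkcI.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twQYoMMs.exe = "C:\\ProgramData\\LMAwIwsI\\twQYoMMs.exe" C:\ProgramData\LMAwIwsI\twQYoMMs.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
File created C:\Users\Admin\Documents\notes.txt C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
"""

# Row layouts as they appear on the page (no spaces inside paths or values).
REG_ROW = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>\S+) = "(?P<val>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)
FILE_ROW = re.compile(
    r"^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$"
)
# Non-executable extensions followed by ".exe". Assumption: generalises the
# single shell32.dll.exe observed above to the document types VirLock infects.
DOUBLE_EXT = re.compile(r"\.(?:dll|docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip)\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID; the mapping is the editor's, not the sandbox's
    title: str
    indicator: str
    process: str


def classify_registry(key: str, value: str, proc: str):
    """Map one 'Set value' row to a finding, or None if uninteresting."""
    parent, _, name = key.rpartition("\\")
    if name == "EnableLUA" and value == "0":
        # Writing HKLM needs an already-elevated token; honoured only after reboot.
        return Finding("T1548.002", "UAC disabled via EnableLUA=0", key, proc)
    if name == "HideFileExt" and value == "1":
        # Explorer will now render shell32.dll.exe as "shell32.dll".
        return Finding("T1564", "Explorer hides file extensions", key, proc)
    if parent.endswith("\\CurrentVersion\\Run"):
        return Finding("T1547.001", f"Run key autostart -> {value}", key, proc)
    return None


def classify_file(path: str, proc: str):
    """Flag files whose name carries a document/DLL extension plus '.exe'."""
    if DOUBLE_EXT.search(path):
        return Finding("T1036.007", "Double file extension (.exe appended)", path, proc)
    return None


def triage(report_text: str):
    """Return [(Finding, count)] in first-seen order with duplicates collapsed."""
    counts: Counter = Counter()
    order = []
    for raw in report_text.splitlines():
        line = raw.strip()
        finding = None
        if (m := REG_ROW.match(line)):
            finding = classify_registry(m["key"], m["val"], m["proc"])
        elif (m := FILE_ROW.match(line)):
            finding = classify_file(m["path"], m["proc"])
        if finding is None:
            continue
        if finding not in counts:
            order.append(finding)
        counts[finding] += 1
    return [(f, counts[f]) for f in order]


if __name__ == "__main__":
    for finding, n in triage(SAMPLE_ROWS):
        print(f"{finding.technique:<10} x{n:<3} {finding.title}: {finding.indicator}")
```

Two caveats the collapsed findings make visible: the EnableLUA write targets HKLM, so the process already held an elevated token, and the change is only honoured after a reboot, which is why the sandbox's "UAC bypass" label is better read as "UAC disabled for the next boot". HideFileExt=1 pairs with the dropped shell32.dll.exe: with extensions hidden, Explorer shows the infected copy as "shell32.dll". The second Run key lands under WOW6432Node, consistent with a 32-bit process (SysWOW64\reg.exe) on a 64-bit guest, so a hunt has to check both the native and the WOW6432Node Run keys.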

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
(64 entries in the original table, one per process start: reg.exe 26, the virlock sample 14, cmd.exe 17, cscript.exe 6, liIoUkcI.exe 1; repeats omitted. Opening this NLS key is routine locale lookup performed by most Windows processes, so on its own it is a weak indicator; the process mix is the useful part, since it shows the sample driving cmd.exe, cscript.exe and reg.exe.)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(63 further identical entries omitted: one per reg.exe invocation)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
(59 further identical entries omitted)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A
N/A N/A C:\Users\Admin\WSUcEAck\liIoUkcI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe
PID 3580 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe
PID 3580 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\WSUcEAck\liIoUkcI.exe
PID 3580 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\LMAwIwsI\twQYoMMs.exe
PID 3580 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\LMAwIwsI\twQYoMMs.exe
PID 3580 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\LMAwIwsI\twQYoMMs.exe
PID 3580 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 404 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 404 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2680 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2680 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2356 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 5060 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 5060 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2356 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4964 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4964 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3612 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1000 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 1000 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 3612 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3612 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

C:\Users\Admin\WSUcEAck\liIoUkcI.exe

"C:\Users\Admin\WSUcEAck\liIoUkcI.exe"

C:\ProgramData\LMAwIwsI\twQYoMMs.exe

"C:\ProgramData\LMAwIwsI\twQYoMMs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgcYEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAYwkcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYgYEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuQgcckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAowEgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYUYAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMAMoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmswMEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQAgAIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOYAkgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGUAQgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUQMUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUcIYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWwcoUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiIIoAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uswgwQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWYcEEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyIkgQwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWsYgcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIQEkYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuUwUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgYMMIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGQUYwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoYYsokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOcQEwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEUAMQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwMooggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAoEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymEQUoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qywQsIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAIgoUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SokgIEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQgAgUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQMoEQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWkwMwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hugYUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAUcMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsAIYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEQsEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcAswgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmwgIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYYsYoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwcAAAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYgQAoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISMskMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUAoEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmIAYQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQIMssUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgwIAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMMYEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKoUYsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AicMwkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auUEcEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqIsoIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEggwEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwUIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEEQwswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckoIkQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KasAwgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buQEAIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEkkUogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jycoQEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQggwAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAYgowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCAkAAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOMscoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOAkYEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSgwcEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWMEUsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqQUEQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQokQYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUkokMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkAccMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMcMwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIwcMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcsQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwgcosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAIwUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsEsYkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIoYUooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAEsQIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCAoksoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FywgAcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQMQkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaEYAYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQAIwokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsQQYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoMssYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqsgYYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boEcAcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuMEcYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgQUkUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycogEUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQIAoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQsIsksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkQIcUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGoUUsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmYooYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wgokkows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGEAgoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCMIwYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYAIQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv nBDEIIwjFkOryAjvQ0MHLg.0.2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwYUoEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKcYkEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYkYQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGgMssUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network


Files

SHA256 2c26e02fd10ed5c91e32d5961984494e22865fd3d41cf2d86dfed32d567d4e9a
SHA512 e8da80dd7ce77b112752a9bca8660bb59a37e5b04c2c358c0ccac547976ff5112ce3a52b90584313c75aaa3f30e75bece768ba251ec02ebaeb0ede72f4cc9ebf

C:\Users\Admin\AppData\Local\Temp\kcYe.exe

MD5 2ab8f3a332077da383777c3df10228c0
SHA1 1b9a6a5df0513134b23399f42d8b2ec6092d9d2b
SHA256 ee9f11562e636b08e2cb0972e384b97f11881c13f50b515f0056e8b091b1f8d1
SHA512 56ca25ee88e857ecd70b47e90707cfe0bc303bd4bb1f41f787a9323084ef2d37aefe9a44adde3bcf04d378a3176e51a46b8bd4ac69932be377ba0a9756905b51

memory/4872-1381-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uwcK.exe

MD5 3fa41a97ce18159f5b40af3f219d6e71
SHA1 45be5223f5568edbcccb7a297a561ba0cd61d24b
SHA256 425d8aa6b79f71e24f6435d3d9e2a448d06b98a1b71588dbfc5160f78ebb859b
SHA512 e3ef44f3fcf215b51308a06574bb79fa5ae72653932b9c8bdd2bcdc6bccc34428ab2aea552caa7a6002b96ca7bd61f7bcb0f448ad7f2153cabb2aeb99b682f09

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 35eb3c474ad7d28cb419dd2b8ccc5d9a
SHA1 4f4b615c9e8a20bdb5f892e48a20aa017e5d2c03
SHA256 20ed1cc679e119c172eb686b839d1057ab9b828574619e29b880143a6b6bfdcb
SHA512 39ed1164c8badd5ec5390a286cf2d23a1893bb6300344711034c695acee6bdd0bc7e0c0d0cc5e76179a1c3f05d891a697169c64b1aeed1d7283ccea6a3a551e8

C:\Users\Admin\AppData\Local\Temp\kcYI.exe

MD5 aaedad7c4827b1572c8af941b9723114
SHA1 b2fa62ca50146f2a7016c1bced58c7bfbead2a78
SHA256 80569128de8ad4c5f9c4d7ef5d1ed11066957337b281ad434aa33f2dddc13204
SHA512 a6fdfe8203d3c463cb8c38c819a181a58adaae2e7233ef19ac094820711512bf01bac485550f90b945a46528099e621c8dae4014c28a266f16214f6d845041ad

C:\Users\Admin\AppData\Local\Temp\Eswk.exe

MD5 0965622f11b0f3cdc5a6453c5bc3489f
SHA1 c208e4d2abe823fed434dfae159d6b066eb03f95
SHA256 398bd3a88724d36e70206e5871323db045516452035a3cb1d2000125a18728ae
SHA512 7e3f6fcfcacf6dc4c367ba221bb4707dd55dc31a5673bd4dda2173d0041b26c98dd62ad799493348cd947efe76dc608506c25d68991798beae44b80e9ff680b2

C:\Users\Admin\AppData\Local\Temp\IEkG.exe

MD5 98f550067b1961860be63842357783ca
SHA1 6822e568cf7276f3f1346f700029f146033e6626
SHA256 e159d04dfc99cd04c1aa963c7175980fe548c1ca9f7fe8ce68000a2190d10f45
SHA512 f05d9fd80e2d892f3fd41bc048f11f0b30c5a8e3c93961f8a0b37d3c6e769026cf03c2cb7fd38aab0f17c69099f77cae4d5affa245da04093880b65a2c6365ed

C:\Users\Admin\AppData\Local\Temp\iYca.exe

MD5 70b60369ca3c8861f8bb9de409565e1b
SHA1 a7317318b9f29079dbdc96c57993d894508e1d4a
SHA256 427d529b87802c8f9669fb1e06c30927a9757d9d24625380f7ef7675ecba0776
SHA512 b23394ca5ac6648739c4603e3ed8315decec432ffbaf0caa3ffdcbdbfa3d56209b69250d7663199cd77b0974790f814e5a30e727d48fd99887693453ff08a53b

memory/1088-1459-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2160-1473-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Oswk.exe

MD5 603bb3210371e0b3d51529469a546d41
SHA1 150b20689e2e83d215ebcc188b1fd3aa68794748
SHA256 bb657b5922028ce9d468d078cf758fa9dcdb61cf53778cfff8e325b03e35c180
SHA512 a836769021469d56e52f2b336ff82674f36e819d5bf4a75663dacf9a53b02786bff8ff3a91ae8a8a9161c866ee17a8875144c2cbddbc2ddaaa2af02762909000

C:\Users\Admin\AppData\Local\Temp\CgcS.exe

MD5 2a0538682a07a563647c482463d95942
SHA1 531733750ddfe55a5020d1b0f4134bbe3294efa7
SHA256 9612d0f59cbd1b70aee0f256a4f38e06d7ada25e213353b5bb2d5d9bda4dc2c0
SHA512 f50a3bdecea034b6e20a564c94196aceaa4bc16c1a099148f26baab92fe893d081a96a089438260698d0c6d242599fe9610a12e305d98976e288f57bba1bd280

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 329e7dc6c3403974cce7c3827ca84fa5
SHA1 6f07459ca53c1bbc5c78e4857be5f0cc16d2b4c6
SHA256 8e2f90ca069f5515474d01250cd968849999f0a9492cd77f0096f61ee5d58087
SHA512 2339211739c93aa7e6be0ed3c65f11ab4d0ef6640d3e6428522a82755f125e72a184561bb33038d170f7a5e284691d8b17d88d0131ac8bf5b97470be5b7a8219

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 214ea6e7f5bfa777485738cf19dc6225
SHA1 b5c16f2fe5b47764b25e78dfc569745c4aff7788
SHA256 dc1302ead2d1ae62490b42f1b63bd3e525b25e48d3d8784d7b329906f6740a41
SHA512 b7d649eb96cef5d5986061aa6d0377c39bbbae73e904e61cd48a225446f44700f753ffa13964cd93ea7f60555b87c32d53c99659a5e9158b6f6fe3e2183d4b59

C:\Users\Admin\AppData\Local\Temp\QQoK.exe

MD5 70c735f4865ce92ab22699ed2f78b487
SHA1 6a6fe18202df81d423b8ce75461a3a62cace6f60
SHA256 818af31871eb7275ebde555e2a4b47492edf322724fb8dc7112fd3305e362f4e
SHA512 ac698115245aca9dad19d9224b448acc679e76cc662a5bb7ef4f4282aefa81c7359386f8791559bd7e98eaeb49fdf13c68315a6c8d94dc02b6799e6e70418389

memory/1088-1537-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkQI.exe

MD5 25354fb7336c8df3a3e7fdca8bac2e0a
SHA1 4c64c9b9066c19d2074404f55922b080a07669a4
SHA256 cb3567b38f8ff9308f9fca84b04c2f462b055bdfad259a408f6fdc1055f006db
SHA512 abf9329d13ddaeff0297c41f4f3b89ab77cbaa2820be770cdba36803ef26394dd953774de70f5571179eec0c67c0cd39552d7205dc941d3d57c228216517d499

C:\Users\Admin\AppData\Local\Temp\IoMc.exe

MD5 ff862e1ba9d46ca1dcc3d5e259d4ce28
SHA1 06dcfe2f3dfc9ee4a33203f3df78dee3561f89de
SHA256 d5be73fcd2a3f55e5e1d20fdca3fadfde8d90a576962fe6f29d032b206e1d17c
SHA512 8397923204721bf49c0b78b2d1dd3e20c173d6904d257168a449919f477d82666bde38954560a4b41d70dbba2e9af7ecb7a1fdb265fd4843b826176aeecdda97

C:\Users\Admin\AppData\Local\Temp\GYUi.exe

MD5 1835b52e3a2b29fe70ba4e862623f706
SHA1 5913f51e9cc1dfa157d5a93a8cc95e3f6193db1e
SHA256 68b8aadd7d54bea920d151fa62ea53fddd95e6594f1d2de2ac4c7c9105679074
SHA512 81b70c9d571cfaab5f597dcc398bd41bf203ec55aee4e39015321d9fe7cf3e14d80bdce15f675951d2bca7a3fc1bfda161846cdfcf8590e150d06d0f804da4e6

C:\Users\Admin\AppData\Local\Temp\EEcw.exe

MD5 56f750feeaf37bc276f8ef4869b0784d
SHA1 f60180190f629c414071aad381db0014a118364c
SHA256 324a2983fc2a0cc94e53145d63e4f9343429718bb9310638e283b9f284d55fd2
SHA512 85a1f81450e12ef69a42fee84254097ad054fc1b0980980f0d4bedc3de1b233684dcaf2fab5e94a35c190773be69c02bb2a447cee69a54e1d2b26d33705c6dbf

memory/1228-1601-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsEQ.exe

MD5 d2b8c4c8dae6522f941f1ff4f0e2a18d
SHA1 a7524da3c852136fa01d573159e4bf6a5b50f170
SHA256 ca405f5f0b886a2b8904f76e73a9aefd00004acbca9346dec84bb3e18f82fc7e
SHA512 6d46f35f6a086a9156075c01bf2a8c5371f5523c88052cfe1e70081d6e072d3d0444df40b8e7ba6669fe0ec7850b684220e44bf3f6869cb6e4602d31e38b1f18

C:\Users\Admin\AppData\Local\Temp\iAIO.exe

MD5 f6ac2b2c601d444352789291cb722196
SHA1 aa093422f5d9235758522c041ffa00e1fec44ece
SHA256 7006474cc622d7d5b2a01ca9acc3ca2085d091f788e0058c2012c9d463bf0c7c
SHA512 8061170ad74495ffb9d1922c9cbec31ce47883a12fed0fe71bf46e7f24cb0d3338014dbb7166a15e941a4586d860b8b814b1be9f235646dc86f57723c6bb3763

C:\Users\Admin\AppData\Local\Temp\msoy.exe

MD5 cf419c4de6d62a2a41572c5bdb0e87f5
SHA1 78523e0a2e7088de0517d95ccab28fcba0c2db27
SHA256 0d05f8e942964f0d3ba8aaa034a108eca93a9c463857de03a2785a45e4bf498e
SHA512 927ac93d414d779c846402c7c10ae3461d6cb33bf63c3618e4903f700eba2c47639af528abcb533762798367c77ef063a1ee2028947de9894790ab7cc365925a

memory/2008-1651-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMUk.exe

MD5 7f0e6ee86bd944f9c651092aded956af
SHA1 da541a4aed51b602897fe1a020679b8b38f1e912
SHA256 a3ddb4b812936b8c9d80ace04e2aad64702da5f7b4631b5f069087e03aba6c69
SHA512 81be4191f836b8f97bfe081ef677a43142cbcf89e2fbd1013339965b12acab21fcaeb707a5d6cedc2b16cea5237ea8aa8083416ddb4cf9ca12e221db08a308b0

C:\Users\Admin\AppData\Local\Temp\EkUI.exe

MD5 f5894ab2faee6fbb4aa2af7e1acb361a
SHA1 0acc6142288506902af63ea2486354e609880af1
SHA256 36eaf2efcc173b4e1f82fc32e8efa5aca611635a3226742ab1a8c343eeed84c4
SHA512 5704ca35b9f5a3ba416c306a66e30e9722fdaa00318c27844c82d7e9ed76a1b5c1deb0f5b4526429c262149daa2bda68a8e1745232c597e6b5447859f7ad90b1

C:\Users\Admin\AppData\Local\Temp\usoU.exe

MD5 bd629b1a1a940cad1b68b9f849323295
SHA1 c02562057b426fa2c190397cfa0112ce1efe80bb
SHA256 5e0c5daaf38877dfdc0fbeff21807ed048824fb1f03965bab2deadef7df0e5fb
SHA512 96c00b10c28eb53a0f25031aec6ea1758f042eaccfa3b07be35e29e71ad4bdf5c84d19292ad7777044f03d8d5818e4ac29997976528c73ae8782dfecaf3461c7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 0d4310c4b3fab45c8233d590bd3a5da7
SHA1 66671e14f085c01921f9b30f0e5c3af79924d6b1
SHA256 6eefbdf4ade66f015dba6f600475beb92f57e46762746ddff80624912b5e82c2
SHA512 3eabce6d9adf331e3cd4c432eb639d87465f3d095a5c14e8f9e1e86699111cc79de2d8c8d1cfbe92f091569857492ebaea983ac79806c72327d302b43da84ff3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 04a906f79f8a1bfbbd217343b9fb0e21
SHA1 5ea930e302ee75f406ffce9a427cf62c7b9e0969
SHA256 3ccf0f2d1a4e4b2db927db47764487930ae1a0cc5f6e99737cae5ff9ecd7ef89
SHA512 32fc124291917e54647582ef730f49570261fe24248d386255cbebf1ddd1fa1d0b6acb58b2cd2e6a4379bb7beb7551e1b1b06cce2fa1aef9c0cbda04521d3dcb

memory/1872-1726-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3744-1730-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwci.exe

MD5 f4f110f0bdffd7892137d876c67268cb
SHA1 db9f3f68f7ee934404d26b442bf357f869148ee4
SHA256 4ef058eb6597e63e9ca2dcdec7aa79e2c6a55c4596af16b8e6ca51e3cba15d07
SHA512 1b866757e6db1b8b139a9d33716f98cd80ec6e51bae0b213f71508e8f98525760cd59db99a6089f567fedb1c4c7ae8c1b3fb1a3cc575a25873f0167299cbf01e

C:\Users\Admin\AppData\Local\Temp\KYMu.exe

MD5 61d70bb0f9c03260fe13d0cf7ae56acd
SHA1 9c0ef6c4aeeaddd1646b88f05865d130150a9183
SHA256 1e3fb064181f5f8eb885728b220a1b094481958595a297d0b473fd6fd46264a5
SHA512 02a90d14d4b13d0c5f95686d98faedb17ff9ab6679cbceb1aa6a58480074b6cc98e53768d41db4c7713be9af9796b144c82960e49ef97c7e42243b39fc097a8e

C:\Users\Admin\AppData\Local\Temp\wMMk.exe

MD5 cc79e3d640bc6e13127a1b5e91590813
SHA1 730ede751b5e3e686a1ec8aea7279a1332387761
SHA256 5c5531ec6c37368a7e10a66b3a488e2091a41b0e1b51334afaa18335dcdd4d46
SHA512 b4f3c8c021bc92ca2854537e37d1256de94f823c1352eb0942f1266eba8397f08399927ce129e8cd0a859e9bd673784864013b7399c658e52addc82f65c09f3b

C:\Users\Admin\AppData\Local\Temp\sgQS.exe

MD5 a053d394cd5114ccad7e571fda164958
SHA1 6937ba480215196ecd5ca904a095ea858bff75d1
SHA256 2943910bbd5922dfbcbf9af6fc208b8756fedf44aab85af5cf5a5cd65182f024
SHA512 fe038e6a1567abb2d28930c1e4e0ad0f069dc262d76602eca1de72cff8b0ebbc06baa98a5ce13caac1635a6147f83fcde5bac0d3ff138e820cc4072873730dad

C:\Users\Admin\AppData\Local\Temp\Ogws.exe

MD5 4c413c296c64d8c073cfc683c98a0bd2
SHA1 47af5d4b090e8bdb05faeb454dd60edef5aaa8df
SHA256 7f8805e4c55aeb08ce4a0b4cde665b7be23ea7e68765fc099053ea5009fb06a6
SHA512 1249fc010dc78368034a6c2ffe558cb7e4599ef18697106e97446e469f12d70d5c98d861020914abdddb4525a79f7647f246992e0a69dc5d56720d90540ec4b6

memory/1872-1798-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4372-1809-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wksY.exe

MD5 966567c118488254370c26b6f96f3473
SHA1 b65c08ae7c6f617090de0eef5e4cbc75b97b0a0c
SHA256 1549914803403d7617330ee5feab09ab3260c007d7403d8e05ee016bc95887ba
SHA512 2d201a2b4c2487d49a84d160805569e38cf6a8a509fceead43d22a7d1769ca50f6c8ea41e4cc0ae2638c4a586c13b717ce33db8c38be92daccbc9334714a5bb0

C:\Users\Admin\AppData\Local\Temp\QEsq.exe

MD5 4f900454dddcdbfa13276d35ed803daf
SHA1 3022e612d2c55bbfd0c04b018ab7d6c442b79f41
SHA256 4b9b46f8d6e44d0431d477314fd6a5a64d78381cff238f2b2f48bda47475bf50
SHA512 a25704679e5f1bb448afa1b550b7c3c999ca78360c67a1ffc7c8273cc49e4405ad24ee884f4ea88d0d30f62b637e48d97e38b39710827812404e2e4d28833d61

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png.exe

MD5 e5e162b1b40f2b1bbe7d858ac82c359b
SHA1 def046e3553761e929ba2a85896131188c518243
SHA256 1af269d6ffe3b259b55ef237bd4b2e5cda646409a54c0db49aeaf167bad1df94
SHA512 4f75edab74ad2fce5c3f1ee9f23b3e133aa330b0c13f724c0fa8e48a7f75c9ce738746754318a9311214085c3e80cebb7dccb551a519f79442bfb7ee2547fc4e

C:\Users\Admin\AppData\Roaming\BlockSearch.pdf.exe

MD5 acf6a66fad691e1592832ed717bbad37
SHA1 b7ac80d0a9797771c35459bddf0429b33fe5b17e
SHA256 23c63c25ff2aa265aee2d8fb755542dc2513257a595ab0cd9fe75eca0199185a
SHA512 cb6556c932e2ab31053cbaf2a4c2170d85696cbb5d7b50a74f473d45ce982e4a91ec250e32ac426d3e2b048146a6b3d297ba86e6454248baf43a8d136701b51c

C:\Users\Admin\AppData\Local\Temp\GQgE.exe

MD5 0a64187d27e52618d9a6a6c421477c3c
SHA1 39d51468432f272cc0180b142a761bbe9a2476e7
SHA256 1fbac5c3e67ff3b3840a08b5ecde8b203264fae9417ba279320975c013c7a861
SHA512 3f2483bdca945173ea5b6ecdf946b6a2b5a5a535c418cb867abe57ce6a1ec304faf04fe774e746b6ac40c542dc01e5583b00ba75dc62ed1a88b44db20b0895a1

memory/4372-1900-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UAoC.exe

MD5 f34b4994d30a1db9812c0dcb8614bdb5
SHA1 634616d190daab88fcf145f5fad0a7535d5bd0bd
SHA256 8bef696c19e90f1dc55b42bd1080714fb6417db344a85d41c89ad69f246baabf
SHA512 377a8f826b0de50f7a239d8d26c4987e5cd4802ebbce8006e939abaf75943b7638e57449fb9aeade081d27b2c32c64f1b28d8f46ef50e32195aef5282eba9156

C:\Users\Admin\AppData\Local\Temp\AoEW.exe

MD5 05721ee6256cfc15a6d1c3db7dfb54ee
SHA1 dc7486b3a3e178feee5157b076e6db07eb4db2cb
SHA256 3b3d031a9518078d0aafa16ffdc49730cc5f0e20b11717b4b272aad33377f12d
SHA512 43174572a700c7e111a5ea803769ce9ce59e9409e8b6a3fdd4ed9f0299ebeb8941ac1cb9f7d2324ff9e63eb4849fb3ee35a889580644c48787b8a289bb28b2b9

C:\Users\Admin\AppData\Local\Temp\gYsi.exe

MD5 f5eba520ce3a11f5de241f3098a6d89a
SHA1 e41065a7c94494cc1e9c68d700b7e695089f6be3
SHA256 8f57f308095e6143f68836428133b3bcceffb6fa730dcf3a0bb0074359e62c75
SHA512 1aed951638551933ec3077e7db89f6d49a4f49c4c94d870dda27b2ebc81dcc3294bb8c816c1c799fb0e0c7c0e958d15ae3388dda4dae7fd808c17d06ae1b7bec

C:\Users\Admin\AppData\Local\Temp\SMge.exe

MD5 35f7aaa8b5bcc0df8259299599df7342
SHA1 bab0c03af3a4dfd8a0e55e1252cc52bd785283ee
SHA256 a7d16d70ed71d2a9e2e3280b3fa51d01a7104a848d424abcda1d8ed29252ef66
SHA512 58eb82ee37263ae8adf5973397eaf8424981a259a7626465a7b4787d8d83354c2a3dc0d69754a3a316abf5958a3892b2f8199eff0320d695580903926a84c686

memory/3784-1950-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIQq.exe

MD5 056ecc16009951c60aada5d445851613
SHA1 1aa5bf912a6cb8067420afb7be8984870d21bee1
SHA256 0f0c913417cd895135c6e06385be52f64a6eeb0b4ce083e730c4ca12460cb109
SHA512 381d52d93a37644e0aea6796c3f41348acd85efe27db6c6a5b5c873669fd0822407386f9a8c75ce6103042b2a4c0a7eb85338d8e9e90537816a25d28b8628662

C:\Users\Admin\AppData\Local\Temp\mIAQ.exe

MD5 2b62d6831a2f7fa70d5cc71011152876
SHA1 2e9c7fbcaf04307ef2bebc63d385046e406c9b54
SHA256 f3c2408fad2c845deed454201f91a5065353e22dd83cea12726771a692f61c27
SHA512 46d714a7353ba9ffc0beeb92b415cb6150d1cfda3dbf849cc2b2fcb19cb0eb2024f9f723592e3cfb663d4a0322aa93eacc5b8dd8d586bcdf025e8cfb5df23f8e

C:\Users\Admin\AppData\Local\Temp\QcEe.exe

MD5 7eec8d61cf75a13525169cdcfec2aaee
SHA1 9740c42972881a063ec02badf625103c602a69f4
SHA256 ccbde297869bbf5bc0bc66491f5713b5bdc9e5a7b7e1d27180f82cdd693ce3a7
SHA512 d2cf59e5af9558054d1b8391dfc3f6d8be5df32baddc480b650e0dcc8ca54302d72b42e09a3f994621fb3d2655807ac364917d8bddd8434286b810ec5e2e40f2

C:\Users\Admin\Downloads\EnableTrace.xls.exe

MD5 7765d08c86285dd1650fd6451338cd52
SHA1 1e21c58ba404b1f29893e4857012601d4a4f225f
SHA256 50b7372ee2f6003bea67595431e37645ebc0c59eaa1002c91f9e0ad28ee3c2da
SHA512 004b7973e439a1df0bb0f0999ca5507a0f60fd2ee7229242d8553821c83ae477193869adcda7e210f7eee65516627655f6651474ea37fffae568f761dcba8f1e

C:\Users\Admin\Downloads\MergeUnpublish.doc.exe

MD5 42135bbccedc25f2ed97881dfb14b7fa
SHA1 a15fcca9d548051a5f4c5c7a45dacba1bdebf83a
SHA256 a6c3ce3fe402dac88bfb66c58050ced509ee1815a09164f78bd37d925135144a
SHA512 ae29ef2d58709624edb500e9d51182a0f84ad07e2882410de50a6fb6c7a4cde7f86aad64e910eaf4c593b710728fa49c6d9dfc1906d210d6c7758d69cc49ca11

C:\Users\Admin\AppData\Local\Temp\qMEw.exe

MD5 c6fbb62c8a25bfd8c12436ad4693db50
SHA1 521d75f124058fe45912c67ccce0ff2922c2733b
SHA256 49c3c9c19b924e361f7be7f4f2da1f73110028c6dfec22f4b1b5a47f0fa2b7a4
SHA512 06364fd1be8863b62cad70c5e24d54d7a3ae7c24fb0282634ad4e436823f97cfa20be3ee10b0b9dfd66e1fb54d2943150fa76eca4f0ac18ef174b2049f769c88

memory/1736-2042-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AssM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\MgYY.exe

MD5 a95c516469d1225f7ad2ff9c531325fe
SHA1 b31a9393b857d5e7a5d335601b34b0913daa5e25
SHA256 9df7e25571f102f2669fdb1e4a22f352015280f396edfc2d1e18927b46f9454f
SHA512 e6132ce08194dc46800ec07bc72a68fd328b405be57d2dc4f1cb5e52978dc08dcb3a5a2f158bc5933fe0cce8bf8c5d69807ccc8c797b7996c47088db308a5fba

C:\Users\Admin\AppData\Local\Temp\EYsi.exe

MD5 87569eeb4ec6c3dd498db2ddadab37ba
SHA1 a5e8ff125b647fe8ce2f2132a49673558aea5287
SHA256 228d404393036df75d4bfcdd61f59cf57c45ae30ee81e9927c0acc9a847cec5f
SHA512 913c7980b1b2663e58cbbff80ae5dc16fd2e1ac02044407170a3e0b2024d39aab4eac5a275f116eb9b3fc1548ba48781448d020efcaeb851a85a5a1f6bccc20b

C:\Users\Admin\AppData\Local\Temp\cowe.exe

MD5 5a022becc1092b9d0f5e96bbc68ca0e5
SHA1 95c7883ace756364590b35e63436fe4dd388a6c4
SHA256 eab92a5830ee07c16b9eae3159eb83b5fc15abde8e188e7cd3c52df09474165d
SHA512 07f4c49d66e9bb49284f3d61cc67d91f3eb88395b880d37ee93a31fa0c2e4ed478e79a200d16580d1b2cdc8ebf0448f4bfda799a2bee11c0a2176d74e9bf49a2

C:\Users\Admin\AppData\Local\Temp\AEUc.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\YAEK.exe

MD5 44c186bf0afc313d755ca3f057b1eb9d
SHA1 238452ba3eb890a74bb69ccbbb34520c2bffd6f0
SHA256 141f9ca5f151ba284823578b53c3c94950e0ee7321898bab669cbd29b07feaec
SHA512 044e35c7af99daf44c152fafc3f53ab3200ee621f65973a92a7afaea9612d351b3f5a32d0e1c1839bea4f4dbe1e8c5658909f90ef40473dda9312930d5c880a2

C:\Users\Admin\AppData\Local\Temp\CAoi.exe

MD5 4fab98f17c6928379b98cd1e0bc468e4
SHA1 dd5d8d1e0b2aec26701f71b4e5188a763e71429c
SHA256 a3df109d45103ad9d4953962f38feac847538f3ef07e029c161134743549c87c
SHA512 0d881a0431b7c9c27bf517bbcab5661ac18f1b477a871a5f373abe9a86a89856977a7ec5eb449fef66eaebe8daa18b3a967e6745652dc35b748e4542d8c55fd9

memory/1548-2120-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KsEs.exe

MD5 d5815ec1f2c39466e354030a49086a49
SHA1 db8f2b92fd310feb9b1f1b9108402d7999cd4c6e
SHA256 315719e9608a71ad080a828c0a7165431e79e8d4b1c3557eeac5aeb451c581c9
SHA512 1699da9b57a7b2688f6320e4a5f8e73b2cef9c27804d4487d9b26b9ada259bf0ed377673f5998d81589eb1ba8c939e0846935880fb76218b45188e0e46225084

C:\Users\Admin\AppData\Local\Temp\wkUE.exe

MD5 ddb3379e7cf7cc2f578df8706d96a283
SHA1 a632a3a76f9335a4bb358382d9f9bd8ef4448cd0
SHA256 463e0d925e4fa124c010e3ec5ef8dda6722b274eadd870139c8ba19fc8b05956
SHA512 0d1108208a1966f4b9c66a457a5550a8a1941dcec215976f390a150c154afc27eeb7ca4b3bbbd2f27514f56f274d93733cd4c03f2088aea961316b99604caf76

C:\Users\Admin\AppData\Local\Temp\Mwwk.exe

MD5 0920869e9b64892e477434f53b7de38a
SHA1 9aac907e1f094feb56f5e42aaec7e2ffd5f7fa0b
SHA256 9c7ef0db2d73b04119055df39ea9c5fdbcde5bdacab1b8c5dc845c2ab44496ad
SHA512 bbdf0e22622b3b5cc801a1aab675adb1ab3ab405ece675f1a89552eab230afea21ec068bad5ab7085d33f145a340162c6bf45a9b43790a04b5b08f58bdd256eb

C:\Users\Admin\AppData\Local\Temp\wwsw.exe

MD5 2d0cdf754c0bf93d186dfdebb65d7aff
SHA1 a5e0496ab66614981e90b0df2c3a4ea73c9fb204
SHA256 d4c81baa847a2b3cca19e9cfd996d3554671afa88df6ee5b4e10661e41b2aaa5
SHA512 df8db4d7201dc3252e708195b8d4994a284c2b79bcd02d1ef768dea3355bdcdeec630fc222175a611cef8efda035953fb0fad704e89669fc5c7c84e1b64bf6ef

C:\Users\Admin\AppData\Local\Temp\UEgK.exe

MD5 22be7021e972371aee27e4d95475e371
SHA1 dce5c1770a057b8c913f8576e8200c82e86321ca
SHA256 96acd86e6bd3d7b4b439460dd8d2864f5ae5f9c39693c40bef8665c9d89e1847
SHA512 1a3f3de80001cb315f7f607257e9c985b91129dc723e898b99298d51e7aae00a34c09fcbdc08d0f0c3d090c97c44216b719d1dd6eb02ab374141f8c24de9e54b

C:\Users\Admin\AppData\Local\Temp\kIwo.exe

MD5 0459103d749c585acedde812898288e6
SHA1 482f51a8bc71631e8e92db341cdcf40d3d5b72c2
SHA256 2ad9d5669bf7bd7c032362d1265deb7da1a94c2691788fe10d6837eaaf8d565a
SHA512 fe393c85405814ac47e352ba8b1de034abc7a99a03b796eacc266134c3e06fa629490d46f9a954dd05311a12b4197440eba105c21e43fbc78d190fd25c71eb1f

C:\Users\Admin\AppData\Local\Temp\Skcg.exe

MD5 4a45568db7cc8478a64e08fb1b500ef6
SHA1 c419e4feca0c8b5a2d3a2feb6d40f9f57923b143
SHA256 1dd48100f1b92a6a4f65db0bfade4943dce59658a62aaedda09d25fda5aa8580
SHA512 ba63458dc490e699d7fc8b4dfb3ad38eb3ce578406ede842060a10a2d12a4bf83daf066c683448d7ebfd489b2060e8104a9dfc1e45ef3a1d21807266812d05f2

C:\Users\Admin\AppData\Local\Temp\gUQg.exe

MD5 a56e396de3755b87014c9089b3fecd55
SHA1 3895e8f5fd6efb6e820058049464876dcd734f6f
SHA256 bbdc8618096d0a748778ad37aea030ea77cd4e0c032a83485ea57beaf8093367
SHA512 c79cd06031f9e3aa39a4a8fb62c3b2257f43dba8d5acea7b85444663b9ef7572e1b3a4af4ffbc49da465b50bf4119785aac711f402f985e0a316a518fa241a87