Malware Analysis Report

2025-06-16 06:53

Sample ID: 241104-c926fs1jfz
Target: 2024-11-04_0048ee167026646b746be0135974898b_virlock
SHA256: 3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2

Threat Level: Known bad

The file 2024-11-04_0048ee167026646b746be0135974898b_virlock was found to be: Known bad.

Malicious Activity Summary

Tags: discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (85) files with added filename extension

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 02:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 02:47

Reported: 2024-11-04 02:50

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

Tags: evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(the row above is repeated 64 times in total, each identical: the same HideFileExt = "1" write by C:\Windows\SysWOW64\reg.exe)

UAC bypass

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the row above is repeated 64 times in total, each identical: the same EnableLUA = "0" write by C:\Windows\SysWOW64\reg.exe)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A
N/A N/A C:\ProgramData\WugsEkss\tIkIkcQk.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tIkIkcQk.exe = "C:\\ProgramData\\WugsEkss\\tIkIkcQk.exe" C:\ProgramData\WugsEkss\tIkIkcQk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dMIwYgQM.exe = "C:\\Users\\Admin\\WyAYcssw\\dMIwYgQM.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tIkIkcQk.exe = "C:\\ProgramData\\WugsEkss\\tIkIkcQk.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dMIwYgQM.exe = "C:\\Users\\Admin\\WyAYcssw\\dMIwYgQM.exe" C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\WugsEkss\tIkIkcQk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\WyAYcssw\dMIwYgQM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\WyAYcssw\dMIwYgQM.exe
PID 2372 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\WugsEkss\tIkIkcQk.exe
PID 2372 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2372 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2372 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2372 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2372 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2736 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2736 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

C:\Users\Admin\WyAYcssw\dMIwYgQM.exe

"C:\Users\Admin\WyAYcssw\dMIwYgQM.exe"

C:\ProgramData\WugsEkss\tIkIkcQk.exe

"C:\ProgramData\WugsEkss\tIkIkcQk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSMMsMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkkoAoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSMwswUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoAUQsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwwEIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mssEQocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWUkMgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcggMMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToUEssgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcAQEwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROUAwEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqoIccEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMcQwgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yokgIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqQkYEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcoAEAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgIsUYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REkAcoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcUoMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIsgwkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUEUQMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12518218161391460655-85984382649198901-278948205-17841816271350463942-1804390812"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10649611915970547531039333759-2090917945967881112481843782-490601090350255811"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYEkQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\geooQoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoMocIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\locwIoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyIccQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4343224125793115991753579965-193505188349374951678300994168921776433293345"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOssMMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwgocYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuYcoskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "758904517-847096835-1533550894-1661150532192741209520830164071743986104-327410566"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmswgYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wokAEoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-66416727150973765511851458582142864324-597587190-18667501368522586891448153558"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEssMQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "172273851495189270-573148569-15099915071904105597-984421825-7719485681490676618"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQwAMYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQsYUAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1909967354-8119350461945352560-1667795300-69523957620142635556271239351152909273"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZecoEAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKYYAgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1877304133662850475514259428-356845298-1697582398-1015421311470397811-1162138323"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUMUsYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMMokwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1927006613-435721624-674169804-176979931984237432752565654-1916972714-57994192"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-374006034-834159066-1816625840-1689501264309669323282051905-487225849-152592202"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5994623648739343611450878233-83935713314218559515319512631862742620-291052617"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqEwAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgkwMUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "794721441964201579195973261157844762112807915-46114228118713767481866221082"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOMsYksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1731026283-1321231442179767238953958001752840282-19006387741752025827-766119340"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1426671853302447857-3743683621928405101-1111462763-212187045513658347171744783653"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGksgEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jakYcIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSMQgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaUMMwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11115145642134214763-742205168-2001530114-12771934861513544383268219282-1361547163"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUsgQkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyMcQoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1808997201168459752321095790481913673924-2797078871245303991-561455734-1287856725"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIIQEkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEAoEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuEwMssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1892987260-1942200621531329214-2139997756-125751248403548772906577220-1602006810"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqoEAAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYocwsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-315378248149835021766155608-1929704828-1775337729-202571022214582235011732670091"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-247484656-209927603115033419481428301227-767160699-1401054130146636495-698142472"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\soQQMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lckMssIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1502300778463750224123388972021224242732038619234-41863369619584779211428031585"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByQgosgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1253990066776462411-1910555873-20913070841032279834-228571075-22840965-1275974317"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMMQUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmogkMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19785499181569462284-1791121078-745768160-11034149681745162130-102946889401104555"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1707824461386951291344095835824270908-1357707721085102050416823280791627876"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIoYEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6195060053165974631155841744-1016919476881404006-1675285271701219720250230939"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\umMQAMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeEgYMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAsgMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1686020129-1850368399198315608519867326591993106342-858760243-1639578772-2086066225"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5242705618214757911816264110187279220923967271116173979431571365971085747516"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1274777975-793807226-1300017968-117505087-145669432286892538413209688721745256880"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOEYYMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13928103851001683711-133230985-1460255767-1885356545-610882762-1333443405-1544707898"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqosYMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2026454724160118150219447328571713068331162403509985182633-89778491575233753"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-103793250-1029662274-1819301594-1442158085135738684510499383208895667311087648722"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-86013103617206624621705428214-1056635791-60577819326196542-1870162730-1184411147"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1347308781202137428857634752779183461188579436407300461-1559658911915233251"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-566196527-285513514761181442-1814396609-1806144745945018009-1535369231-1724518878"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQYgcEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkEEIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "614839180-1755893728-837083397-412549529-1155013745-1727357301-417134271-1699495544"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1416481714-1915837351751338094-1342151057-1574294193762365190-651076174-1583187288"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qeMUkMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1527697940-13135311683604303821942703349-460942581205043496031533698414058418"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yOQgIAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2020137730-98728934-498783299-46914720-17163002021044331342483781586-1844417021"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12211227411485691219-302379124-19381425211711313871-751861069-1264503131-1520139520"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1898883273-848674021-17638645291588182393-2023368915-141643956218780144042040005568"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12487360197871669-1517029550-1570601884-1690254591-537469713-2104184784-3264363"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19196095501469885931-1090388800-377445558-2039612000-1466095176505804041-388605535"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wiIcUUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-442215330-793046974-994573400586054912-13254308577288764781248224683532358142"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2005261807-588989253872329488-8007333421647882036139990298920199641691313278691"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14813707831204082027-6865981911738108706-799212336-426017515-13290942091850831830"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCEAAYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10484362132139556195-9252496901350612266-10972765021038030356-547761800-2123961432"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1546995415244320675360622-1417090138-415838353-1507287310-1335664819-1558337754"
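The reg.exe, cmd.exe and cscript.exe command lines above are the observable evasion and re-execution steps: two HKCU Explorer\Advanced values make Explorer hide file extensions (HideFileExt=1) and hidden files (Hidden=2), EnableLUA=0 under HKLM turns UAC off, and the dropped .bat and .vbs files re-launch the sample, once from an extension-less copy. The Python below is an added example, not tooling from the sandbox or this report: it parses command lines of these shapes and tags each with the ATT&CK technique it maps to. The rule table, the technique IDs and the abbreviated SAMPLE_CMDLINES list (one of each distinct line shape, copied from the process list above, with T and S standing for the Temp directory and sample name) are the editor's.

```python
import re
from dataclasses import dataclass

T = r"C:\Users\Admin\AppData\Local\Temp"                      # sandbox Temp dir seen in the report
S = "2024-11-04_0048ee167026646b746be0135974898b_virlock"     # sample base name (no extension)

# One command line per distinct shape in the Processes section above.
SAMPLE_CMDLINES = [
    f'cmd /c "{T}\\{S}"',
    r'\??\C:\Windows\system32\conhost.exe "-19196095501469885931-1090388800-377445558-2039612000-1466095176505804041-388605535"',
    f'{T}\\{S}',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    f'cmd /c ""{T}\\wiIcUUMs.bat" "{T}\\{S}.exe""',
    f'cscript {T}/file.vbs',
]


@dataclass(frozen=True)
class Finding:
    cmdline: str
    technique: str   # ATT&CK ID, editor's mapping (not from the report)
    detail: str


# (registry key suffix, value name, data) -> (effect, ATT&CK ID); compared lower-cased.
REG_RULES = {
    (r"explorer\advanced", "hidefileext", "1"): ("Explorer hides file extensions", "T1564.001"),
    (r"explorer\advanced", "hidden", "2"):      ("Explorer hides hidden/system files", "T1564.001"),
    (r"policies\system",   "enablelua", "0"):   ("UAC disabled (EnableLUA=0)", "T1548.002"),
}

QUOTED = re.compile(r'"([^"]+)"')   # pulls each quoted path out of a cmd /c line


def _reg_add(cmd):
    """Return (key, value name, data) for a 'reg add' line whatever the switch order."""
    m = re.match(r"reg\s+add\s+(\S+)", cmd, re.I)
    if not m:
        return None
    name = re.search(r"/v\s+(\S+)", cmd, re.I)
    data = re.search(r"/d\s+(\S+)", cmd, re.I)
    return m.group(1), (name.group(1) if name else ""), (data.group(1) if data else "")


def classify(cmd):
    """Findings for one command line; conhost and bare image paths yield none."""
    out = []
    low = cmd.lower()
    reg = _reg_add(cmd)
    if reg:
        key, name, data = (x.lower() for x in reg)
        for (suffix, vname, vdata), (what, tid) in REG_RULES.items():
            if key.endswith(suffix) and name == vname and data == vdata:
                out.append(Finding(cmd, tid, what))
        return out
    if low.startswith("cmd ") and "/c" in low:
        paths = QUOTED.findall(cmd)
        if paths:
            first = paths[0].rsplit("\\", 1)[-1]          # file name of the first quoted path
            if first.lower().endswith(".bat"):
                out.append(Finding(cmd, "T1059.003", f"batch launcher {first} re-executes the sample"))
            elif "." not in first:
                out.append(Finding(cmd, "T1036", f"extension-less copy {first} executed via cmd"))
    elif low.startswith(("cscript", "wscript")) and low.rstrip('"').endswith(".vbs"):
        out.append(Finding(cmd, "T1059.005", "VBScript dropped to Temp run via cscript"))
    return out


def analyze(cmdlines):
    return [f for c in cmdlines for f in classify(c)]


def technique_counts(cmdlines):
    counts = {}
    for f in analyze(cmdlines):
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.technique:10} {f.detail}")
```

Two caveats a responder should keep in mind when reading the EnableLUA hits: writing under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System needs an elevated token, so a successful write means the process was already running elevated, and the new value only takes effect at the next logon, so UAC is still enforced for the rest of the detonation.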

Network

Country  Destination          Domain      Proto
BO       200.87.164.69:9999   -           tcp
US       8.8.8.8:53           google.com  udp
US       8.8.8.8:53           google.com  udp
BO       200.87.164.69:9999   -           tcp
GB       142.250.200.14:80    google.com  tcp
GB       142.250.200.14:80    google.com  tcp
BO       200.119.204.12:9999  -           tcp
BO       200.119.204.12:9999  -           tcp
BO       190.186.45.170:9999  -           tcp
BO       190.186.45.170:9999  -           tcp
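The Python below is an added example, not part of the report, that turns the Network rows above and entries of the Files section below into a checkable IOC list. It treats a blank or "-" Domain cell as a direct-to-IP connection and keeps only those as network IOCs (the google.com DNS lookups and the HTTP hit to 142.250.200.14 read as a connectivity check; that is an assumption). For dropped files it flags the patterns worth noticing in the Files section: the Temp copy of the sample whose MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c442... are the digests of empty input, data files that gained an .exe suffix (usertile34.bmp.exe), and Office installer binaries under MSOCache that the sample rewrote. NETWORK_TABLE and FILES_SECTION are constructed subsets of the report's own rows; one network row carries a "-" domain to exercise that variant.

```python
import re

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.I)     # e.g. usertile34.bmp.exe

# Subset of the Network table; Domain is blank when no DNS name was seen, and one
# row is given "-" to show the other way exports mark an empty cell (constructed).
NETWORK_TABLE = """\
Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.200.14:80 google.com tcp
BO 200.119.204.12:9999 - tcp
BO 190.186.45.170:9999 tcp
"""

# Subset of the Files section in the report's own layout: path, then hash lines.
FILES_SECTION = r"""
memory/2372-0-0x0000000000400000-0x000000000042A000-memory.dmp

\ProgramData\WugsEkss\tIkIkcQk.exe

MD5 e5f7df2986a13d9ea1d24621e1ebd2d9
SHA256 647685ecfabcb248054c2d633eb97f4a40241b96ac868a662b9a6ed2bcc49d2a

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 0cf6d3d7ed6285b05a026c9d53b904da
"""


def parse_network(table):
    """Rows as dicts; handles both a missing Domain column and a '-' placeholder."""
    rows = []
    for line in table.splitlines()[1:]:              # skip the header row
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = "" if domain == "-" else domain
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def network_iocs(rows):
    """Direct-to-IP destinations only: rows with a DNS name are treated as connectivity checks."""
    return sorted({f"{r['ip']}:{r['port']}" for r in rows if not r["domain"]})


def parse_files(section):
    """(path, {algo: hexdigest}) per on-disk entry; memory/... dump lines are skipped."""
    entries, cur = [], None
    for line in section.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", line)
        if m:
            if cur is not None:
                cur[1][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            cur = None
        else:
            cur = (line, {})
            entries.append(cur)
    return entries


def file_flags(entries):
    """path -> list of reasons the entry deserves a second look."""
    flags = {}
    for path, hashes in entries:
        reasons = []
        if hashes.get("MD5") == EMPTY_MD5 or hashes.get("SHA256") == EMPTY_SHA256:
            reasons.append("zero-byte file (digest of empty input)")
        if DOUBLE_EXT.search(path):
            reasons.append("double extension: data file with .exe appended")
        if "\\msocache\\" in path.lower():
            reasons.append("existing installer binary under MSOCache rewritten")
        if reasons:
            flags[path] = reasons
    return flags


if __name__ == "__main__":
    print(network_iocs(parse_network(NETWORK_TABLE)))
    for path, reasons in file_flags(parse_files(FILES_SECTION)).items():
        print(path, "->", "; ".join(reasons))
```

The zero-byte Temp copy is worth calling out explicitly when the hashes are shared: its digests match every empty file on every system, so they must not go into a blocklist, while the three port-9999 peers and the rewritten MSOCache binaries are the entries that are actually specific to this detonation.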

Files

memory/2372-0-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\WyAYcssw\dMIwYgQM.exe

MD5 6e3870341323472b0ffc81f9eead5979
SHA1 64c3b1124cf5527a80ea5b4655ff916e06c741b1
SHA256 4ad97bfa7ade17eae5aa587dd1b30258c56c50ad49c9529cea19b8b7c4c093fb
SHA512 b8697852efebbea74a9ae67706b2047ab71bd83e569a169690dce33654b7fb4a2c520bf994df7785c204a78ea8ca4d8c058d020281d90d6229a12a1619eac5e3

memory/2372-4-0x00000000003D0000-0x00000000003ED000-memory.dmp

\ProgramData\WugsEkss\tIkIkcQk.exe

MD5 e5f7df2986a13d9ea1d24621e1ebd2d9
SHA1 2623dc1f503c1d48ebf68e5d7f37cbcd03daea9e
SHA256 647685ecfabcb248054c2d633eb97f4a40241b96ac868a662b9a6ed2bcc49d2a
SHA512 58776b1ebeaae03109d154fd69ffb45bcd86fe1cda75799740bf067d6d25967bb532524e2c909648c87aacb7296d8c219042667989a8e63e3bd03b3c1ea5d4e5

memory/2372-15-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2268-29-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zEQosEcI.bat

MD5 d863c7221342d691eb0cb9a38d594848
SHA1 1148027f7b7be04bbc18dee3031c6aede2f344e3
SHA256 0f3994c9756f1bc9eff4979e34edc5ec60fcd380e205ac2a12799e90773ec948
SHA512 688997e802419810f117d5503b6bcc579be6d21f8c30f7b17539706ac3c384be301a750b7db08e245b37ab7da4a427cd1698cd7b6f89d487e9a603526b488567

memory/2736-32-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1444-31-0x0000000000160000-0x000000000018A000-memory.dmp

memory/1444-30-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2372-41-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xSMMsMEo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

C:\Users\Admin\AppData\Local\Temp\NMIMEIEI.bat

MD5 b7015b249913d6dfff62cdd700f41030
SHA1 8e1e3a4f6b992f6e2be272dff6844ec2328645e9
SHA256 ffd4989fa0fa61fe6820fa707d1a5c680bb6ba3c985b84a077d89b65d71e7abf
SHA512 33927d5acbf516f4478b08be7a3b9c8ccef7c096948e8950893ad329f1f30471f0091a0d6a84ca749945e1548e8dc58d5ebbf5efeab5f1bcdf7949fcaca37122

memory/3044-63-0x0000000000440000-0x000000000046A000-memory.dmp

memory/2736-64-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3044-55-0x0000000000440000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vIMQwYoI.bat

MD5 e2b5272588c72d2b796725bd86b4a7e0
SHA1 d79df26e33b8b5c313b1a77768f225fe3fe37bb4
SHA256 74367c2c78452c234c0f23ab88f6bf3f3defda6c710e63ab2a7c5108e21f4f5b
SHA512 9e3eaf45590db3416271bcc6c30f9f7978220c30e2d74eff8d84441eee970fd7fd5eeeb572f091658521e0509208f43c4624c96d10ab7c36ef79cc2938731cb9

memory/1300-78-0x0000000000120000-0x000000000014A000-memory.dmp

memory/1300-77-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2004-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3052-88-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SooAcAIc.bat

MD5 a6ae421298a7f94037d80b635801e5aa
SHA1 d142023cc285b2a09d48541ee662b2f8737431b2
SHA256 611f8407d9f7a367c44f00a6bf0190d2938e8e541e721c00669e48effd120cf8
SHA512 c1b0e9e1cc9e036b547fbb2832b25d8106c803a73e4ee70f04d121e7c35eaa4fd1f800da2f656f04f2f01c148a945944a9c86a845567a55d469c46ac4b14be95

memory/2308-101-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2308-102-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2936-103-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2004-112-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\meIMAUsY.bat

MD5 6eecb900da40ed5d6eb53232aa77aa20
SHA1 c72654bf0438cb38218db6496d2b2fe5efda7692
SHA256 0f2fdd80d31542307d2fbca25e594620fd3366f07a94d716e5cf046cd54ed047
SHA512 a5e7db8a71535f9750d32be18f096d310f6ca369d5386cb602aa0091cbea16faee1b6d8cf462b315f3894eda10e29814f2436bfe9674441aa27c6a94a676a3f0

memory/948-125-0x0000000000310000-0x000000000033A000-memory.dmp

memory/2936-134-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIUMAckw.bat

MD5 d6fff3413062045df5e2caae2297f25b
SHA1 98a78b59eaf23bee9d646299da55e89d6cb41e9b
SHA256 7f093960aa7ec073ae78bbd417be162cf11deb0ae74a73f520779073c8ee6f18
SHA512 eebe4e3034e82ec12656f86106d7a7c8303076ace698679a1758889e7a50c72b8a76b3e1ba570ddfbeb4bd764317f3372f1b400b15a11e1b80e77a812fe3dd6d

memory/2184-149-0x0000000000270000-0x000000000029A000-memory.dmp

memory/1364-157-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2184-148-0x0000000000270000-0x000000000029A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\EikEsAAE.bat

MD5 7490da92f3f399dc20ade21e5e4ed784
SHA1 23cc1e97e01b996c5ca38af2cb0c74734c46c753
SHA256 0ebdb6239370bdc8d32a7925b8663375435214c9a8ba77b8e52e5f5af1adff86
SHA512 f7298fcfb39a586fed96a41a02dfbfda1e655692937d615a41b82231dea52a29c0241bcf8dbc8781348f2f501f123de4191f5fe8c7337ec65f29b1e4aa065cfe

memory/2980-172-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2888-171-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2888-170-0x0000000000160000-0x000000000018A000-memory.dmp

memory/3068-181-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RiUMEcAY.bat

MD5 f5fb02ec9d1e9ddce306e16554442061
SHA1 c8b8c75ba275bc9d326d2a3d2780648689ab9f69
SHA256 5ed3e4b38b43546312644dabd7eab4296ffca3b7d1476461cc43779761b0cf7a
SHA512 ad4f2e243f882cef1e10663cc71e765f2fecbe3442256341457132028720fff21778b7a4b7293a096eaf76b5c98fd3b79014240c143f13ff1a4177ee005a83c4

memory/1436-195-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1648-194-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2980-204-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XesswoAc.bat

MD5 36ba5b8bc186b5110d2e785f141c2217
SHA1 72e692e6266cd879b4288eb575d88c6c3354443a
SHA256 497c925a1234b01e97bbe4e30889bbbacc506af4584b1eac769b1e1c54787bd4
SHA512 97d5afb6ca937c545b753cfc39609e4c82a0bdd93c2adedd9526df31b667926d2f86c53d21fae59905743296fbbe5281058c8ac1d730cee53bd942cd13dd1c37

memory/1640-219-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2676-218-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2676-217-0x0000000000120000-0x000000000014A000-memory.dmp

memory/1436-228-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PeYkUYck.bat

MD5 3853d8909cc367422ff88cc66b91a3c2
SHA1 71781559243d28cc63ae5e39790c90e15b056894
SHA256 a28c382efaf2aebd552dabe24fbdd480d9b98618701b86a4ccbb088d97328000
SHA512 c9ee6e5f2df2dcfa0611f7f758d69af0444bb34966f909167ac3ebb1dc9cf3bc6675edf68e853665465f556a935439088004214ab605d77465c71e5cd77eb09e

memory/2668-243-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2208-242-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2208-241-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1640-252-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PsoAIUIY.bat

MD5 5c7bb030f3599abfdf1c5c77de0f1bbb
SHA1 546369b0fbe3e28787fbf5ff0fadd4757bebb58b
SHA256 330aa366eee242e6a0c8f1b55c897b2efbeb15ff5018ab244b1740f8effb2b6b
SHA512 e78212dd2744f1406b9beeefc16f8cca520bd489a73e3540bb53253fbeae92c5eb35a3dfa230f3f9ee16f784047da829c717b736cba0ecded1ea365aab7b260c

memory/2552-265-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-267-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2552-266-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2668-276-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sokscAgw.bat

MD5 2a2043f3ea239c5c04058348ea46cf39
SHA1 385b9cd6ead747e4a7eab1ee9a9929705024f259
SHA256 e9f923f0709df17c3f133cc02ca5118e585d1ec0b893b64f3eb751ab18d92d36
SHA512 b7f19e594a73430f0241e74443061b41d674b68102733bb808ee24b448625ef67e8b58fc6c78ee525f9ab0334472c76f39446b9de7f67a4225927dcc6427f3f6

memory/2188-289-0x00000000001B0000-0x00000000001DA000-memory.dmp

memory/320-290-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-299-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IWUwkoUY.bat

MD5 b7ed745949b184e701ac6da3f0e22dbd
SHA1 d03279526b15960d043e21b8e342cf14c5706498
SHA256 1292b47f5c308531794f81f54db4b73735f885e41c3b6e9486131cc5aaee1498
SHA512 9c02ae94085197459b15d8cf3e6dac416d5e69a6939afa56b55c1608499ecb0607afac012a6ebdbb9163fc619b29889eeea44afe3174c8e5c12bf0e4b0c27d6f

memory/2644-312-0x0000000000120000-0x000000000014A000-memory.dmp

memory/320-321-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qyQEkoAk.bat

MD5 b01ab430323125bec4c654dae5d25265
SHA1 ec1b869df5857862775a74a77e71702696a66ade
SHA256 3e0c698dafb6804d2cb9c754afe5ab802a23f6572ca3dcb0fea18ff8190079bf
SHA512 75b2af0313a6234ed49c21b31690a50703f2f641e124e54a44235770606275f939d13e6f4065879021c7965a89aa27cc2cc43387cf67d099526243d147e6792f

memory/2384-336-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1768-335-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1768-334-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2716-345-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CWckMIos.bat

MD5 11a61833603c750f8ae210d07d6c7423
SHA1 d13d793e21a6189d2f171f1d6f245c2ea745323a
SHA256 3a45821b4cd2e0c1c678508ea353a92a5dc7265d8b33ad086b540707a20ccce5
SHA512 9479f61b4405fc8eb04d35b540ee41fe06209689ce8b3ea78bd860f80deda0dfb80122abd1146d6a024051b6573b09410ec63cdec35a11d73f14196a3f426f28

memory/2472-358-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2384-367-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mIwwkQgI.bat

MD5 e83816a80c4bc3c6630b29d2728e8cf6
SHA1 07719f8e41ae52cddaed4aded4ebca3c2323e4e9
SHA256 f51571df0791670da5e5eafdeceba48a4b47ba3718a2cf0d89326dbc24989fae
SHA512 eb4881145ae9857649e5e81834c83dc054aa0c26bb42adcadf58bdd8c400be669a7c530cd09a374b6cf101ae96d71a26af13bb5a219a263e0da5183a3a69f251

memory/2436-381-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2948-380-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2472-390-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xqEAEMgY.bat

MD5 a7074372206c27d1d0728b9932487d21
SHA1 2d5efb852da5d788d94582c245dfc7dcc85fd241
SHA256 0deb3586ede7a17c8e02ee847a2968fd395795309acd71dfa164ada5b783f744
SHA512 c1c418fbf735b9dd9baf9ed04f4b626065b4109705c3d2cacb64697069311946593eede1d6170f55263bcfd864f6ccaa643cff8447b48259e929304d62b4aeda

memory/1292-404-0x0000000000400000-0x000000000042A000-memory.dmp

memory/332-403-0x0000000000260000-0x000000000028A000-memory.dmp

memory/2436-413-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lEUUIUAI.bat

MD5 1b39961e10ca7f6ecd369b78423cc8ea
SHA1 305be5bf6153a7482b2b734b298ea0c01f170b8f
SHA256 722dc3c4bdd7d2b6be6920ec8d13cf60e4f31bc711e6256ac447eba31a8aff4c
SHA512 08afbf95ee404790671653f0233021dfc684e7e7b59fc5a8f7fa255b378b68f31a393d04a1b5f91074b2c92a9f22fc7127f266bd74ff6945a0d971092a3bc1f5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/2840-428-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2728-427-0x0000000000160000-0x000000000018A000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/1292-452-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wAYU.exe

MD5 f597d596ead7f8b39c1aad1b8edd7947
SHA1 838d4331132a6633a1e592bb08f01a9cd67b3b77
SHA256 0f6292355710bc910a08759e086b4d96f65bfe2071543ed4ed3de03257046f00
SHA512 dbe062875435768f7e6c4cfe92693b76905981af27e7ae75f5817cda8ceb0b8ddbffdf06e85f0971f236c76b78950b6530c4c0d00dead9b9269b41e7672e7368

C:\Users\Admin\AppData\Local\Temp\FsEggsIc.bat

MD5 d33e4d6921840e5e2745367dd25adce3
SHA1 eecf65defa90ce89cbd14bf4a60a89dca0fb2bcc
SHA256 f15859a1b74dbfe02bc9cbd233fe38c09fa541e859cba5d388ede91e288df703
SHA512 57c7213d7c26ed25ec336307697c3f39ea4b6eb5873b35a7a3da0934027d21cacd19b14fdfb94d6b77363ded191147659d42e0d065618d11f46f09c1e95009c6

memory/1816-466-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2840-476-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2512-465-0x0000000000130000-0x000000000015A000-memory.dmp

memory/2512-464-0x0000000000130000-0x000000000015A000-memory.dmp

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\pwIogsEU.bat

MD5 9d90eecf8a01ed5ad58c3e621b46eef8
SHA1 97cbaf3d6952382751c6caae6d3d1de85e020c14
SHA256 27de765ce296cac7eb7c94a19939e07643730319ad3f2f4add23386de31fba10
SHA512 59c21f113c62600d06381ed7e982c314b5f2f1f8d96a1a1d76656ef7aecc5b1bdf2e9c1846499df30429fdb61d238bc11095048046c401a61e5f810cacbe5e5e

memory/2920-488-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2904-487-0x0000000000200000-0x000000000022A000-memory.dmp

memory/1816-497-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QgQY.exe

MD5 b40af77548e0701e77d676c58c5880a4
SHA1 de37405fb1510a2d83f073fa8f831432fb965083
SHA256 dd745b2235e223cf9eb65afcaae44ba9a8a739786f8f9152d29d9bed8d9487b0
SHA512 56b9f3ac799ad25b0b6993b1a7f6b7b1e875afda23bbcc5475df5ae7254d74cd701e9f76290b71839bb3ac93491587c2261eb41edcf0e0acc5e7dc595c4bf8d5

C:\Users\Admin\AppData\Local\Temp\KEYM.exe

MD5 54935e450de716da7a5c0252740ffdfa
SHA1 666d5084d8e7cbda41896d6d0d72bcc429402ddf
SHA256 1f7148020344ea14bd8628d2d606cde5c0178ffff5fbd559b578b14f535bbbd1
SHA512 4ab0d6f85a8fadd034406194964dff327fe5c792db0aa48e95e4bf506ff873e6bc64ed8245fbdb944115b590410a119bcdf7dc9104ed8f2c97a60d7b91133808

C:\Users\Admin\AppData\Local\Temp\AAgs.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\sUEA.exe

MD5 68f270eb42484f8f6ce6c2c3d072c1fa
SHA1 59a6a190445f465740adf9872a04e3ce9df7093a
SHA256 1567634677e9f2e2dd248c2a2c8beff068927d461676d625410dc35d5c06cc5b
SHA512 ff1b3c7db487a36867277f80294788e911743bb23d619a0c4e9fa9a7dcab156ec9d62aea9956a6f43fc11f18eb6a0db705fede663aac96034c66f1c458e1b76b

C:\Users\Admin\AppData\Local\Temp\WEkUgoog.bat

MD5 6c896130a457b85d5e6e4a415efa8d9b
SHA1 f70f53c527ef9527e2f32e9d8ae27f8f6471fee7
SHA256 301e71d4fbd1014aefd0947570d43746ace4a8239c67df62c9512273629e3373
SHA512 28b52a0b0abfb354327988fe736bd46d8238177485c48f71cdcdf6c645fe6f8e564cc05ca8dc09df1ed6426cfe7dbbe8855fbd19d82c04027584de37511bfcd0

C:\Users\Admin\AppData\Local\Temp\SMgy.exe

MD5 2b7b364446a6eb6194c3207fe2293fbe
SHA1 60f4b51c3d4065e33ed41e15c20fdb201c34d9dd
SHA256 31943c5f6eb66fbd23f783891bcb52ba784c146b1138cf7891b541ce91115083
SHA512 1431104a321df848574953c5d35e6f72b465ce87b7896647700b3fd679e06f5d1b924d1522cc35cbe100cc20e2c7140fc51eb29ef944d26b5895251cbc64d050

memory/1744-561-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2004-560-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2004-559-0x0000000000160000-0x000000000018A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAgg.exe

MD5 565ada808ac531c04f02d65d4f6eb3b2
SHA1 fbba4f32a029b7f74ef6395ee3183b60875e9d56
SHA256 aa2a3c067a61115cd6d7878c3dfcb91db09a50c4a0fdfda52fa6136f102f2470
SHA512 aeb20231fa64a4c31d1acc9be64c493fa9617544388d1871311d781e07013c5c70727264aa14f191b7eee7d69264fa47a749c0cd84e0937f2b783d73406bf071

memory/2920-584-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ioco.exe

MD5 40068f364dd9284feff3a3043e1716a4
SHA1 f03025b22742d2b634c84c82d9a421132f031a1a
SHA256 a0cddc28a6bdd4adcbbbb59e5f825f8628b93d5705795eeed4cf5dde329c6720
SHA512 42fb0186a40030620552b18e5b41023ab9e70e11d1cc3c0aaf06f9dcc8cc29d67ac725104907f430edd29b8ed2fb3934739eafd7b3077c619af756f2092f1982

C:\Users\Admin\AppData\Local\Temp\KAsE.exe

MD5 e31471b211f867c649f8bb0eb8d65373
SHA1 71026d8cfae196e90f53d625bb54ada565b73c98
SHA256 f25d08deb60a3c45d4c82626363bfc26f23060a63dbb52b892a8b88fb08f0a0d
SHA512 9676cc139a7535c93ca8935562138ce50db46c40b042453b23978d854f2ec0dcd30017aa5818881356f431319b4c9ab5067b29cee60ca7b8c6ae7233148f7f59

C:\Users\Admin\AppData\Local\Temp\WcwG.exe

MD5 cec72c20d1b3b93ec2646af0992e6c57
SHA1 2bd6ac319fea848e3fc4a173e66e16206b1e7bff
SHA256 1dc5485c5a49e3d5337c4fb988e2bbda148f62403b55bea2ce83241e2ade4f4a
SHA512 2a27b0774bf13193d9ec4d456284f6e718ebafe480fab139a5c67d8f8adf2321d56316d8918a9f3ec98feae44697cb92a952366907da83a6aea37e0afd1f4a72

C:\Users\Admin\AppData\Local\Temp\cUcy.exe

MD5 22e4e7664cc8b8dfdd35bd94245b2556
SHA1 dc552cdc63e2d0319a0e4b000781eb37c082951a
SHA256 7c6a2d727754c5468a456c8e04c9951605724b237818dac33075595c58c9b66c
SHA512 732a44f182fcf162c8aad2b23404dac1b2d05c7a0d69434fce14bed473397214f29c6421b99c7a2ed5ee20bf7620da5ab4871e90bf2f6624371b53932b154a10

C:\Users\Admin\AppData\Local\Temp\aMoskcAQ.bat

MD5 6b70afb4f7fc2293d31fea23ede2ad72
SHA1 6e5fab9e7c9d481b02a8cf01588d69e3b7777f01
SHA256 2db228301d7466a6cb1d8634b77c498743d9e5fa15c1da62c6ce1b8449d6eb71
SHA512 ef660c0b4cb3dc456fbcaec2f7e4bec4d82719fb0c3879d70ece514ceec2b76ede68588bc6b699ad5b2afbe62bba5c1a4b9eea09e694dbbf5cd6c38c275e6fbd

C:\Users\Admin\AppData\Local\Temp\mIoE.exe

MD5 6e5726113c32ce2a4b16a02c5648adf3
SHA1 e09d241acbdc31af0f7c0ea116bb12f14d533acc
SHA256 9287f0214f5d2d29cec2abfaf9631ac070dfd9ba490a8ef733187235c65d3aae
SHA512 baf75f3fa858b8be8b31ccfcb48094eebed5547d3d16e60580023cbb4225b313e2836001f3b495649b308750b48f7fc374773e1deeb3ee19127aa1273ac7ee54

memory/1116-659-0x0000000000120000-0x000000000014A000-memory.dmp

memory/2800-660-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1116-658-0x0000000000120000-0x000000000014A000-memory.dmp

memory/1744-682-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MYEO.exe

MD5 d812b3daacf9c7b16b266c49b2a52919
SHA1 ff48b403738b8672703e27c03a3bb729f6bb4203
SHA256 b737e6be217021e86681facff142024ad0e4fd0117f46db7f30bc745c8f6036b
SHA512 509a279459579c01dac5811abb9822dc514597022c6288cd4ffef11c8652e3227a5e945c17025fa4b6bfafe49e83c3956c0c507d60cc62a279413ba77c1adf88

C:\Users\Admin\AppData\Local\Temp\kUIw.exe

MD5 3f7c2c887d78843b00b4f9790ff9a906
SHA1 bb70fba0b8963494e6709a2d9b35e8217982a501
SHA256 85c50ef6f53d974e76e5fa11abc20c436c2f60cabf1763da221d1979becc14bb
SHA512 306e50ce1f5adfd22c3c46af4efe5c061d5f19e852a9a1cb66a26ad51e7d2189f346f4da4a6350cbaa14b93457dd990d2a153757b9834aa3d1074f023bb987a1

C:\Users\Admin\AppData\Local\Temp\kUQw.exe

MD5 e9a485d354911bf95779974592746939
SHA1 8033d04962859e8925bcd06ce5e5b60b5a755f1b
SHA256 def12779bd2b3715bf7dfa93cec05221c83badb569a85563ee03b4be2e23c8a7
SHA512 8df46afd63b72c45607144a4daae2adcd85a2f91a726f5e1fd995f68ac8d9d062c83e7340d448d6d9b558598e5c3abd54b6f7fe9500863db5adfaca0e25ad752

C:\Users\Admin\AppData\Local\Temp\KMgk.exe

MD5 f02b41d5ce6b960064d3ec323058a672
SHA1 3c01f3e46b1c84064317c53de93aa670aa8c26f1
SHA256 2f2b8f44e78eb54e9a6758c096726cb48786ea688ffd6a15810170f35b883e43
SHA512 0e8cd636c1384f92196a4314e3c497ac55c15c3dc5dbd8050dfb62b6959d54c25d4174a20a619a9e4ceca106425a86651ce818fb39898e0177b7143da218a440

C:\Users\Admin\AppData\Local\Temp\KycsIMcY.bat

MD5 b7a47144872b7ba18a6fbc1dabe5c2be
SHA1 d517c0fc9cc42e8ff21336f2169f3e5df364eb94
SHA256 6665df8b21f1d7632802740eb68e97bc1bc3c0d4638b36a17004b8c1e9c8bb0c
SHA512 63e36264c2aa0aff95b1133f95c158314734fd324e7f6b6021c8d51e8d32677262d8d2337169d29259138c72d6002224b20cdd7c3042fa0dd2d0a85dbeecd98f

C:\Users\Admin\AppData\Local\Temp\agcq.exe

MD5 59a71b5a5c4403e381adc67ef2be5bea
SHA1 2cf1ec6d6e8ec05a3e2f461962b0cd6c3120a63a
SHA256 248c1a77681117de35c7d172f17a44d2c41fbfddacceb68afb4718fed84db0b2
SHA512 8dfdca94a05a2516798529cf464b50ca7ebddb1230eaee3ce2d0ef0e3c70308fb3011cbb6f644ad209395305907b033767402c406e8d105365882f19845477c8

memory/2932-744-0x00000000001D0000-0x00000000001FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAAI.exe

MD5 5c6d8054f4ebf0a2a25b42b43f55a01a
SHA1 bdd6bac4cc414c0fbcb08d1b78d2e707fddbda84
SHA256 92d414ed017ffb9bbf82452435160c5aa60547891453314a58cc117d662f7de4
SHA512 aa1e32480ee41725c94d05fb08ec33319f58b19eb5211cc045f9dcd38cdb3ddfe9e0f451930ad883dbeed1f0c8544683444c38bdacb674438a2ecbbf20cffce5

memory/2932-759-0x00000000001D0000-0x00000000001FA000-memory.dmp

memory/584-760-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2800-768-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IEce.exe

MD5 627146e8a35ee2e0c869cc7f1296a529
SHA1 6c72f9cf029912326a3156a891e405d6c804a084
SHA256 01097706b7fe93f30f9ae090f87810f98d448023f339744372c3e5a06c684362
SHA512 28d128ec0426a5a43f70376b82f0f8931bb8205e10df05947ec81647160861afc15505619ec051de6da2c8c6f79099ce56d3fee5a825ff5df6aa4b441efb4658

C:\Users\Admin\AppData\Local\Temp\WckQ.exe

MD5 1d5153753eaf0104558559c7c46b00ec
SHA1 e4168a70b2fcc9465395f426a8364ac9885b6622
SHA256 e6ce076a1c402761099f26bd21b298fdaa4a6090078a8de3549d3c8012063404
SHA512 effcfcf042da97bc145b348af1f2dd43441f1775d4f82fb70f95dff65072dd3aecc4bf11260213bd266e3f221af8617f9addd3776a3e762d89bb35dc832c9015

C:\Users\Admin\AppData\Local\Temp\mIUa.exe

MD5 c60ebc0f919c1e1f96f85a17ac6cd72d
SHA1 46c9448222bd91bd391117fee3eddf694ee618d4
SHA256 accfed78633405f3d43abb8685a969a33ca78072cb54ca3f72d16f53d72586a4
SHA512 8564a66c92f0bb608d57db9c3666fdc20f96ce8eb77274794a73bee8f8d20311d9e6dc6aab1cf107c3f4986c599089e3674b36ba7a0cd29dded494724afb90d0

C:\Users\Admin\AppData\Local\Temp\esYU.exe

MD5 ea1c02ba8a8749e7c99e9d2345508f22
SHA1 cf5204dc22f10a2377e8f8608e49315344c213e0
SHA256 08c22f649ba3ac3faba679e0911d6e3fb81c979c6f04fe742a7d05a1f653970f
SHA512 c4312970a7c10e05c869d53e61bda250f675f2b48ca6f95eff4a82caa72d8babaeb54c7475c4d6b4321824829aecb576662e932f9d79c19c7caee4662bc1a866

C:\Users\Admin\AppData\Local\Temp\aMMi.exe

MD5 2727cf3c5bd6f7443b53e94f2c0b4cce
SHA1 90bd14aa8f6cf83f9265395ad7567c1115700147
SHA256 5988d571c6fba87fc399f3b4971cac5398e1b2db117243a2ea64cdb0905f3405
SHA512 f8f15b8d3185f84caa2d58009962339cf5959d6325b7545da2d7653a27fc97c3cb3a209f3f92dbc45572fcc002002ec473a8d886a15981858304ceb5744ac27e

C:\Users\Admin\AppData\Local\Temp\iMUoMcEQ.bat

MD5 e87358df0a2b853a0bfe7aa7fd5257fd
SHA1 a9d11b1f8826f84901b892d8bc243fc90320d328
SHA256 6af5dc013d4da29d503011bfa26653d94bff5a7a68e439330d1e6a8c5e78da09
SHA512 37ad821dc4c97a23ce5a71a309139b4a1c61832effc8b3b320525b29c95d21176a2da0e8ac2c703b450ef8fbd22c51524ec3e2880586f3791f5441785bbfcff2

C:\Users\Admin\AppData\Local\Temp\KEUK.exe

MD5 1bc433434e86ce5ae1bd0c43cfd0dac2
SHA1 f905f7188d7693bc5d52a10a52a0451979c3b27a
SHA256 c427d3c9d78ff8f996f6eeed8dc3b4e7f79b3cb1926ac2b6f91b5c343f8b2c26
SHA512 ae4b9f4c412eb3896f5660b391c49c7ef5f6130a39fbeab84e5f88fb0082d691dda3bfa98142f4e325a02ce7ade54023ae28d022f5378825bec19490040192da

memory/2140-867-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sMAA.exe

MD5 1707f535ed123755a26f0d905794392d
SHA1 a52460ebcfa32a2633258694b47f95267bc38567
SHA256 1342ee5f1f241667176a6bd64d6ef38a0b8f6e0214c519493dff9bedfbef0f06
SHA512 5b24d761727b2cadff5e1deed95ee36f6175c3f71c1bf3ee4816ce57cc4c659d25b546a1fca04cc8f1ec33fb1aa13a32517216bac8d480c5519402f4fd39a182

memory/2648-862-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2648-857-0x0000000000160000-0x000000000018A000-memory.dmp

memory/584-878-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUYK.exe

MD5 aad8e8a6b59dc8a62acd08219605a2ae
SHA1 922bb2554a0fd9b625fa8e965212843cf70e5f3f
SHA256 63d1837d63b108acf9d2aa1034f07bd62329934520faa4fa5fd81beffb946198
SHA512 c75e4c45a76a799c98112eb3e21314a04eac2b1f3db9aec455138ef57681325b55baa4f2551e2aef66a7245b89c9092f4b698c51aac5481ba532cb04db1eb5c1

C:\Users\Admin\AppData\Local\Temp\PsowcQko.bat

MD5 87827832b91ef9f469e259bbdeb44e61
SHA1 23fcbaf069d94a1ef0222246ae24ee92dd77a158
SHA256 6d052a4f79f58a4dff1dea9815b964fb42f03a21a073909a6ed3144f7ae0d776
SHA512 ede68706c9cd98767fe4934906fb020f283e24fc37abd94811926afd021e8be6ec4a6cba690053bebfe332590ff1a5a976087f5d38bcd3b961b4572df69b2b1d

C:\Users\Admin\AppData\Local\Temp\Egow.exe

MD5 4b33a56082cfe7090897582c2e4d326a
SHA1 de694a6e39606a9a5cf39d9b7dce9efb54e93d2e
SHA256 0f792e53f01d37c4073692006a63dba748ef586896e148a8314145ea47b4daf8
SHA512 178d34f2d890b88e6433585161bf118159be893c55e831ae799d6f983b0efe77d781b9f661d0859f2e476a6fa0a7b15e31f7ea8d1aa2307e6ea8bd7464712d96

C:\Users\Admin\AppData\Local\Temp\iYkk.exe

MD5 ec23e593816dccf225afdbd928965098
SHA1 21b96f04753dc30fceac61be1bcb485a23085cbd
SHA256 59dc2649831d80ae870513051e048fda65b2d79076a380fcf49e8815751ce61e
SHA512 4a4f148ab6eb566610fa217cbc41259c5e3c9cf28a725657d019ef0cb5004bbe20010a897199dbd5e2618b7c4916a7bf0e9bb3e516810d528b72f749ddaa5607

memory/1528-916-0x0000000000130000-0x000000000015A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYEa.exe

MD5 1cc3422f86c42acc723087fede13f282
SHA1 4fb4f7df3a0b04d515e1cd774c48d8b08901cb38
SHA256 040b833b777531d2cf97a633b64775d2fb50776fefad6422ea660560d7b16da9
SHA512 5664d39daaf71951838e15e7663a0793c565c7fc107cd76f2354249245645fdfb9ac3547e3b889a4fcf93cd97900aa6d66766d4560db983df7cbb2a5a27c115d

memory/2140-951-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MYco.exe

MD5 6b2abb063de46942a45dc1d0e2e322f8
SHA1 67841adcd5c99999bd79066538960e963f539967
SHA256 d2f7b2f0d949df101307f3626a291738587cfe2ed75b4547a8908c01f5c666f8
SHA512 a71335f4ade4d3ee5fb1dc8427ed22389db1d60dc31bda5a7797d2ce7384d59df1ea706a1f0ca0a6b3e676ebf60ace5761b739067b60b724f85e677e89bbe55b

C:\Users\Admin\AppData\Local\Temp\MMwQ.exe

MD5 715196c3c4c0a4215538711938da5fb4
SHA1 98cd72cdd70db1c18a2e0a364795e4fae1fe841a
SHA256 3b73fb38a10c1d8644a4aa7e30ee613d0e3a3cc2eee6d0884fd4e07bc943ab3f
SHA512 bdbab0a354e98fcc28143df9bdd7776b86c560c7a213966bb4afda65dff8608e6cc61a1cab2891b63319c522314c6d904b8b70f6278b54360994fe0d20e9fd77

C:\Users\Admin\AppData\Local\Temp\qooQ.exe

MD5 520b14de6b13598ab541c857205d7f71
SHA1 c2d8073e48a6d2938f3bb7c6e017228222eddba8
SHA256 37d41fd9a58693e50b3568fabac1ce92cc6eaf001aac43e1b1c43cca28416953
SHA512 af8ed03516d9dc557010eef8297bf5dba25590d66c9470f92c173d9a0c783f258b931273fe3ed5000fcc48d2974d1170b163286710c0fe38e180add5f24c9b08

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 0cf6d3d7ed6285b05a026c9d53b904da
SHA1 d1defccae54cae22064fd6bc57599c46e307e89f
SHA256 a65367d51038900ead06cd9f0e26cd97f17746c164869b2d64193d6b15528cdb
SHA512 c288095203a241b276ea314974fdb83c4621b6552cef1d37b5bb8a2c56d1c61f298a0484ba5641cf7b1de64579e20a727aeb4c2cd465693db7a5486f9ee4649a

C:\Users\Admin\AppData\Local\Temp\IMUM.exe

MD5 7cd87200c0846bc25a9b896c89871f76
SHA1 3428b7899ce50b666162c58aa1a1775f2bf09f99
SHA256 5bb67d296281f97bc871e9514c1e4ddb41aa649e34bdd9c7394224bf83067172
SHA512 d52d7ded0105dcce97ca492e85e836c64236e14a6341d9325377412576d041005503fbc749431bd577568f11aa55ebe79e2660eae82d79d3a110f8cad5cc7c62

C:\Users\Admin\AppData\Local\Temp\JWkYwUkw.bat

MD5 720dd27bfd7fcd41ca02af7095338353
SHA1 a40f449f86aba87b781cf88262874a1a659f9aa7
SHA256 a3c5aaf903edcb634972bd886ffb590b52ed54b54e06f3e0ebaa3334cdc26d3e
SHA512 60ecf435693cdd1deaf50a752f4bf8f0c0aafb0f16d1718f61936a20304e7e9dffba1efe190840b5ca25ad37efea0bc4fddec6da44428d3afbb2edbda9d273fd

memory/2132-1026-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1640-1028-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2132-1027-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cIEa.exe

MD5 e2dad5e2b01976713a7c72b3556763f8
SHA1 8548a80882c0aba4a25c883e1f72f519dcf238cc
SHA256 e9ac93cb1ed06c356e22c47617bda2853b58e6753cab24cae89e7cfe06379633
SHA512 77555bbdf3c8b7fab711609dd04075d2df62284119604c1f8f15a34b15520b3df19a89d1ba374734c53e5516ec6b2ddef0bbfe0d4893bbded91dc46b11a570ac

memory/2008-1050-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WsYY.exe

MD5 3001f4848d002932bf9736167b76092e
SHA1 06de478e2207b30a5264de2a8d53dccc9b72c596
SHA256 f62dad47b8ef65cd1c74f1125eea157ea10c721eadbfbb6bd6a6bb48c43ce45c
SHA512 f3c029fc4b95edc42e71b8e99f5096f5012babce2bf7f8ee141ee2498cd6bd95eb7565a3d045a1d534496414ad312a36d6f702872b1ae23f0ac2d388aa3072f7

C:\Users\Admin\AppData\Local\Temp\QIQk.exe

MD5 67995c6de29ec3c48cc76b9638660541
SHA1 a713ee69fc138695c205c14d83cdd3075e10eb70
SHA256 06e10cd621ae876f30b86b715cb4e2b0ad3c5f60518991196f8dfe5bdc25cdd5
SHA512 a174530adeac10bf51f9d354e09dd9d32b7c55815bf7aac60c4df222530b01a87e6d1c63286cb8463caf39adac7855028f903903df7a46e14ede31ca73847f95

C:\Users\Admin\AppData\Local\Temp\CcUs.exe

MD5 ba0f965a25bca6894250072aa5cc349d
SHA1 51fd89192c1815caf63b5e3fafbed13d59cfe667
SHA256 f956948558a550b868ee33a1d2c0ba4f8ac6a33df757374347dd16c4003b8598
SHA512 a3ab0cb636126a5f92e5d43f3bd1e12d6f3d6b4079f72fe2b2dd5dcb1045279cb81dedbf3762a8bb90acb0dc6bc7861342017252c3007a3c2dde8b85bd498ffa

C:\Users\Admin\AppData\Local\Temp\WsMg.exe

MD5 e2b5da58448376db8091de104452e0a5
SHA1 551bee3f6c55b2a384b512fe87605cb77dc77959
SHA256 30af27003dede68f10ad384b065a393f132929044d902ed0667dd07a68cc114e
SHA512 4d89337de5e404a957c18752fb44730f492ea3416edad3075ed20f4382acefeab20be433a9770e0478bccdb666ea1f1b4f7c3da0f16e62d9b16b195f60b2439a

C:\Users\Admin\AppData\Local\Temp\ikcO.exe

MD5 a3078f53e73a93d8272f017709d9cda3
SHA1 0aceb01d035b22a70c366177963c919d92495f4f
SHA256 2a01ac000483dd00a97ea11bcd660d861b0965883e85ea0131e12e21a48621bd
SHA512 91db3f348a6cd7c7feae5c09349a066db0d3bc6ad0cf2463420705ccad2f0f565a037627d1cbd1ef09c0365ff0a44db771a2f5f297884d8c61acd7b673b945ef

C:\Users\Admin\AppData\Local\Temp\lgMIkoMI.bat

MD5 a435fd6e9fcd2e40213ffb67175dd399
SHA1 61c42fdaf794f1b43dffcf60982834b8e43265e7
SHA256 c797de09d819de86f025e23791e3fae6ac8a71b53b9d8937cf2d7eb30c7087dc
SHA512 cdcec35c1f1e52d27159679ec725c096d4c2c97b83e3cc32505e78c647951356da5a8919e4d7b0c4acbd0d0e00bb77ce0d30741793bcb19cd272ab0b3ab5729f

C:\Users\Admin\AppData\Local\Temp\igcO.exe

MD5 0e63e150aa87cc1c7d20d82cded082bc
SHA1 c12175215d2ff7aed12b86e66ed030b7156ea6de
SHA256 d37ccaae5b3db3aa3c0d44b2cbc0446055bdef81cad03a095d511290e654b68a
SHA512 53bb029d12a71bfc5b6433b3ec631b4e8b37427d6eb3d8d30421efdafa6d613d3dbe6348cd64a289a4634aae654352de5272ba00a1922d5f1dd5249166d2baa0

memory/2804-1138-0x00000000001A0000-0x00000000001CA000-memory.dmp

memory/3068-1139-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1640-1161-0x0000000000400000-0x000000000042A000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 9edc7481db98d32f39b347238be8961c
SHA1 4fd75fc1ab7679aa3441a974bb7c8fc78adc91e8
SHA256 6d575f96a49f0070be25b276736dac7bc2f87a14f3d90f8ec2ecdb3e619f3aab
SHA512 3c927cadf07c15a293113ad4cbffb77b0affb543508cb3c1712743bb2d6a4b562969229c563f568062fee1d2a8666ae159dde40f64f4c6bbaef382cad973ce74

C:\Users\Admin\AppData\Local\Temp\SYkc.exe

MD5 4e4e5f777399e081a3ce6087e5c0cc50
SHA1 c6c7a40226b5e1a75f02456f14ab296ee910d6db
SHA256 9356fd5dbc91e8498c25c63036f97147ffa7dfc123b8c8c8930f499439fa0aab
SHA512 4a4a92f8952150adaa23a14abfe0a96a0054771e223b636635707406787937b48ab81a44fdbb0851ca28f05cf6d6e2eb47e201e6ce072c4d3b25732408f55f2f

C:\Users\Admin\AppData\Local\Temp\uggK.exe

MD5 82a151ab7c33d6672b723a7de230ab11
SHA1 c55d3be79902507cad0d6f938de1c8ac18e9910f
SHA256 459f3ca3c5699a971989290b76031964b80e8fbd8544d470270da822edba021b
SHA512 105cf54d146674cd2dfc09e8827430ca9e44483713c3f611489020db99cc71e044a7e02dabf3b9a7563cd08f49e211857fbd29df243417ce0f6a8e6311594f96

C:\Users\Admin\AppData\Local\Temp\CkgM.exe

MD5 233b2554109c1b09f2594e72f49aaee8
SHA1 88e49861d5dc58ec3702e16ab4218c9a438ecca9
SHA256 ef3da7a3a6ca503946ea8187ecc4f5ddefdab3898c42b56f12836be214560b12
SHA512 e081f560d3380e6de6753e38b662671af617e065e5e3cd9351390e7e0304c4bc426602c5d39e3852d172157ef22c13f061826bbe4842f2b11d8c34298b3cc821

C:\Users\Admin\AppData\Local\Temp\owMs.exe

MD5 80c33b739de987dd7c6ffc606080e29d
SHA1 d3c9861076e6a3d410a45a433a57b09905afbfc2
SHA256 0e4192529ee4e1c3d890cb51e5276284d80c0621ea6020969df20295b03d6752
SHA512 7fb40c9e0b2d43a2d0ac85c392568b3c546f6b8e2b8726b4b265eaa652b2faf3191c0dd11e5228612d8114d7b5370c9232ce5b711db232f9ba49d2d060d75d5b

C:\Users\Admin\AppData\Local\Temp\QIEy.exe

MD5 28faa9cd4a574abb8ed6a94ea35b0655
SHA1 fdb76ec6bf6fd65b4019357c4c70fe518033a0d3
SHA256 a26d486dcf7567d35e1eca66d5d4233fcac6bc3c3073262a8e7a92e399ad6e6c
SHA512 783ff9e6d1783d7e398e0985cfc834d32ea43afdd3ed73ad2c833245b292616888a48de39f09fa094a45a0dd287973cee1d9490d8dc8696bf8a3691d21712839

C:\Users\Admin\AppData\Local\Temp\BUIAYwEc.bat

MD5 b5e4ad79c1ca5f9989064f975cc469a5
SHA1 4f8b31e4eb5d2af790ef4794ecc63558a6fa3ef8
SHA256 acd2126937537b4c7c28b585e7d3bef15e1feccfccf9a526ad14ec80792b1d10
SHA512 93828a36a61cf283a5bfe1ebfbb98673893fcb2b5aa614a0480fb67301ce4e0e9649f0d95ba76871c77119732cc012c47eb390cb974f5b0274ce3976d0dc9de3

C:\Users\Admin\AppData\Local\Temp\eMYW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/2896-1249-0x0000000000170000-0x000000000019A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iwMy.exe

MD5 a1fe94fc1314e48dbf785f9555cfb0ce
SHA1 e122ce7e8786616e455b5b58da7bbe1ee8c970ec
SHA256 ffa801dfe04707fe6a2bb7d6d4057609c3d75d6139834b9babdeeab56dcd0ac1
SHA512 54f8eb0c01aba5500dc14bb061e6e7350a927a8ee210c1f3e30ae0c5e73e12336c3110ba81076c46efc29625b8804ffee5d00ad1ad9c7015d68c5e82398c95fb

C:\Users\Admin\AppData\Local\Temp\SsoG.exe

MD5 3d079395df929b3d7f2a1f4b611ca4c7
SHA1 1df1de3a58028588c8f838ce4c020daab036770b
SHA256 418845aa5ef783c730ad4016f9fc072ac271261f9e38fd4e3262339ff4dde94a
SHA512 e30a17d544c55ddac42edb85ea9634d8ceb5c4ee125067d9b767d0ce869f7fd3fd093ee19fe151bacbf43d4797c6d8a2a0617262d58ae19f12af7fc5c1545673

C:\Users\Admin\AppData\Local\Temp\ScYs.exe

MD5 e78113a0137b43f8b6188a891253912c
SHA1 cf372231d03b35e7fac7bc731fc0187220aa3a16
SHA256 fc2d5d8c4cb2d9aa7cd156929e693c04389a04b7edb119c98697bad6c5561191
SHA512 1ebb9a6a1f728d5b16f3910e291ffce3b1a35582a3a36cde1586a4119f888a42c652f0b8527b71edbe7e25803a19b22e2b45e2e8cb7b32bef4fd208ef554061f

C:\Users\Admin\AppData\Local\Temp\SIUm.exe

MD5 ab155b38435c8e0675e39e0430101432
SHA1 b141f835e5e5ac5ed716ce4de3cf4cd324e47af1
SHA256 899dd7dbc2c12da3ddaee0705d9de63c5e730b5df684b6cae3c858b59f96b60b
SHA512 0b8fa7df1a3a8643d1b45bf943c12a3b557cfdb280c72421f86e80e5baac66210306d8dc7f149700df5782b5259522aa03bc2def3bd7922a13d4a662aec94e4f

C:\Users\Admin\AppData\Local\Temp\SAQAAwIE.bat

MD5 7803972bf5164ef80ec66604e9620882
SHA1 23a6e65ba40cbc946ebb8bd750ac4c94cc7ba4e4
SHA256 430298bff2175a234015f00ae89168786e0177050ac17cefe8a7734440ba774c
SHA512 6c99da7ab339e296c29e7e2b1856e601716945ab6f9e7c429f339330efe55b2e53a3a3fb6030d4e4258082c38937ef0e15189ed1553a83c763d343532354ae2d

C:\Users\Admin\AppData\Local\Temp\QYIm.exe

MD5 d67e1af5051bcf9bc06402b825064371
SHA1 48b15704cea249f6b74dba2c867cf7693293df53
SHA256 2959223c3d3dec6856635c6466001376328bc6c22c295cb36d145e34b85007d9
SHA512 19655af3a5af3960ea3d5c76f010febb2975eda9d65d838266c884055aad2fa2c0b782ee5fc505270e3cf31dac9c9c2ce8ef7860a8058286d180a3e0e801f197

C:\Users\Admin\AppData\Local\Temp\QUIm.exe

MD5 f68f126a31b6fbe6caaa6f38c3959db6
SHA1 aa2b9c6288c814b4cbfd3018f139b879a77b6dc7
SHA256 1ff4fa9104d04ae5adb3cfab72abbe606908605981c90de65c173d802c1b3f10
SHA512 810e9408d547d12980d3869346377b40555cde031185173a24591286c8187ea7354ae5d27a9c56db356abb8bb93d462475361813965f221ef4ac7c5b4145c90a

C:\Users\Admin\AppData\Local\Temp\MUAY.exe

MD5 448a09f65f844fc31418fa05cefa0403
SHA1 ed92b891806e632e6837ca001e112c8cdb8e49e3
SHA256 2c8087e6b11d8d659bd6c98502cce8b282fa757742edf5c97873e70c03eeca5b
SHA512 f5963726e61a7a1411b1566b0215b4ef478db5c916c24fe4cc9ae8204c2a71595e98f037a395e5e9fe21aef909be1b8759fc90ad3dd327fb80f2b75efb601d20

C:\Users\Admin\AppData\Local\Temp\SmcEkYsQ.bat

MD5 133da5b52e11fee0ef5df830596f926e
SHA1 62d7afd68e60b152a0f98f71718624324722a734
SHA256 1be7f8fc381ae55976541794839d702b5b4d53630876e869030c809baaf321de
SHA512 78452b5f50befca4581ea19d7d0a30ff534937eb86241b77c54dd3c53b623c0cef23b367d73f0cf3f2e673d7d9c7cd46710bdc087e900faca46fa04c8aba6e77

C:\Users\Admin\AppData\Local\Temp\IoYQ.exe

MD5 54aaaf1275118c9d94a4d36fba137210
SHA1 cbbfca21e67324eb896af8da6b60a133846883d3
SHA256 870e4fa88bc04c02d1d24ea75b72957e60ea2449514b5c847267b10528f92a31
SHA512 f40c56c7c40555fb1b2873a13f0cd01a2346bd8fcd9eb745f19dc7a50fb0a43cebbcaa62e3d1673f0073527fd441f7bb3c8187c30071c224df1e5a5dd2b3b891

C:\Users\Admin\AppData\Local\Temp\iQkU.exe

MD5 21d34ed2e6c9ecf549ddfe7ba9f7044e
SHA1 6d6aa8d74740939e9ab5aeb2bbb76371923827da
SHA256 887a95c337ccfa878216d0542319c27a7a2c3d03feafefceccf831cf1d352c52
SHA512 6afb4ec90cfc76e2c4d0de81cf24a9adade0794df9af6ddc95761166744901f40fdf065e4add7b89cdac8265123b9b19a5de82d3854ea7a465c2f3115b2c70e4

C:\Users\Admin\AppData\Local\Temp\Cskk.exe

MD5 d66298ab34c71b13cdd73f40b981bbe6
SHA1 c19c29071c601bf4aa5db65d14721ce4d32ceadd
SHA256 86ba659433f06c28d6be4c9a3e266e20158b1b0865e2fb3f55c826ae1b9588d6
SHA512 202221a502feb108957bc2fc2a5db269ff9ad38dafcc073532fb0678b4fc1c7b43902ae863bfa906652d4f05484dda54ff887fd14a1838d16aa782fcbe0b31a0

C:\Users\Admin\AppData\Local\Temp\KgMI.exe

MD5 9578f0e582c9dd0a9de06352e1848804
SHA1 27a4adabfc94c63283ee32d12374b68b8a4ababe
SHA256 eae80e4cd208b2277ec2af93e403cabf36e74954874e9a65a05847cf386c60b3
SHA512 795d0e9793a8158111a20e6a13e2e2631863e7cb6eca28f9074b1649b495832a81815d8bc7cda61151cbf166a6881c4b84b78eba5b33cf75dc7662a7bc5daf28

C:\Users\Admin\AppData\Local\Temp\aOMscMoI.bat

MD5 5e743912420feabbfcfbe082fe3a627c
SHA1 4f19917e461ccac36dba02e29426cc52e2883e13
SHA256 0e9771580f1b7cda6334824a964c168dd23c3b4f559ffd43ba44ea045fba64d3
SHA512 352af8861196ed7f8ccc0dd4dc2b204cf6a6cf2b70a2b156b17e79bf22299db3204b7227bb81191b80c9fcec8866272b0391fbf748f1488aaec29e6b01c2a7bf

C:\Users\Admin\AppData\Local\Temp\ykoC.exe

MD5 8a167a81d54a8dbd52e3f1ca4d9219e7
SHA1 3d2e57ddf608cea6eb46e8285e51ac59c6f43e28
SHA256 17ba3d32b0e3da00c671779c4d51bd547b23f86cc34483c9bc3a5f5d45cf2b9d
SHA512 55b02ea66a2222df67d3048261343996464146c61fd82f476d9b1caee5311a91d9b3133f7bfb742c987107fe09d97e5bbe5818d801614df4835088e986b9d96f

C:\Users\Admin\AppData\Local\Temp\KcMW.exe

MD5 c78319e6674e1eaabb534f015435a7df
SHA1 31073114786e89f7a21701a55bfcbd09134885d0
SHA256 74707e8a727041c0d122f955f71ec716b5bfcfb6708261a54a10bf31e38ca0ec
SHA512 3c9f17f656385fbcb3dbb754bd5cbaf3cced0021677a8f4b12b4632de2293ab060977a282d9e8ec746baf45ce05a882fb5870ab31237a1ccc6d0df2c52b670bc

C:\Users\Admin\AppData\Local\Temp\GkQw.exe

MD5 59e045ef76e4ee6adeb07b261a9d8435
SHA1 82a7180dfdc6fe3a9076c3054f46719f7e23392c
SHA256 de31fb3c0a3e60e1e54aa2717b944794b6ed59a7b54bc126d9091b6a4cb0c974
SHA512 9f26dafb03f02443877424ed9e5ed1463419721fb26710ef7c449075a5991bf65a7b122d9503f7fe6528e2f75a6593beb75c11cad7000701a048d54f9bee3208

C:\Users\Admin\AppData\Local\Temp\ZSAMUkcA.bat

MD5 5020591c4ce9db86f07aea987efbeb16
SHA1 d68e13b73b84c4eeeaa9d2142a1ca0a79b3d4766
SHA256 3ec14e980f55394ebb2670fa509c8494e7f95b6b685a09bbb9e21d12d39afcf7
SHA512 f8b5ae586a6d6a2d58c019852612bf6872d944fe65291ce4d5f44c6ca3911c3013809a30653d2023e7679b56fd63f23949cbef382f5702f8f10a93f4427380f4

C:\Users\Admin\AppData\Local\Temp\gEUG.exe

MD5 e74397bdce1e4ef8f23631a32b2dbc1b
SHA1 e10ef92b07afe6aba1b9da6a10e4abaf91e1a71e
SHA256 27b20d90ca7aa5c184a7a880f64d58f5930c43d721ff77e2c7c50985fcf8f7a3
SHA512 15ccab22b55ace6d22cca78d09748fb48c86ad4bee19e63ca99d58ae3b552c5f7e608470250a799a2c01370391e31415185eed936454debf2b8e09e0256ed6a3

C:\Users\Admin\AppData\Local\Temp\ugsu.exe

MD5 913699353ad98f7d64ab9dab8c867b1a
SHA1 4f15b6d80b12fc99acf409f4ac15f74d02b77ba9
SHA256 4137a46e3fc0671b70d5cc150bfff31d8d9a916621203395af34e8c1ce64c82b
SHA512 bc15a0ecd643e4cf736d73b57fec721db12672f9d14306aab162b7963d8ef8886a3bf112429da83d2d9c57eea18db6cec8a6e508c49aeb18dcdff933273cb722

C:\Users\Admin\AppData\Local\Temp\yQgm.exe

MD5 179c2362db2a6adf0b4526c1f7c315c2
SHA1 f13b125d485b9972b51254fdd0cf70aec659f80e
SHA256 3c505b51ba95153d99ba330cf0b8734a22a9300981cff262afdce46c9b417f4c
SHA512 3ce6a288c9511d6adbc7583b9227e546680d6423d2e4a7d3ecdae53f3238626a8e93a1e65be7309bd976e6416add64bd28b07a3004ae59dee20ce7ca7e840501

C:\Users\Admin\AppData\Local\Temp\qEkc.ico

MD5 2239b3cfdb5b6841bb2dde95edcb306b
SHA1 d027bdec9a533832ddcd54bdcf318ef2a0da8e60
SHA256 ee2532e247bb7274af8769def697dca7b356d65706d3753ee317bdd34d72a6ee
SHA512 fd7f1a89ea4cc76a89542d5b8c1ef6461261e9190d9cc1412cc62437eacc01702b729eb5c951b5db66270640f96608b7e30ac8f88b276f4e79056fe80a098c1f

C:\Users\Admin\AppData\Local\Temp\OQUM.exe

MD5 15e060bde4fdd96934a637a489ec1d98
SHA1 bbec26d60bc1162035a9a1e4bead7b02b94a8ec8
SHA256 c26c615fc49519049d7a8cf2ea002039d702a4cb5fcccd9a88089f46cedb3b90
SHA512 1a925fe074630b992196fd5a5ff8ba20318f84a7a3e64c745c852a512e70bb9ab18561d8d0e9a903c8ad20102b4393fb2625e0872477914639a2d1b483807115

C:\Users\Admin\AppData\Local\Temp\CoYy.exe

MD5 1146fe2ab8833ba985f11618485a72e4
SHA1 71f09554a4f9c96f4b2a592b739a3537f6443236
SHA256 e40314be5dfa687b9362b79bb7cb1c727ab4721ec79fd6baf8b00d6a2b7ac6a1
SHA512 d519e3d0764d4cf41c7866ae41357cfb563a07353b42c7d5df85fd48b5842394ad1f6ba133c20d15dc9df49d0c182c65ef2193b7015480e47f1654a4253c7fb8

C:\Users\Admin\AppData\Local\Temp\ZEYwYwEY.bat

MD5 43646db6674ac46db95ead4996f165db
SHA1 a5a55b1ae4d24e5ee18c570aa2cf3e2477fd3983
SHA256 ca94f2688f177ca3941b14e208cf11e7676a41fc13f3fb923c6df2f9afe70abf
SHA512 7f19757ecc3a91051bbd8ad7ed72c795ce3844f40b92a2b867bdda43a245b7d7dcd63610f8d356ffbbec9383fc7b7d6d0b4fbdd89865e4821228787896a50d8c

C:\Users\Admin\AppData\Local\Temp\Gsco.exe

MD5 81bcdd224c90201c5429e26480ea9c2d
SHA1 5a36e2a318a1b46b2e30ab933b45c40b4d5473c2
SHA256 b380a82021cd1a4ec111207b6a7a09ccccb2d51d91ac5c0a1abc11bbf21c0368
SHA512 bc00fe648c43d96d0ac9e36327a613d73940d6771242d5e761958958c696956b88174e4e1ced13890f4cd270ad40c9d0ab599a464d68d4417acb40b4feddf37b

C:\Users\Admin\AppData\Local\Temp\gwEq.exe

MD5 a012d67fa80abcb2f59dbbafba82228b
SHA1 5da43c893d167caf490674f118b1649dd4a59363
SHA256 a95fc3cc3a11397492561996481b7974dcd9905048167bef8b9ee9a675778d59
SHA512 722a339faf2e8522b46671088fb4e178dd5e84d5101866ef93d6be11e04ac5375c7a847ad406e1170b8832b21373c0f8e937f212bce6f7bb19acdc46d9c07de9

C:\Users\Admin\AppData\Local\Temp\UMgQ.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\SAgo.exe

MD5 0594e3c195b95bd3ab6427ee92be3874
SHA1 5a93524a7b32506510f9e946be256b3d23376f31
SHA256 a5b985864099178fac631f6e53baa73c19d9fdf2a65eabf3bee34a1fe3f08629
SHA512 fbcb3e4eeb9160b86ac9c21774cea11821775870cee4371997c94451d979c1a653bb7d3a8bc3014698119537ea52cdd9bbecbb1c03a60dfe0e8d6c8fa312b8c2

C:\Users\Admin\AppData\Local\Temp\goQe.exe

MD5 c5e8210f3bf731ee593a10bdd9cc00a6
SHA1 a4c7e46dbbee9af0eb4a9d0a6e5e2144cce9c31b
SHA256 4bc13801e7bf8c2f7e6b5fe746b0a77aefe37ea4f866c47eafd85a4a16c7eb44
SHA512 ada38297c77aee43a7a56a8e3fc4de8f50b8be677641050fbd892104ebd62c3e2874a219d4bb8b0fa19bb10d48ff766762ad528a9d373a1bc70dc20f02fc0f50

C:\Users\Admin\AppData\Local\Temp\teIkIYMQ.bat

MD5 893fc9ad26eebc075fb09af14c1cd1bd
SHA1 9fea952ba355eee99c7bf52edf4d9d982d6753ab
SHA256 3a0d23ad74b8a563161084bfd8c44b54da297cf1232b67c77d9adddda33f414c
SHA512 5716833557137fcd0fc48012defe28424180e062ee2ec7d42f0948ad64e0ea863ee71219d15902488d00e1bf8270e1949449c8761841ef03b41a9269d7328baf

C:\Users\Admin\AppData\Local\Temp\Kggc.exe

MD5 26959d2cc4d10d15b324451192753bb1
SHA1 9fca8818a966e600d3fbe8d535d4e85691da2814
SHA256 b1bfa186aa88069300aaed730f9075bbfb6a605530eb00c1230c27220e759ba9
SHA512 37241144e1c4c605c31c9fc23ce06c6c6dfe4040226d17ecf459f1a4f1d591367baa6ea2cab35f3f3e8b510668e23e8a523316cf9d18833cce7a2f5004d50694

C:\Users\Admin\AppData\Local\Temp\McQU.exe

MD5 9265c9b3a7897ac0887abbdb08418d97
SHA1 d6f6440a4c528c3697b1391a39bc900b6bb5278b
SHA256 616367e0b1bbf79f7f8b559f802af9a1a49efc64a5b8d9e72af104d9eed1eef3
SHA512 e7c40d9b62360e87111d75f98f11479d18df50a7dbd1f58fe5fcc348829295dac66eb99921cde4a5e250b4a35e3378143d7200250a97cd8a845ade1c97b4eb4a

C:\Users\Admin\AppData\Local\Temp\ccgG.exe

MD5 bfc6d7474840a6ddecc29bf76da07192
SHA1 d7771c95b610726f93214df67d0d3b4585a6a506
SHA256 4dc5021d658d49751f34002a17a9fc60903c0d6f47829d9822d10591473b7e55
SHA512 192be9ab6af608c3854e82425f67ce124778c0849e10dea5ef9982879c2a45b7f1d87d55b7fa3dcc8691ec22b5c2608e58da8247c3c69b20e3289bdb8fda829d

C:\Users\Admin\AppData\Local\Temp\IgkK.exe

MD5 4903827a222c1e6d8a506223612226b8
SHA1 49fb0e87f1500355ea1b173be328b7c0f4e2973f
SHA256 c0f1434e8df71edf7d30eb20ce3a1f2f3c1b4a1cbee6400bea4a50b8c4f389ed
SHA512 3dbee9297b4a462e81c27ef4938f7fb536aff39cf65e5eb11ea56d7f850205a88749a5accf5dff177b508ae5567227902a40cb27f4dd30c56d9efb2040f33432

C:\Users\Admin\AppData\Local\Temp\FUgUscUw.bat

MD5 e4b1390b1efc51e98ba5986737650943
SHA1 a4493ddf8bad70ae1b65568a966cc863b77c79dc
SHA256 650941b0c1f56680dd8c0fe9efa6f7ec03f7c8f82ae544aaa32b366c507e47c6
SHA512 bdd0d4fb580e80c902ee6c9f89c4c7558c35d0db020cdab019efec325dc7bd4b21d469f2d9c5b13d29ce7c44961ed5b89fc1b49e85ae2c6c68eb720ba3206938

C:\Users\Admin\AppData\Local\Temp\aYkg.exe

MD5 6789096864a55c8bd1ea93f01e16ea44
SHA1 3b4afa06f903d004b5bd687bb136d3d3ad19a545
SHA256 e0aeea0571babe8ec82ac3ff78418e7805102bd2c7d3c3e9e9c97a3cf227115f
SHA512 64f03b675630cddaa9570b5f701abcf1bb617f49d663881d97267ca02d093258d567f34564c1fca1ba5446c48ac61e8c3d523c1ee70f8bb407bb199dd1974e00

C:\Users\Admin\AppData\Local\Temp\YEUo.exe

MD5 3dfe4284859979b8c2f9d26c15d16414
SHA1 f69d43a67346fec5b4afb8ce6ea5a34704441d36
SHA256 b8103d68efd87f5b4dc0f38f9372bf0650c3fb7204ded27402cd5e881a7e6ae8
SHA512 bb285cbdcbbe28bfc4c91c20b212f6ab79821112a8839753bbeffb39af4b3012008869dd2c377594cc2e9227b5d28d4f93abfe038565b8f67e0f6d178d6ecb77

C:\Users\Admin\AppData\Local\Temp\aoAG.exe

MD5 32a544d82c8eb9a3b092eb63495bd2c7
SHA1 878305021ed96d3c878e133ac5bd1b2271df8459
SHA256 6ed363b0edea746409589e38e3a328329375c60e64cfb066b4ba98c45b93ebed
SHA512 dd8b12397299aa46c572c05dbaf0d3bd3bb8a40cfa882baec55fcb201b06740ee3202da6a540d472a1ee5668dd9b36991ab330dc0727efc5dff104fdf3e1e7f8

C:\Users\Admin\AppData\Local\Temp\WYMAEoko.bat

MD5 65acc421697e07d406d1565c1e1f0fd1
SHA1 9078be499170646bcc85cd6911a82c3ab11b8823
SHA256 b81937beb1534c65db594d7b691496d7b11bf90acd855d75566360bb53c31e37
SHA512 4206e0fc106ebc4f40e0ef2a94d656afb2720c1d0354c959d9855afcdceac0fe42c0f2a557c40d032a67e7ea9b37ec75a25ffdc41eda02bd0e01b9a63c93d988

C:\Users\Admin\AppData\Local\Temp\WUAe.exe

MD5 1077c537e94f7ff83d2210e0e4e8cd0f
SHA1 ee68b56ee7d282eea15dd0615e25659a4b804845
SHA256 7cca6234a2bc18151e1cdde94bc619e134135e9635ebdca98afc53cec5c9f952
SHA512 216df5f28590ef5eac211d3e29def23473d22a62a4de313d7176d72f6a95dfd48ae8cccfb070125b99aa0d35b1de2ce0a44c422b40e4c267b2812e292d0e71d5

C:\Users\Admin\AppData\Local\Temp\Wgko.exe

MD5 4ca6568f0cf5642925d66c091ae85887
SHA1 d7d04bb28378f6f0dd87a09e94d485d2d4261483
SHA256 db44302f73a35dd70979e026fb2e6a6cd5d99ce55255d2f1049df25989a3e6ac
SHA512 95b83e9745adaa60a9c67a2df9b578deb5327f81accfd33a76f47bc4d1a3d26b2ab00865c3ff80057287f80962b80e749d79cb684cd74f68823a7c41972989d4

C:\Users\Admin\AppData\Local\Temp\uYIMoMYs.bat

MD5 71dbc63e3829e16b0e38bc1318a3c6f0
SHA1 f3feebf6437a4fb246529d124b0cc264b62a447f
SHA256 04af1ded944e6b50813d00233f6f565c697bd31f027d941990d54997a4c6f15e
SHA512 22b0e4e342c848279eab4a550153f27f17dbec7fb1229f0415b6710c22abd118e4a545d8248b1e29a1b9cca584efd5efeeb0c15b8af698f1d6e3d356f994a51c

C:\Users\Admin\AppData\Local\Temp\Kwwo.exe

MD5 01088d0cea56d28acbb077c329a7d85f
SHA1 2d6ea48bd8bb3be69320ff1baabb404fa1dc6617
SHA256 9adf4eb3c069061f669262db5c250395aa7932133c6f51e74d30666a14387b46
SHA512 be69dd18c62d461e2884c5ea09df18906412586b8c827f49f3ef1d190685c52fd83c7aed5af31fbe41c12d89b0a0f5c8a61b6a95df87e830b8b85680916a436a

C:\Users\Admin\AppData\Local\Temp\GEQs.exe

MD5 f7fe05d8d02b641e3b1d5a12061affd9
SHA1 6b28bc7e37a17e8efea21a3d6e2efb26be39ca99
SHA256 90f60297df71030ac2b97da2e22b1b6fc8be7b7c148bf642ed0c05dc230ef0b2
SHA512 b39d39618802ed2abad43e03b1f8c69c67c1751e6845e27d6f545a8ea19355f7ea52678705afe0c5dd18a42e651cef74ee49a2b89df10e65c2dab341a61b70e0

C:\Users\Admin\AppData\Local\Temp\YIMgUUwQ.bat

MD5 ad3bc7b4fae8162eb5e8eaef760b566c
SHA1 a7a055c487575f8ed865bc6ea04c1b86c13d06e2
SHA256 402d97f1abd2ba4405dc417ffc812150908d4a150a129842b30530c6967f0436
SHA512 8086693c19959540fef60f7610fd64f997e957973fc82daed5c94fe5b2d3b5dc3bccc62e897627082950203a8f4dca2e09021fb8b3f9c03213301286916513ca

C:\Users\Admin\AppData\Local\Temp\CkAM.exe

MD5 ce0494df1825d10842aa9c6257a66e3c
SHA1 301e375fd86599382327bee8271896bca4b55a5d
SHA256 ef9163cd4d83684b8877e34948d5b7d65a517c1c48c77d0c697da609a7fb6035
SHA512 aeaeb84d876f65bba87e4bb78d7c8694872b2397ee88535a926d1ee297e39d18560f33dce788da517ed697a7a02ffdf88fcb996bb6bf454127dd654dd568adb4

C:\Users\Admin\AppData\Local\Temp\wcYK.exe

MD5 20d8472586b542c46a57ce2869322804
SHA1 90eb947232aba0386724d6482bf11e75e00d9fa6
SHA256 8785b3afc6c8d616252c8bbfaa88341ab7d140d731d85f80af91fb5e432a5624
SHA512 76f7bf2a4a7f2a195f4ba15e32c53bfc1223e15fd5b1ff36148fc24b6893ff42a497fbb923490c079ee18127968b73f47fac6ba3a26b541ef7861678c96cc319

C:\Users\Admin\AppData\Local\Temp\gYEY.exe

MD5 eb4bdf2f6f28c3c8a57234cc81c0a51c
SHA1 77e6ad036ebbcfbbe75814e6a7dcd18402ebe504
SHA256 08a39fdf64fa97be57666496d5a40d897780f950f60756c53f926a5fb4e3c7dd
SHA512 c84f8318446e936c3898851d476ad4948c59701d49c9674d75fc327a52808ed9610e8143b1a04b7d16af82050fd771d45265a9b47f9288d4e0ee3bc0b20f0ccd

C:\Users\Admin\AppData\Local\Temp\EsMU.exe

MD5 78f7871126a0f71c810b81a83c7bacc7
SHA1 a91247349d455424b0ad4b87e7b2404c86b62923
SHA256 5ad8f0e85b47bc74f385b39c6349704554d697d05cabbb5426866624a8e4965a
SHA512 22ecf3466d707cc9287c588768774ef242813d1d82229783477640b5d3155ca0031b2f2500dcba7764c2ea1ec7d4a5adf23d7e6fa1533c6bc70eedb994e48118

C:\Users\Admin\AppData\Local\Temp\KQsEgEgM.bat

MD5 55987bae2842a879bdde92b0a8881a6f
SHA1 ebc4b7c167eca9a8941b75875790b710b0e6eb9f
SHA256 657701450cd2dca645c09cc8a53a9344fcd558a34cf32fe161029bf7e62b1fbe
SHA512 7811c65c65b70de9130d2366563a180647c69d750c277bd6634b9b0bb87fc5bd24cafa02347fe461342d75330f63eb3b6912e9c974ea24a012fa5c985a64d41c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 c80c73731a76f094f5d7a57a8bb65641
SHA1 fe9b6db61f63cf727c8b69223d02ea9d720e326b
SHA256 cca7a9b9fe57f9f9a5653fe0644895069bc94d67cf04c3f086213a349f819c15
SHA512 4af99b2e04dc861f6de63e06b60ff1d584b0302afab959e19a4a215164134f57152ae0f99d84c4c7798d4e87aca92361ad4bf3a77b4ddaf89716f9a3697f2c24

C:\Users\Admin\AppData\Local\Temp\oYMy.exe

MD5 1f36b33d181c2a79d0e33a0618a27b4d
SHA1 185560ab2af7fb4ae37ccb1c0fedd40d8a923086
SHA256 8330f4e21c98974556b5dd20d2d3608a3e79b5b153bd2b7b4dc5d402dc5b0b7d
SHA512 bbcb1231aa88fad239a24ebbd1bdb581f0ccaa907ffb0c669cd870ca4c64af72f8952d23a38e2f2ba36a9ecb3ac13efb2ba562803a76a2897f43c6c31ca084b2

C:\Users\Admin\AppData\Local\Temp\qMoo.exe

MD5 f9444b63070084a90d43cd04637e8f2f
SHA1 e212b9c8d1f0a3e33b253b061fd20a5607d1b5b7
SHA256 a8f53f2fe51842714c46da816217ce00ef3b64d02a77366ce725914a907e6da6
SHA512 dcfae0cbf52fae056d3f91bac998f838c7b7a2ab6537f76fcdc7a0a96129ee61126dee1d73d5851b4cba8ac5cc541afeff7c7be521d4017b2a638248e4478937

C:\Users\Admin\AppData\Local\Temp\LmUYoQog.bat

MD5 fae4d384e7e54f4eb90e04c00e5bfab4
SHA1 75e290b86db9b76b1136883f9a902ac7c40bbbec
SHA256 6b0b0bcdeada97ff4f210f7cfa15ff0f7745a5db3af64020668ecdb6a7e0f6d7
SHA512 d932651ab47d12260f80834d75c7c3036b9d24199bdb5b1968bceca9bc3ef31f0ba20f322f5ebb979439457491d073b6ed554e45676b9bb755242ac0e3d2c4c9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 f9e0afdb3878a00ef8660c701f1e00ec
SHA1 c3a97ac4e79f66f36c520b8e5a3fc288260b18cf
SHA256 c36733d4d0d18389c7960786e81266f4b9b3e7ae5b50392c52a2fdb0d8be4942
SHA512 b2553994c4eb3928a2ce614ddb0b21f905655e4c33b3fcc617d7cf19aef76721d3eae01670ff555bd1e0a0c30c1575b11cd48086fa269f6090b0c5969acd46a5

C:\Users\Admin\AppData\Local\Temp\SEsm.exe

MD5 62388df8c18bedfe4793c1bcc9118e62
SHA1 18f5b248541c221d9ea88c404acb9020d216c8dc
SHA256 2e53b3d57ebcb7b9416c127c21a3d2df8e53779f89453da7538f5f20865f77a8
SHA512 8648e2dff5962d153e3c8bc2e59d596d4b853fb2e4de646a082fc254115da53ab06087952498c982b536c45b13b18ed7ce65ec7f53d381aa786a2796c8f4eba5

C:\Users\Admin\AppData\Local\Temp\aAkk.exe

MD5 5e4a75868802ee9fd49f681ded6ae6bb
SHA1 06380d64f0d632d3cb51ce066dd33fafbb6d5744
SHA256 2f30385bbaa9a51866bd98b7a30632ca62c882c0d2e07347452d4fff57179e76
SHA512 f279e96e0858ec699e7ce1b02f838007ac2a7398cea46c262852e2395e8a9659b5947f089ded3c81b82ea31cb2f8c23a37827563012f470ea94255ef46db5249

C:\Users\Admin\AppData\Local\Temp\MEYw.exe

MD5 390cb6aa36d6a2ec42690a603297992a
SHA1 7b9f330d2b5b5055ff24a2c29db1db0fd3fba5ab
SHA256 1ee4f424bfd350f6cef50aa7a60663904c24c3292e677a64fdd7cec95850095f
SHA512 7d58e91cee679ffec413cf171731784f4972a88a064b1238c1d4f6e1eba63f1735d5401d60a1bc4e37c8574481b021019f3e6859cdc5943d966385ec67436575

C:\Users\Admin\AppData\Local\Temp\fSkAEYMc.bat

MD5 d4ff3a49f9ee22ddc15df76b2f738c87
SHA1 6606228335a7651d59783087314e4e3b1830aa7b
SHA256 f1d6253df040cdc6d65c39ff2ad17d0feadb51c6f63e205f78d119a5f3428af9
SHA512 ec9d6b03e51129eeddbce99168e77dc9217687add09b4d7e90d5d343a03b7b501ac9f27b1195f8db6146d236ec2ac3ad164a3eb5eed7093eb827f59cd1a7a35f

C:\Users\Admin\AppData\Local\Temp\UMso.exe

MD5 4ca79424aa5ec4896a922f98dfae17c5
SHA1 53db050a85bf4df5a31ceaf3e7a622728e5a5932
SHA256 2aef81cc3445bf6881727a5f2dcb36fa5bd5c31d5c4a919e47b5be8a27d19550
SHA512 514779685d3d2689b38204a585abafac4a3f1f3cc2f5afb0e587af9ceea70e557d59952c870734be93e71ed0dbf2df9c84e16abc1ebb8c26e6cf2bb04dd380c2

C:\Users\Admin\AppData\Local\Temp\mIUm.exe

MD5 b83a4c2b0b55d9335246569d3c4bd40c
SHA1 3d8d8f3977f0c392a4b55dcb85fa80a14c6036c3
SHA256 18eb168d454209250596774fd228ffacd0895b9a97ba077d2d3e8ac043293375
SHA512 20d6aaeafa1e8c3c3733cd13fe5bfb0327d0c14c955849df115ea453360bff4dbdf5d9b0f9b621e5f8c7edf120531eede6426a3832f037b082fa9a3dc3fdabf0

C:\Users\Admin\AppData\Local\Temp\QUEW.exe

MD5 c5fe6a5d8cce9683de4692032bd787d8
SHA1 e05dc3fcc6ac842b5253e036aaae7cbb675fbe32
SHA256 3fe15278c859451a061c2713247223400d99a59a19bbc71b8af5ae95331b18a4
SHA512 d931eccf2fca5b50302dc28c42e9fd9e99e663ab53524d9a5efedb81c696ac58947107d49f32373c82e0709cd33aaabecf31190188de089c7d2259561ae4fba7

C:\Users\Admin\AppData\Local\Temp\ZsgIcYYY.bat

MD5 0b841a00b564b0bd7ffff402145cd672
SHA1 c26c294225eb53f1833697a936417a543eae1415
SHA256 7affb5234006058d13bc903a6c29839babfbcd14824b736f06a1421ca6892788
SHA512 cf153f5037a85111aa8d57ba55e5556a373750d661079d9cd4e00807fc164f03041b9f67aa0ed7281c0fcb77a53d1c338875a9b8dd4a64b4e963b880679fa247

C:\Users\Admin\AppData\Local\Temp\YIYQ.exe

MD5 d03dd06497f253b386441f5854ae31b1
SHA1 c493a2d99e0b35f524169e5f4c6db553ea784803
SHA256 50b7305e669d2177eb87406625114bfed2c234dd256b1d8ced0c91f4b91b3762
SHA512 57d6c8bbadcfe37f8dd5446583d026f5b0313cbcee5ae5673b696141e143476f1cc142f5f9af8b969877a361154d30009b8f6aa5c550fd4e50c8c48019eaad5b

C:\Users\Admin\AppData\Local\Temp\mscg.exe

MD5 ffbf7159ed41fcf35a600d89f7ed70a5
SHA1 f9bf24cc3b07d7d5e6f6fd83db11c62427a36f38
SHA256 5196593813bd0b9a065ad0fbf496721c566397ad8f9930cffc785608ab51392e
SHA512 3d77935a0353f593bacc69385f101d869a27d98c69bee99f505a1eb456c351ee56589be1e3702bd04d226d67237cef4b46a03880d74b6effd9caf53be52a2453

C:\Users\Admin\AppData\Local\Temp\CQAy.exe

MD5 e9a17f17d948f671c1c4a6a38ca65d2b
SHA1 76611f024e04790aa8f8088624b4cedcc7a2ad77
SHA256 4ae93a0e223eb4b7f30a481ff3998f0787285d28c3b81f9343888ce07c4c681d
SHA512 2393c97649398c3b9242fa8f2ac49f6d1366c4b8c4e4844b74842d55c35fafc5fd4143f56dd2508073f8932d5b4eb433a7f23b54d9cb32fa57d22bf41a95afc8

C:\Users\Admin\AppData\Local\Temp\tyYUgAgM.bat

MD5 db819f2efc2ef69f70970ef59621cba3
SHA1 6874f10ae9aeb38f45bc8011431d5b0396417bae
SHA256 3251a3a7235bef046d3feaa148909b1cfbda5e3835e4b625a09f6e7a06bd4114
SHA512 d3a5be39d9bcc1cacb40613a4354ea9a5e3506e32ee8ab8873ad20217bf79fdfd990e63a10558ea4d97b8f07dd937c740e7a532cc0249e6ce3314d6ddad365da

C:\Users\Admin\AppData\Local\Temp\ucoM.exe

MD5 d45dc42c9e8602b5c8fc090543a9df58
SHA1 f4d6dc13e2fa6582e71d735d6b582dd6998933d2
SHA256 091da60b9541635817dab2d9d046f499dcbf7db9597fef7734b82f981d05e642
SHA512 7dee133bf9658686ecc7df542dc0c8c0f0a72106ded01f979b7e4f0a5f65f447dad3bc64687075a806e4c47857160612941f15567a32f195007fd1048ba5ad00

C:\Users\Admin\AppData\Local\Temp\oUgm.exe

MD5 3555c8631d106918dce0dbf92c77290e
SHA1 009cca5ed7653a61be28b4857a154c24e621e7ef
SHA256 167e71e42a4006fb5eb3aad3bdef0d369ef5df2dfcc49419e186dbced991cff1
SHA512 af613ae7a197068bff89371223f87fc8401d1792612a34c8645a169bb7b4f2d660ee399aefe314f59bb14cac6d8c10968642b660a2b9d4604c9738364a1e5fe9

C:\Users\Admin\AppData\Local\Temp\mIEC.exe

MD5 da63c92599664fde2eea3cd95358026e
SHA1 32842c72d7f22cd50c35a32a5ac8936ef0be1580
SHA256 d3c1d81eef90c13178094213497ac478571d7c73f7cad391eac56af9401fc87f
SHA512 bb5125925f3d512cf148e43a1f7c8078ec2122ce03559328d479fa9994a8260d3fc5a7ba67ea39d505d5bdeb6fde627fb3ce561bf40ce62086e4c97e344b91d1

C:\Users\Admin\AppData\Local\Temp\mIgq.exe

MD5 65eb0df808adce77308b589bb0fd4f61
SHA1 c6cc81aa14c372696d91e921fb10453508568f36
SHA256 d0a6c9cf483082b3290a09b22f0970e35dd8653956b213e3b70478897f2b90fa
SHA512 5b9774379774607a70af8d12e009680e0555a44b3f39b39540402fa9e7825b1e74f350a8ed832d6f7ef414ab4798ccc02efb16ff1752e9d64d22e70341a184ac

C:\Users\Admin\AppData\Local\Temp\iwca.exe

MD5 dc018ae42ff8941d362b5aa58e396aca
SHA1 0918d012ab85b00059d930019a5308779c59e894
SHA256 d4a7b7c1c2e61400f36f3d60380e941e74fb0585967fbab5b9d91b02bd79bd25
SHA512 c64f495757af1109ea45e849eae65f6669a4f3733d13a3a96ef61fc25c56c2e6396f22ab1d8fa28c900f289b4b4b701776086b00dcf94b2e0266330ab66905ee

C:\Users\Admin\AppData\Local\Temp\hsIUocMI.bat

MD5 059a66780b482835c87d15aa8740b105
SHA1 a38ed6eac9a90ac775f9c62d4f1f545020df282e
SHA256 ad6e51126c7d7041823af9349f0592b0b3b202a26a37ad4db731a4cf260f254b
SHA512 589fa1133792044368911746440f510fd4243453e255d6a1f3a5993e8a7703eea846a48505ebc1292275240cb71a175f8a7141272c1d98ced8b3b44399b720ce

C:\Users\Admin\AppData\Local\Temp\SkMI.exe

MD5 4e81787128833d8d94dd5e0c642bd3fa
SHA1 e783f82c55ac3ef0a092b26402892a5bbe1c8987
SHA256 8e144f9cde93983979057d6afff89c1392b15628397fe5a34fa76465c442d94c
SHA512 dd57eb793fe8bc286208c25f45f951d9c6d4971f6452d01555b926ac06cb50db0e4c53e98a15c59ca9757989fed5a6d4147a364ad37d417fcd687650da6a52fb

C:\Users\Admin\AppData\Local\Temp\eMoI.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:47

Reported

2024-11-04 02:50

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (85) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\msoccsYw\TWUogggA.exe N/A
N/A N/A C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe" C:\Users\Admin\msoccsYw\TWUogggA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe" C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\ykggUkQU\RGYAkccM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Users\Admin\msoccsYw\TWUogggA.exe
PID 1152 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\ProgramData\ykggUkQU\RGYAkccM.exe
PID 1152 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1152 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1152 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1152 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2700 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2284 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
PID 2700 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 236 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 236 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 236 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 236 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 236 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"

C:\Users\Admin\msoccsYw\TWUogggA.exe

"C:\Users\Admin\msoccsYw\TWUogggA.exe"

C:\ProgramData\ykggUkQU\RGYAkccM.exe

"C:\ProgramData\ykggUkQU\RGYAkccM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWgEEAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySoMgscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikMoccQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSUIwsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEEQAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwoQcMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CawkUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCYkEMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asQIsIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGMIgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqgQIwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscgMswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cusgYsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIgkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMAwEwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMYcAIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQUcsEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKUkAgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Osogossg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeQUocMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCUsYoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAcIEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkwowQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqEUQgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUgkMsYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqwkcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuEowMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUkkYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwwocQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkMYsEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKsEcoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAwQMcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGkwswEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqkEYUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcwUkoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGwEgkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swEEcYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMsEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsQwAIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIAosgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQsgkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaAUkgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGEooUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQMkQwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYMYMsws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsEMUIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOQQwEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roYcwgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOoYggQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUMEsQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKMwskIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkMwkAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSockAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQgkYYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkAcUggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boIksgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScQEMAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgAAQAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAggEEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MecoQkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwowUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqQkgwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eawUoMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsEgQcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWgQEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWkoMQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQoAQkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQwUAUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEskEoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEkIwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gewMkAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSYQIssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoYQsEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyEMMccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neAEcIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcQcIsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkYwwEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkAQUgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIocEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCAQsYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcoQYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCQssEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIgscMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyMMwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuIcMwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiUwQEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYAEEAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TugMgwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv KdDXe0snVUqN2glUsRRfpg.0.2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEoYMcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYkAsYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKQwIgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwIsMAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSMEkkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
BO       200.87.164.69:9999                                    tcp
BO       200.87.164.69:9999                                    tcp
US       8.8.8.8:53            google.com                      udp
GB       142.250.200.14:80     google.com                      tcp
GB       142.250.200.14:80     google.com                      tcp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53            71.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53            g.bing.com                      udp
US       150.171.27.10:443     g.bing.com                      tcp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa      udp
BO       200.119.204.12:9999                                   tcp
BO       200.119.204.12:9999                                   tcp
US       8.8.8.8:53            212.20.149.52.in-addr.arpa      udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa      udp
BO       190.186.45.170:9999                                   tcp
BO       190.186.45.170:9999                                   tcp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp

Files

memory/1152-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2800-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\msoccsYw\TWUogggA.exe

MD5 762ba276dd49f27a4e090499922507b5
SHA1 02f7f1baaa3a0d4f51ef19b8e2e45da3c089fd51
SHA256 ea73231b6aeaf7e3a4e4c6f32df9c6b4af45647ab41265095757a5c9b703e3dd
SHA512 cd5b337f0939cc8d1bc8b508205bd7f3ff3fe88be8e102c3eb3b9cfe8761760a24499cfc51cb4cec6d0e1a271917c47635a2d462fdcdb0c7f4a864307bb36b3d

C:\ProgramData\ykggUkQU\RGYAkccM.exe

MD5 83e29614e5434ce89dd70796e9a5821e
SHA1 f2060768252d7737e54e0691ec9d6cc200e6b316
SHA256 f3372f03616c220cbaaa6b2940061924943044e2b9853fa3fb9abd7a68ce09bf
SHA512 3fe2a466b4edebf7ea03ab1e3a2dd5de5b505a5634a108c0704568fa9bbe32b673cc4bff28a187dca1e4e23ba6b901d6696c6f7914099ee2381b55d0eb7c5228

memory/4084-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1152-19-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2700-20-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock

MD5 d342c2b5f3d16dc992db22cb737ad617
SHA1 615a98744fb22809454b706174597a4d6b6d128b
SHA256 0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512 4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

C:\Users\Admin\AppData\Local\Temp\wWgEEAUM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2700-30-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/236-42-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1456-43-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1456-54-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3376-55-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3376-66-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1796-77-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4916-88-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4920-99-0x0000000000400000-0x000000000042A000-memory.dmp

memory/352-100-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4920-111-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3524-122-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3604-133-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3312-144-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2964-155-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4368-163-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2116-167-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4368-178-0x0000000000400000-0x000000000042A000-memory.dmp

memory/756-189-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2960-200-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3872-211-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2632-222-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1796-233-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3516-244-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2768-252-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3092-260-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1640-268-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4952-270-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4952-277-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3816-285-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1800-293-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4692-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3204-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4448-317-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2796-325-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4332-333-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3620-341-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1456-349-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4564-357-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3256-365-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3204-366-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3204-374-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4912-382-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1728-387-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1512-391-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1728-399-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2084-407-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2304-415-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4956-423-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2884-431-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2084-439-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2304-447-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4544-455-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3572-456-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4544-464-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1636-472-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FYsc.exe

MD5 dc33b81dd8a68c1c41e2fd51e39ae800
SHA1 9a53c1c86ae447b4c876a3be344267ca1e653492
SHA256 49d206a6fa8e09c83fdff37aac7a350266a5e26796e611cd97db848b5db5fbb5
SHA512 0a6723655b0b786e7fd9ca5efd3d6d8389961eed333fb53179bcfc9de1b45b453c550657c23452276f419006f1e520e32897b0334a0b010d73dd1e65b4d62df8

memory/236-495-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fQEu.exe

MD5 0fefc93c562d5be641ecf5bc5d692b97
SHA1 15beb331f683edfcfc0364ff7ff8e4be7c136676
SHA256 0dbb35613cbda03092b381104bbbee6ead00c06cb87aec5a5663a3b0b6fa6e79
SHA512 3dee9edfa193de69d2115d37be012deffeaaa9594810e8c2e391e5f5d1cd201e5404bd64efeb0e36c7990f35bca3bc3336612421ed1287f0175a4a8b772d29b8

C:\Users\Admin\AppData\Local\Temp\lgkS.exe

MD5 0260e85a0c5e9759b1c890805a328cbc
SHA1 dd9b601269fab39fd854dd6fa7b0db376b793b41
SHA256 776eb5bb42a264598594ce23a251b0d5bc8e7ef32da7c99a0d470499ab1f3bfb
SHA512 bf281ee50a07825e2ad7cb9c8e21d7bfc5f9ee87b5d78961f000b69af215dd738ef32509f4c468daa2f53b28e5bb7d9a8adf03d843fb9442a250bd0c9f0c22c1

C:\Users\Admin\AppData\Local\Temp\FoIc.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\eEcg.exe

MD5 19634ce068d51bc43d7c26067acde4cc
SHA1 e9f48473010d6e6b8b320f75958f888dbb1208de
SHA256 9dcc3a71ac21838af0298389355aa469f339414a35f2635c41ee728592f40c75
SHA512 f70dc4474ecb4d999717be66125ac5dab42423333541a5d431499a87e855596189116c82ddb74ab069b2ee5f3b8ddc2fc91507c61bf2f6fb1e7f10ca7c28dc26

C:\Users\Admin\AppData\Local\Temp\BksU.exe

MD5 25d08201b43c81b3fa191482a76a4807
SHA1 4ec76d9f5b6dd3775eff77caff0fc64c8f87101a
SHA256 3c7660dcc1bef6cc95baa5b4af3406d0d01d39cac51a20186a4efd61a67523bd
SHA512 14e04d7fc598d5c54762fb926100bc9cad03f1b7b2441bec85bdfe1a61fe6de055c912c7dff41e499b1b5cc3d27c709bc98998ad84b2b392d2419003730dbe2c

memory/4892-558-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NwsS.exe

MD5 203343f0c9acf1bf7e17695fb946a322
SHA1 5152fcdbf426ffeed5b86707166e0956c8763943
SHA256 8f9dadc81f1d13eb95d52c66fbf3bf1b19a41771b4876fa55a80c5007229fcfb
SHA512 8eec6ad119987e77022400c28fc8726a34578cc6206b59992ffc844d2765ca242a24d1ad0b1d131fa1034b6e36b5a5bc43df7e0e3afe9ca4231c54524e968d6a

C:\Users\Admin\AppData\Local\Temp\BkwA.exe

MD5 f63012bf294e20059283004febde327b
SHA1 95e372d04b2a2584f6c9f9b3a75d1c1219e91aab
SHA256 accbd63a4eacdd27dfe8a09afb27d343be1aa97306dd315a384193f1f962de13
SHA512 5753dce7a819278bfb1cfead0ad13200927450a2397bb76dc2778307ec3a762ecd5cc2eecbeb495fffb48acd4d6a567b71db595397a39b5c45346b30e0b999b1

C:\Users\Admin\AppData\Local\Temp\uQQG.exe

MD5 f64214cc5e8d04b7bea59cae61632d6a
SHA1 246bd22c33c74f3ab0d36d1dea83c4b97ef6cf74
SHA256 d37ddaa2b6d8e3463530bc9e89d38b9de2f04f43d552eec3079413d263e24bc2
SHA512 9ff1210a6ac3e980e85ff93ae7b7e5f3864108ca35f77972acadc037ef7873676991357ae7cbe6fed36927befb04ef64f87e541d5b52fc31201c430fe33d1d98

C:\Users\Admin\AppData\Local\Temp\pkou.exe

MD5 33211a9d97c9d19896d941d57eb31a7e
SHA1 efbd097136ac652531d8900fcf857dadcbc4516d
SHA256 dde864656f1391a3048dace26d0d88d79f37960b3513e6d45c05b75295d43f9e
SHA512 5af6b23082edfbd76efc4a14ac6e4f3692ec39808ec2ad58da5b022ce29d3fe6a9028d05ca0838db3368d4ee994090eb2b03d9129f4c1a98f4ec963aeb925dc5

memory/4428-622-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoQI.exe

MD5 c3ddd697fd4580ec51587fe381e0f7bb
SHA1 ae0228a4038a39e34b3f64848bcee41abcb58a9b
SHA256 da9cd995aaf4bd08075454652c5ceae3e89fe0618eb3c110e615044eee6b442b
SHA512 e5d99735aa02022d49509b3a83940a51e0a9fe7782ba6475e2ff620de20f2efa0f8529be57f231f1f1512c91f079621ba89cda147f679141c34dad5358793849

C:\Users\Admin\AppData\Local\Temp\tcku.exe

MD5 82b59b67d2ffaa36d5d6b1e0fa5e93df
SHA1 fbaf9ff72baae4a13c252535fb6000995f7fa11a
SHA256 eb3c614d2ba240eda99177474da6c96a60af5999d116c60d59382ad4c3e13630
SHA512 b49be0b80b501bb33ecaf4bc57018bb18c3d9e88faea361b80566ebeac5ba56c7ade3740479037a50d18d57164078f5b867c836ffb4951c4497cfc2ff3bf3a34

C:\Users\Admin\AppData\Local\Temp\Bgwq.exe

MD5 5556438797ef34dd7f659f13ffd59617
SHA1 62be2b8eb4900172e94b058b6238eef08275380f
SHA256 20b8e773b3491ccf091e6e07d291f4e8bd204a1e1697de7c1ad7797f5876962d
SHA512 8a23d1a5994a12ccc9d2616883505d7cac9ac548b072be202c2993ad7494c78971ca7e7ba50ae5a9990524d38a5d036d7899e1b65548094e7965365ba505c9c9

C:\Users\Admin\AppData\Local\Temp\Ookq.exe

MD5 75fa56e6d5a9978bb58bdec7d8413aad
SHA1 d88378e67133af15a104965994b31151554723b0
SHA256 58817766eb8247411c17f291dcc96136e19914eed329a22d5423ceb71b477e1a
SHA512 7c34a41277cf8d57a6460ee2320117c0a26c87792d231910afbc6afba9ba26e34b45b8a543bfbe6354a07acd53cdb57fcfbb945ba99d1b9712f47377af7840d3

C:\Users\Admin\AppData\Local\Temp\kYAg.exe

MD5 5cc0fca4414be8c5dfcfbfc293b44ed3
SHA1 b2645d6acb1121e819a9455d25c0137a84d8744c
SHA256 c29cc64ba7359d240bdb3a9c8325214b5d679a930db0e3d28368ae2f2eda1c74
SHA512 a14e62ddcd045caf1f187ba8c8e5dbaaaa9aabd96180e30a2d5188dce6138538b126f1559678bcd3e388ef44f42de1853c723921ff667363f35aac3ce0bd5482

C:\Users\Admin\AppData\Local\Temp\KkUu.exe

MD5 59ac1b8397a3dde7ee8f4ed8d5ec092c
SHA1 05c7064771c28fdd10ddeedde468a5ce160dd443
SHA256 b299759729f4c0a5dd5ff31c64353c463816e64bbc3460144283d2d25055c03a
SHA512 4a34b6c28bac789fbee6e94e1e267c398747022a542288011d6d3519d5a600d1aa7926faec6bb53bab2e8f82606ae4fbe20b0c2041629f1e8b8ec84f61bcd814

memory/2076-728-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asIa.exe

MD5 d2d596e28f9ae4834fdbb6709d000aca
SHA1 327a0558417ebc89ef171a2e6f133412eb855cac
SHA256 a449a5072c0c77e5d3fea75e948d54e1244e4fb0eaead534596ee4f0869b26bc
SHA512 3b0c90a30e45ac1d20de74383781771630f91eca2587b6da3cce0c0acb31023d7d6c8f342a2432c8085dd544d7706ab8143940fb17ce145075b03493b864d5cc

C:\Users\Admin\AppData\Local\Temp\tgYm.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\zIQQ.exe

MD5 56d601cecbd1272e6bca3e683fa7065c
SHA1 ecb779a115ef0eedb21bc0c9286ead7b8dbf4e71
SHA256 1616d726f4dc08d2bd6709695554757894183017d1b8955317810f63fa8cb1ed
SHA512 160a7530cb6361528fd8ea6a874615fcd5da979f15eafbbd825cf43c20bb9e01dd4c17be5d8985816340fb9c2ffebf46b63e180586d5a040ff27acdd0d92b5a8

C:\Users\Admin\AppData\Local\Temp\dwgG.exe

MD5 e6f7fda48ec4f27411f0be2e0d190592
SHA1 877bac19ff5d61000a71fefefecbc939754687c8
SHA256 d41f5fdcaea17b0e938d723b3f6a63818a623148da1075f3f8da1ed7352d3be4
SHA512 cd34202d4e984a46b8cb741fb6cae0b0d932670263e1f3cbe95566d5d7038f5c919dc56e2bd8674ba7725880b184690f4f51ac16ed518bb6340b31dd6976fa45

C:\Users\Admin\AppData\Local\Temp\rkoY.exe

MD5 2564868f4451507d63467f9646893d07
SHA1 9a44149a9377125131ad33d5244bfd10a8ddf983
SHA256 0b53fd9d5dd7e9526bda4c75a1cc5a0b3946321ba4be1a2034a19d94ac0cda56
SHA512 66fb8f1cd2d5f51916d4d20c4490951ceb18e6201d316c6e8d8115672518b24c1ad7212fdcd01835c6a7196d08795916bea117e145466afffa3ed8a3af1812b0

C:\Users\Admin\AppData\Local\Temp\OcYQ.exe

MD5 3582a5ed1a8611df00516a14514ef21b
SHA1 b5f3176cce2cf23d5c22dc30bb6587a4a0c6919a
SHA256 1e03de79cfdcbba046dc58d4ea839d5086037056d99933a91ea56253619dd61f
SHA512 8b14a23a1321a6fcbde8a4d7937f3586983b4b2f52312977fb2d38ab81afce9441facfb03708e5cdcde82b3e7cf7769fc0a06af85e2e598f922b0bc6c0918c2c

memory/3996-792-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wAEW.exe

MD5 d8fcacd8d512e6cd39ac25d57e100b28
SHA1 c29a571809471531acb267aba1b79c8a72a98ac9
SHA256 bc13bc818e85084d0673231660d11af1a8cf4440987682817c4ec5a52f994280
SHA512 7b98589dd6715904dee68b7ed4a092256fef69cb76d00318ea5b26be4a3cf9dfd8ad2523b3f6bff872edf6773d71f887246d2936fddf0d636942d14d63176e38

C:\Users\Admin\AppData\Local\Temp\xsYk.exe

MD5 3dd50e512e4cd96afec1dcc348529f96
SHA1 927a9e8c6ca87eeee83b33bcc27707d22d955160
SHA256 fb300f777c2f589caa456c486db9fc04665f563ded456d4568c7add54c7a2e2e
SHA512 f32ef0a404a586d8b32603be5e9d3cc200ebe10caccc9f6667cb60cda4c3b64b2325847928e08674a6da8d364a335e9d047e399afbf4fd82b6b28fe7777cb3e1

C:\Users\Admin\AppData\Local\Temp\EscK.exe

MD5 393880394328fbf79b4de67142dfd880
SHA1 19e69bad6ac2fe9fe88807ff1476c8289a6bcdbc
SHA256 39554617b114f2b29fc352ba103ccefc9d3cb8b9362c51e8489f9b02d9bd1f60
SHA512 fe0902f5d72c2a399babd0dd6123ac246e8a0fa18a5ce8ea2367990b3d58ade7c77b59c7f1bf0e99756281e2446fca29d1e653c92e6f6a09d0318e7117aff8b2

C:\Users\Admin\AppData\Local\Temp\McYQ.exe

MD5 25801e7a2e6d6b4b4bdf25192a43e329
SHA1 d54719714c5a58ca49cbe0008dbb0efa2c7c1977
SHA256 77ce218f36efe598652d5083c9bd675cecd43d3455d7925e2a05f0515149dd06
SHA512 e597f4c7a77391af5770e0067cabf0b8eb7cc86dd64a0e3c5091238df062b51428a18b2c8581868635d0314fa25f25baf5f2ec6ab1d3868756348f7a304775c6

C:\Users\Admin\AppData\Local\Temp\tEce.exe

MD5 b2031cfeb812d9639f61a572463fb98f
SHA1 26660f726458b4075f2c7e607a4bc4683cd59735
SHA256 7234c0ce41855ad34a55d12678b91598509f1b95566fcb292f3872081a8201af
SHA512 f1a71c962d87da09a98875e09b9fc5087bd9763ef7630d132666e4c8e3dca1d4dd248a8dac5cfed29150d8f16690150072faf14ec319339a42cea9d15f75bdf2

memory/2136-857-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgkQ.exe

MD5 7e400de21d1fb334923c34700b6bf0be
SHA1 35a88b000034a3c4104de1060ef3b4aaf2e19555
SHA256 fc0edcd076f5ca189cc8213f85278c2765236139caf1931829584384d7503a88
SHA512 3194ecae0b85ce76ccd91b71679e239db5e8e7fec34255c28e42f082bc1bb802cd7fdfba4d12e9560693d26a13d35d7933ab438bd043a58a26ab789f4f535d93

C:\Users\Admin\AppData\Local\Temp\pscg.exe

MD5 252968b50efb58ff326a4559b7089ed9
SHA1 66b67ad67f585b648bda784e36f4ae01d2df27e3
SHA256 c0c539120a46e2aa752a38057de2a10b6ff285335cbd71fb0468bee1f3634824
SHA512 35b7e8749b464f348da3f38c18eb645521ffd9524c2e20944e1c3f3aecaa376846bbcc9db6b31c210b0f1c35b5f33014d6d4b9e02d35b42100df4cef9a76f165

C:\Users\Admin\AppData\Local\Temp\UYMe.exe

MD5 224c612bfc28346d0ed3f71ddc38a345
SHA1 9f8678751d27f02b90be7c68d3a4784d8af38793
SHA256 6206a04f5954c9dbe83f412eeb73ebd32b4f3e9209eb5106dac1854ff209ae54
SHA512 ab7a7d9f3bdccc7d2d4888d928d589795583c34400a23eff4799097b94de5966f5172dace410851e2f3696241660bef470ebe7e6039cad22933fdfd8a5a1e2b0

C:\Users\Admin\AppData\Local\Temp\IQAE.exe

MD5 742c6be945bd80d4a0f7445a1658fdf6
SHA1 14c7b0271901a445c483572011a5777c161c1516
SHA256 2219dae9810cb26cf8ce1b49ed112307d6ae897aa5032197208e0c35cc2f2da2
SHA512 b993b6958a245bdcbcfa5693be2be70ab712a8f98934758623f736a19f6efbf52ee11dc684ceffe51f2fa125d4d321fc6039cff85fb1ca897f51fe5728be7968

C:\Users\Admin\AppData\Local\Temp\UIkq.exe

MD5 68e3812716d8ffcb08777ffbe6a3042c
SHA1 c8ac28c9d6446ebe4d2ae0cada8e93c037a0b927
SHA256 5728a9ed2376d4fe7f3ca00c7e4bf316491d8526f9e060ee15e600aec446a13b
SHA512 9b48bbb9209d65709e4c07b33e120dc8f4bf6da723962d37eb91c94ad2242db762f3ce63f61175abf9f0bcb6eb380f1bc2bfe0946d22ba2cf618d783dc1f1582

memory/2380-948-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tEoY.exe

MD5 8c46abd9de3f9ad207feb536d628b7e7
SHA1 ec25457618dfc2691bda43c7d4dcaef72ccbb0d4
SHA256 195a2abda90a0ae5b30e0972036564bce775540d2b3ca782d85b143c1c70cc4e
SHA512 7d5382bc901e66116ede91aae47288d8e5ce0375f5e4e2b0083dc5e57b6f3b0974b2b4359d0890a12e96fdc3e1937e562d12268fe58a9c9da65eb4d75577b895

C:\Users\Admin\AppData\Local\Temp\DYYi.exe

MD5 612cbbe78021b49ccddad47445e37fa2
SHA1 a540a67cd39ad0241d7e33a09ad72e854fc32e69
SHA256 4f65356d4d84fd751b372abfcfe60dfd8e397aa8e7d6d6cda9fb6bde735acc98
SHA512 598b574e4af9fb15caf417d078735c15da6f9f914417ad2ac885e372b988b31f609943a80feef5bb92c685a0d875d9c001f4f6fbdc98f1174cf73a5e13885d24

C:\Users\Admin\AppData\Local\Temp\ooUo.exe

MD5 5795dec9c3bd07346dd6db0bbb84b432
SHA1 1b83b25f8ed5a36f27ed83c1004f4cff86e28602
SHA256 487b681ac61efa128f1aabaa86d543f9fc5118f97f38d50cc623cf29b6b034c4
SHA512 95a525acaceef398de7e1a055e62232a46faac73ddc01f82fa95c973c36df3b028ca54d68ae7ba8e7b680ec7a1ed08df4fcd0b59970af7c9036eb0762fda8af8

C:\Users\Admin\AppData\Local\Temp\pEYo.exe

MD5 65318dc374eb9c97d1b7ccd2dc60e67a
SHA1 39eba29d00698d131b88616896ecc5573cea8d92
SHA256 5b367d09c42281aedba293bb4bcb799abf2801de95dd78bb3abed2c03cba44c0
SHA512 dbf3ec86aa365164b0fc4c8cb8ee7c03fac9e7d0c05707e4955bb149cfffde08951dc90331a48d8671596fc01c0b21c97ad5b96b6184c29546d9c2bed271e656

memory/4564-1012-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoIY.exe

MD5 77863146ca88c44976f1e56d8bd6d54b
SHA1 7c745b829711818a01390534bd2b5db91c76b493
SHA256 378d8181d7cd2c0959fcc7ad7442638dbddb9394b535d5474618c9529fa6fb3c
SHA512 ae9cf9b22292b649cfd5f3e134121d740ab1c9cf68b562e052dce46395b38cf12359cefb5c8e824c52cdc08b5641eb9e5341ae9ed5e52bc2432a142fe8cce5cb

C:\Users\Admin\AppData\Local\Temp\OogO.exe

MD5 12fafbaba56c3c65eeb291656e05768d
SHA1 27a6c64675c3a68dda2e8170c2bd015d58385a28
SHA256 70553892a0081b283662388f5d5ea0e90b62d6bc9f740c3a821e11f47bc9e55e
SHA512 1449203af5af0f6c99168e683f32a20a8a5712f2b73f5f0cd6961c9bc4d3bced7b4dec67c3f722f35293d5296bb818c88ffd25b2ed7ebf32d4bba66732f94fe2

C:\Users\Admin\AppData\Local\Temp\hEYO.exe

MD5 9c13b366edb7fe044c46c8d391937c1c
SHA1 8e46a121ab50cda92b7ea5d9747207deb530f66e
SHA256 2d69ba164a5cb0b70d4480f30c6470d78135765150f96ab78e7b22a5225f70b8
SHA512 35fa4fe01664a2ce53a554f0e105e21d1ba095b698a191e20788e5c6d7326aca14b9077f4322475ad6c0b4e64f0d469789b8c6eb8c1809c6823cdc8e8f5ad6e7

memory/3928-1062-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LIMC.exe

MD5 0166ad5ea7d08f549d917bebbc4aa7ba
SHA1 b7e282853c9ed27af6e3e0c4e52982ba22005189
SHA256 66990596e6bf36a6bc852af8fdf2d93390f710021cc42c86ec62bf4d39c1c599
SHA512 6c11d1dd0b468b613bc769158b85ab58760732b87b36be326598ee4f20d206816a58bbd4d7c26f3f769a976c333e15b18ce1f0f1b7cdc9908512bcc49909f6ad

C:\Users\Admin\AppData\Local\Temp\ggQw.exe

MD5 e08e572979a5e7f8b316c99939303504
SHA1 c4d82aabf0e22a6e322b87931b87b15983a2b0c7
SHA256 cfc3cafc2c30857f84967d2e1c0d00b9bc04919a3636e500bc526337e92ea86c
SHA512 2400bb39dc846bcd23b24f6431b7635735e60a30314fa9b0dafd6dd6ab61575c7cd93f3a9cde15a43f76ec170a50c6687c8a5f34a39ea3e5bdb6196fad8738b8

C:\Users\Admin\AppData\Local\Temp\kgkW.exe

MD5 dc2d61633ecaceff4fc0634c34386f9d
SHA1 1d9d8a1dde80eac3c07f0c8a3f21d3f2a5f78430
SHA256 a8c37d56a94d1dc254f3f5d8def4554f9c4ec6d325ed4bfd1b679e449957f879
SHA512 15841a73c2d3060387f0e0f345bc48ba620d3c7436e506c872788302024411b6c4ea1b53de9b401961e569817e10138c5d335e390c3bc68c8b159f74dcbb118b

memory/4540-1113-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pwkm.exe

MD5 77f421658b73c368afae7ff918089018
SHA1 aab56b95d38467723ab3c0a997a6829597ff561f
SHA256 82d14981ee1a8eff010c49963c6b0d50e49c6eda7b1574ef4ed2eccbe73b3210
SHA512 77a36e80eeff8ebffd5ee26f2abd115532f64858988a4f094fd0fa10ac5d738708c4d84d24a233e94df61f402dfec408fddfc821cf780aa63f5ab778fc1ad01e

C:\Users\Admin\AppData\Local\Temp\WMgw.exe

MD5 1b1f946bad9afc182e1e403c4337c1ef
SHA1 560a28278e4ad7e19c0ae84966cc4c385afd20dc
SHA256 06976bec6ddf624c02b8624adc16b629f16a44cad9db9f6bfc79fd252f43b756
SHA512 838fd05c5b522b52ba3733e3a31ce4c7387fc05f9f314843ee01ffa1d4ade58516c7508aa4ef90f67563042a800ab6b7b9e8fe3237baed0d8fbb7821fc76544a

C:\Users\Admin\AppData\Local\Temp\uMoo.exe

MD5 b32ac7a1287d62d1a506a316769be3fc
SHA1 610a44681054b71f6df0c746d6ec6124545ce9bb
SHA256 4714da0d7491ace48e224ae9458c84bc03d9d1e6d3adbc02d16c5bd3c221831f
SHA512 9deb7fc516db77cf40d337556cb19a6b3bd543596b62ebc2a82b5a3dfc81fd4c618e28a271653346874e6cd402d5461c9b37d175bde677ecf883ef5b977d3071

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 67fbef5c6f04fdfb2240b129880525f1
SHA1 2646a9a900424dda59520446d30bd6c6792fc148
SHA256 99ea3df70a0adcb8a6ae76db11ee011e89b0b509c67a07cd8de4e891984ab814
SHA512 192a45bb2eaa3a619a1f9a2752c3547aeb8947504572f3129184796bd621a1195b787ed56372cfebd8ee02bbccf7161ce4d0dc744bb18c0745eb4634950962ff

memory/2656-1181-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GcwI.exe

MD5 f882dea4a476b7931c54b775fd996988
SHA1 f4f5c9b66d09e1defc6270735b7d0d2db02cc245
SHA256 6d8cb56fe8d842fe071ab017a21e3a5b196d014a1a84b9d552a0bfb63f82b60d
SHA512 fcf1c8f500c801a12e8d91d3d54372d5b6d4064b8f83cecb1be047ff3d24b5c7a214eec6a1bee5540ac4615fb8a02c6ddd365dc51c4575a3cfaf218b5d86b648

C:\Users\Admin\AppData\Local\Temp\yMAQ.exe

MD5 a65bd38c81467ef4034062cbd4631694
SHA1 bfc749318a06d44bc370a1fc2f689155b629d1e3
SHA256 07fe4660ec6d64c5afe8d50723d4a47112887b0bba845841a0ff4442c50b5bbc
SHA512 5e88cd233c0c8b44626c8290e2ae26562ab278f4c34954279f142c1b1ab91a7be039452676a20764254c29100257044f76626c29c0e5ae4b215ca2b5fa01665e

C:\Users\Admin\AppData\Local\Temp\VQwy.exe

MD5 fe11af953e286590a048523d6fcfcd7b
SHA1 aaee658318502d1225735f444005b30d8e122a7c
SHA256 0f553fd2b5275bc25108523d449e8217956a36f9ffbb848f0b6ff45a213ad3e4
SHA512 1dbbd8a55479cc936e530369fd5d289ce36763c3a8c6384180f40ef74f2585c02f7f46bcc43f4c25db8ab22bceec1df08826070fea220a5ff2866667f5366c1a

C:\Users\Admin\AppData\Local\Temp\lIcQ.exe

MD5 4af17b9d525c774a3e705ccf2cb4add9
SHA1 ae7e3aa4c194ce205d98df60f9120a390e0018ff
SHA256 2acf3cdc8fcd91d042b858f60e820baa97877583d27861ff484f5205aa38234c
SHA512 c85d5be94a3c6e43ffeced2143a243944069e86611c3bf5cf58d6cd56a98739f79fada01b8bc89f46fdea87268276d4dd6383e8a79525bbbfb9504f40a50ec7e

memory/1512-1240-0x0000000000400000-0x000000000042A000-memory.dmp

memory/876-1241-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 379ee0c484855607ec407cab980731f7
SHA1 c2295b6994d20395e06556bd203bb9336845c3bf
SHA256 1232fe027bc9fafa13fa1c957ece5209a6fbed47252886c1c619627d976ab9f8
SHA512 0a4b233b4e7a821dbba10378bb8f2bab277eb5ad33cfe194d16cca8562022fc5a169c57eebd1d2e53dc737a300ef9e88c1665bd713da57249d8b3f0fd5e0451e

C:\Users\Admin\AppData\Local\Temp\WoMM.exe

MD5 f5bc2eb4e9c61fe5fa63036ed06d0353
SHA1 e382475c39743510f0bdd66ef57b836d1f4dc797
SHA256 5e40214aab60cf569767a490dbebdd2c08bb73a87962bb872705b914106bd7af
SHA512 c4f2311a4d2350fff1dde3cbc87aac8763689ccd9c70c8da674ba737629485db46a94fdaa85e478ffdf5834db0802e546bad789de9a7f1b04f7b93837f1697b6

C:\Users\Admin\AppData\Local\Temp\looQ.exe

MD5 24f381b64b672cab1c40ff37d0c21018
SHA1 f12027e70c3a0b3f59b809ecb637fd2cb9f58fd0
SHA256 f23f28b8cf4014e1a6a8c44082fa954104c33ae50bcd6eafaddc75e2d51ceb6a
SHA512 876bcd9f81e253868a4655a43bb2fdf5ecfb9f79efcb41630b0d4fe1d83b2ab6940a7c20b6ca2bddc2a9926ed0edafa6e5f18acd8c3207bc7c1e0ff6ea13bb00

memory/1512-1292-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kEAw.exe

MD5 dc25245106ae5752455cc4009ee1ad90
SHA1 e28eb3b1dfbc71ed16c3550eb34dac57c680fda5
SHA256 9065cfeace07d8501ab033ef53c244a77088d281950e2cded70112960004f925
SHA512 ce538e6422554b2d2bff49e0468abde3a2bd56687767c1551903165ef9b0e0962eab324c885016ff967745b0c6beecaa0052b8e8c288c64c02f2bac35c46505b

memory/3872-1291-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IQMG.exe

MD5 7513e929ab3e5dc31909a09a98489890
SHA1 c668bf0b8dd34931bb40dc3a45d859980e483efb
SHA256 1e14d2f26a1aa4090f59476b437900bedcd19d66a1973bcf0e54b8f1e1429c0d
SHA512 d6ffac089f4245e19e0d82c484a191f259a6dba9bfc5f44414b5272380da5ef5ffa742ae88c4f58ebec52abd57040c1210edbcdfb4bb7042f5f418b9c725685d

C:\Users\Admin\AppData\Local\Temp\MsIQ.exe

MD5 6ed2dc240bc95cb1347d059a53f11660
SHA1 60c401e7319f038f3ff3511b776c040ee0de8032
SHA256 c7e20b63dd453a6ddc4e83346ee4b3de743994799bf4c0d45a7dc19c6698274f
SHA512 8d8a9453b9bcb2689b242d8b6853083925bf5270670605f8e77f3ae6e85821b2e5441c1eae580082605acc53a471a0c23d7eac40400320576365a2172c355d51

C:\Users\Admin\AppData\Local\Temp\Xkkg.exe

MD5 b93756c31a049ef97ae327061fc3a8d8
SHA1 a190734805ab057d66762091d2f6a2715e056d96
SHA256 d110bfe840d6e01f633c25bc531118385ffb1dad9a191bcce749c556e901ec9d
SHA512 f42fb246850ae0a92c89233617db82301de3c132f2881de2c9065681424eed1e07d12ea187dec290640dd9e89103910bb1166a734aea6aba147562dca8f47e9f

memory/3872-1370-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAQI.exe

MD5 1527ff12b88668a10635e92b33532152
SHA1 e1704b10c7c2805bbe3939d40e20b213a1cc1be2
SHA256 8370d503e70c8efcf2f86a9cde1b22c53fa65b8ecab88c60d2766eb3fb42bf67
SHA512 3994a132a44cd8406632c7d6a2c8782a9db9448958c53a1a8dede45cee6f222600a03df9c2b1acd450f4d8f889c39819ed5a9c91ed172614dfcd8436eb223658

C:\Users\Admin\AppData\Local\Temp\EMIS.exe

MD5 819dd741d6107c028576e479fbe99b1d
SHA1 6de8c645f39ec1f2c579a65e09253886672ba304
SHA256 fb5ef321ae8bc403b1aa8420244e70349fdea1af472d50a3ddfc1ddb5d23dda5
SHA512 3a420b77408307397b3e76e471b045db15bb80b58f93708315c0bf35638570989ead8c3cfcbfd3602c151f0f7a9b0fe2d77d3f3154ddb79a1fea4cc13a41d963

C:\Users\Admin\AppData\Local\Temp\PQUs.exe

MD5 6e92a856e395a5681095b816ba25772e
SHA1 ebb6702c33703303d410f5d283d85eebafa56137
SHA256 5ca20b34a582bb01089c17c5a44f3dd21bf22709222c1642bcc681f7e739d2ff
SHA512 36ff830019ba65f67f76f1634156d3e1e6f43c04176b8fc74cff3e4c785987d1eb8e4bfd96e61a2ee097eed5e8670cb71d7ec1a222b840703623a37d4641663d

memory/1532-1420-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wIIs.exe

MD5 523f1d71017faded2efe51025fc212b5
SHA1 1d1af97d5bfd6c8440d9af86c83b426dbdfbfdaa
SHA256 be8700eac41d29c78fa717669759f3c3413616c038dd3a6e76cdad03e2a6f4b9
SHA512 71cb89fe39994b916c5b4200e957fdec08a7b6c0b809a98f05075b0bf15f62045f576d25c84be8bd6fa44f6e381d47d64f780552e0353d49ffbcd56f14b688a5

memory/472-1421-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QIYQ.exe

MD5 01050111fe988a1e722b8bb3f98b7435
SHA1 aa0468170a694068437fbaa16d360ca78a9f610f
SHA256 956cedbdec0704e1f4b3c9d655b0e2f0c7e662c68d057017f6e5f36e735fdcdd
SHA512 16f71f7e30165ebaa569cc99f3a36e59d4f3c10db9eb3970a74777996078dc8aabe08d26715619c34a9cffdf480728639fbff4974cfdfb1bc89386329ab4620c

C:\Users\Admin\AppData\Local\Temp\MwYM.exe

MD5 dfeb7f374c84e0762103a04c2c76c6aa
SHA1 5a247bb8fabf9d9a751860fe80f0db50da61efeb
SHA256 63a7ccd2c4ffa55b2fbd4398cc514c65dcffb02677df45731d04102e3241671f
SHA512 f41703540c3b4aa4c544f7b6f198e71d554873dc9687af297eecea307c61a27911590d9c3283c828f339f206fed62f7f23d82d8ad6b03b052c20208bf9a1b9b3

C:\Users\Admin\AppData\Local\Temp\OIcM.exe

MD5 c52bc469b6acefe06632531a0ca746a9
SHA1 b5b00dba228d21bc262c91f5d6236e0fc7ecb36e
SHA256 0a8be1a3761d9bd300e7858c1078d6bd95b7cf007c0bf563cc47f81f53ba5a46
SHA512 94e652c0a7e1346eca7bcfb79500a4926e099a06e07d19059e80d4dd475db649e3fb43e470ce28e04d8c4bf1bd0f4b8bb8b966cfe1eea50810359d4d679344dd

C:\Users\Admin\AppData\Local\Temp\ecAw.exe

MD5 0094e656bcb8361816140f42404d7e67
SHA1 4165531ef98dc9708b8fb23639fa6cb85992b714
SHA256 de4bc2787350e6f2f6b36edecb2204830ead2912f1fa2b2e3f203feb44c86bc3
SHA512 f4f644c303f7856fa9b7857162748187cd17c4eba348bd6eeb4c16b67088b5efef884794186123193bd9742ea804964e14a80bdcc0de32915eb83cf74372de0a

memory/472-1484-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cssW.exe

MD5 588a4353c831c1b9376b5374eb81e14c
SHA1 d67ebb44155fe9d9d65e9da40481bf23beacccc8
SHA256 42b9cf489ebda1916bb25c22fddeae5e5dcc9d5db6f08c1c4b7b5257386275c3
SHA512 0c8153ad2aa311b4fb52c76f467eb4169e1a8a7356faedf7f2f5c943d00f08c32af4021ffc94a85a80582bc25074c80fbdee34a8798be5b4c709f99c98c14c34

C:\Users\Admin\AppData\Local\Temp\vQAo.exe

MD5 14c95e271d4dfe2d5b8d3fa851d248a9
SHA1 7ec75138693c77dc1183aab7650629fc8369fb50
SHA256 d3b697e3077be8605455f07c42a35255493edb5f3ccc05b2767d9d306a97937c
SHA512 eacad1c9199d9f71f485ed388707e920f8dd728bbb1b6bb29b6124a552870f6d3d53c585e7c03c2fe25648ad47b5ecf2d96b12122f49a698a7300411684dff9b

C:\Users\Admin\AppData\Local\Temp\DIge.exe

MD5 4cafbdb552ca7569308a163bff1aedeb
SHA1 6bd28dc8d41e91f25f78ab513e5f7462f9deef1c
SHA256 46f945b7c5a916bf79c6f177b61b5edda36cf0054754238d50228314b929d665
SHA512 d367fa474b0f6d20dc1700714ad40dea5464ae6996eca9a61535a64d5a844a08ca82d1e35e2ba723f5e8d15a93f2c2c6aeed477eb40b968a08c8634082dffc1b

C:\Users\Admin\AppData\Local\Temp\eUAi.exe

MD5 e16e4007a74d89950a9713b248237652
SHA1 0510872abf69f178941b87dcf3369ae4a7b02a94
SHA256 a5202c837203f9dba3698cc215aa6219df4335a2232994ccc82531b5a504ef9d
SHA512 509c636e8c4ce5398bedf9243ee9f8829997ec7b1671ce953c5f6f0e62db7a4076f5b12bf2e24fbe247f10cd81c0df39c62c87dc5438f655986f51604ec71fa6

C:\Users\Admin\AppData\Local\Temp\pcIa.exe

MD5 31dee6a57f7aebcdf2fd76dd4a721107
SHA1 2b9b191537118317090f285329abf6fe6e7b22fe
SHA256 0d41a80c7e2a0c7b097db012fd0272f32c3844fd9efe6c4b56e294e6a84a5df2
SHA512 e32b226a0419e19fd44886574a9a18cb93cb70f3ef9e0fe7b2e5c928407c1355902b18830737c0723ce89371dc8b71cdd1f97988c19f017472cf3065ccfcecac

memory/1140-1559-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kkoc.exe

MD5 2c6a38319b45fa6e13d9c4edbb7bd54c
SHA1 4b64888910f02bf6802c5f89b5e8e6a650e9787b
SHA256 ac7ad0c2b435448b8714df58082c5ada1171d01e361f0cb43435f6500f70ad22
SHA512 3ba1d979280f157ea69ce97a16cdaf351ba0104169185449d710c43e62c3e8a79682a2ed4ad19509584ee14d2672d84b8c2c897a8154f7133769e1753fe7ea28

memory/3816-1577-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BscW.exe

MD5 ca655096fbf7fde1212f994ddb9c4331
SHA1 ad8aefc1e2ab4c3577853ef7b149acd73efdfdfb
SHA256 9a8113c84cfbe0ae2e31cd2bb1ec6b18a4e3777c956dc066ffe822b6a87fda51
SHA512 80bf0120eaf7314c31ca51f51f186a57a8373c05046e414e61c873cbf6fbf713a92f1bc83be0501f993834298bcd576b93b5bf98b6e7419bdbd05b10fae58433

C:\Users\Admin\AppData\Local\Temp\xAUM.exe

MD5 ce5826033da3ba45a3730d7c109e8915
SHA1 3f033d7822f387ec08397e3934025942288e7dbf
SHA256 2d8ee909f79dfdf1a02b190f0dded499f7cf1e33dba6b840c569272cd663edbe
SHA512 4b4da6912decb21292abca5e7de7919b363e10179c0f6b0864fe6171a18ee0c583ab4b9302830d2644091dae1e4c3c3a953b59922c6ad58b78f38f99a92b8d8f

C:\Users\Admin\AppData\Local\Temp\Jook.exe

MD5 4bb40dd9c6a5048c7becf5a7686055fb
SHA1 c79e9b7e76a044f63f2dc38fb9a934e2d1f6bd80
SHA256 b6bafc63eeb7b0b775c38031d72f144ea1b7dc1821379f5effe914f06a89757b
SHA512 67a3c9490d3ca93e323dced5c43330d3e3ec7018fb810695b55f33ac6748d05ab0d403fabf968d7c022006b792b5d53cf3dd38afabf85b9204c343b5b7c76fc4

memory/1140-1627-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wsoY.exe

MD5 100460affedfc24eb6101edfa37194d5
SHA1 9fabe913646fe80471a1782652859618223c92ef
SHA256 ff14f85bf364f6f56850cedcb94423b6388e04aa6acb3b05666b23df38d5e6d2
SHA512 63d197e9e4ed2c7e84dbeb745b9fc3c3747e0083ad9e806a99625b4c0d7bd2146fbfca716f3392921025034c9efe785f0fe33dcfd5e053792e432b13619e8ac8

memory/1212-1642-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RoIs.exe

MD5 400bed4707aa9246d3b4984e0a1b4791
SHA1 36987e7f1449b4ac89f6ba535623b8844fca59c0
SHA256 b660973ff9ff93551c89f6be83eef3e144bf77ab1c4538b1211a1e2c1a1385de
SHA512 a2220f8c79e50fd1885eb78e0efcf2356c575f21472fdf93b085926a3d0fcdec3daf38e83b698ece3b0c0990533f24842759fb285999809f2ed7b1eda236170f

C:\Users\Admin\AppData\Local\Temp\ZkAS.exe

MD5 669f1b7bddf7697efe25b0e920c5cde6
SHA1 e80232fd2921dbe5963a479e924679b2a3f896b8
SHA256 34e33710958f88e5617d51a2dfee578a1645f9b5b8430ffdc4d592b40f4548a3
SHA512 2f83e0b5d0ea53ed5e02642d9e3831c1f8ab84d25a7323ce42b7a48665f12d7fea8d71087a52b83cc01e7e1e450b4cabe70e2c65760acfe8d5b54385c9c3d527

C:\Users\Admin\AppData\Local\Temp\SEwO.exe

MD5 012b33bdc839546c6ac0e3a62b8ddb59
SHA1 fe92247622117f169f39d72ee699712efa182691
SHA256 de042a9463491c6196406d8e1e888dbecffab85cef5bcd41b48d6f701314ad8e
SHA512 a113ff8cc9dcd897e74beb63402ccf837739756e89587c87cf6cf4337dd6405be21dded2453179f30831ea20b9cc94529057bba8214af877c4eddbfcb3dc3bfa

memory/5020-1692-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1212-1693-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vgME.exe

MD5 7c80ecff05198fd2837beae3c60fa2c7
SHA1 87a84d7dc0779b8de70866700bd4f26bb7a612f7
SHA256 37786fba1cc0d57d9d67440addd1748c604435a554f66b1021f30b5b9f09548f
SHA512 6648f132a6758c0b704e222d9ddb68c52b92774f22b890ab16f814a425644216997cc8c30f4fbd095c3a5dbe129d12704be2b47df6200b7cf4459732638734cc

C:\Users\Admin\AppData\Local\Temp\CEkW.exe

MD5 b50a356cbec767a9076c635a42b18313
SHA1 bc17a8897ded98f79c333fe6bda9b5f318f5a0ee
SHA256 4e20b9c72de85c7246732d3c22348c17c926dc6ec0e64fc51b3854ba708aa66c
SHA512 2557678f961306fee25850881cd3c6c405de2836a9ac9ff32a356ff787c87de7c5051cb99520d6021a03aa2d80e3305b39148f098810b765b94b1dad37c77e1c

memory/5020-1743-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WEYk.exe

MD5 e4d8d30ebe76f2d6a382e792c2f54a6a
SHA1 29cbba7caa4d3eda80c586214cf80a54a9e1ff29
SHA256 55f357a747d6fa16a439ba51cc232d164d036fc51ead48c5a7472a98b25b3388
SHA512 34e2d09389730d1a9019713c289b3e34f4e921c12daf57ebd3e763d7d0a21ecdabfd96845f8deea26127b390802cb921d36bb20e163260435a54bfea4555b3f6

C:\Users\Admin\AppData\Local\Temp\eEss.exe

MD5 dd748fa84fd896eeb06b8e790e301406
SHA1 13d425d947ebe89ee4bf40aeadb36c2969a920ee
SHA256 1bc82d990ddc40f6931046fea065913d6a6cfb96cff9ccaef4a5f7f8ee0ec6c3
SHA512 757cca0755c12df1bfd7ffbd8fee1eb35c2f0729d1ab31da897c28bb0c93413bd43c77598777178577c704398510f624aa81210e807e8652012533e8be99b824

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 ab314be3a51dd4a015c039dc97b09f1c
SHA1 dde6097111bce651bfacaad64b681b1f4e08c7a4
SHA256 a73c60c4f442df8e02869700776e921784404203aab1ff7980d38860abc7a5d6
SHA512 49132bb67e29a1bf7552c4e1f90834e0a34dc8ee34dd6ca2195338a2973aed16fa3efa8f59692cea27b16df9640692e03049873bdad76df5f576dd04d712fec6

C:\Users\Admin\AppData\Local\Temp\iMcW.exe

MD5 6c10673d85fd99f9083240ba1eaa8def
SHA1 496576a32852d40d3e772687f5d516c58fca3ead
SHA256 b67964901653e5c83b70461e54e100897678722cb23da104618b4b72b2b19971
SHA512 1bc3c73188aa3bf03352d9675e088e1c7a08ba0a9987f2cdffeb901272d000826043640778af12e5bd8ab1670450aff9483413172a892aab46b56a7a7dd7abca

C:\Users\Admin\AppData\Local\Temp\cQIo.exe

MD5 7225def8024b85581e057be3a72f555b
SHA1 5913fd5493615102cae23af0cafd11e0f5f2ca5c
SHA256 82660de1cc610f9e4eb87869a0d67f144abca2c2f35501572926b64f36f7be27
SHA512 01fb4bc8ebfc2ad0f5e7586dbbd279f61e90573e7ebaeac02e63e37de272b9af7ee9575c9d50e2bbedec9457f9247655f4455234a2bbc9660f348fca67a3676e

memory/3956-1807-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bwQe.exe

MD5 0a780fb071d26e2e0e058791b9145c46
SHA1 11b70f0ae6bd2a1b1bd721705efd4d00a017d0f3
SHA256 6e8369e67cc187038ed3c6e485535b0d4d0bb08d0adaec9b4e60d6a334e692ca
SHA512 1536b318454bcc20e3abaa54728cb7a9fb0828f5b6bf77377988759a9d80b8546fa65f1edec111bb32f30827ab804ca7dcc11ce5e4da8ffb7dffb3c9b6f92431

memory/3756-1822-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pYAS.exe

MD5 e342c589ba6049333f87fe1111d238bd
SHA1 30072bacd57ae298a770075d4168b13db3496e3f
SHA256 0795e8481ef6e79059bab730d4ce9174b4f3694123306cbe99e40e448cfe9072
SHA512 ea0c15a3a4d804de9d82ec9b8651ad27d023266d2d2952b8fdeac74f8396f237a6065ea638b75d241a8a04e97f014a8406e85cb36aad98db8caade752c50cc9b

C:\Users\Admin\AppData\Local\Temp\WskI.exe

MD5 aabbf5df9fb685cc2589d59916efe12b
SHA1 7c2b482e65661f8d7209e7a72b51b6e9b8921dab
SHA256 e729cb0400fee3136c9a4283ce95defab127ad54b7c770af497adab44d0353e4
SHA512 b7489ec2e98701408351733a2efe603c9b59fd041cd2acdad97f674d8fa85db7413490a93838928b0a58f69f3d67002c0a0ce2479962e22f279a48aa1b8ed988

C:\Users\Admin\AppData\Local\Temp\CMAq.exe

MD5 2ca0e84248fc591843cc8c7fc5e02ab9
SHA1 f6dae66112651a7399e569dabdb5887d522b3a00
SHA256 d6801c10a133793d78771bcd3e7ac0900d967f8389ccf58f3ae3761d56b8b23c
SHA512 39481b250d3602b1282f259f67c2b12f22bc6d4394013e11b25d74a7bd947e60d2747f6a370722bd381f3b48b67c366ca37c3d6e887940d9fb63571d568b3da3

memory/3756-1873-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zMQK.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\sMoW.exe

MD5 b5bf97d4fbcd766877253e092c34cce5
SHA1 c596284b0fd313a063429a42f56bfcc995e7173b
SHA256 605519d30a87fa8002076f996247b8797a6b6d3a34a2471ff3f0aca9e1272aa6
SHA512 63ef55f1183cff461325a7faa0322e01ccfb6a4ef2307625dc8e7018135c6a922feab1a03e383806a307695f4006ab1bc86eeac988e18bb472fafb0763325047

C:\Users\Admin\AppData\Local\Temp\yYAC.exe

MD5 ea876eddc79d18f6ce5e39d3126684ae
SHA1 3f0ac83917602ab7c4fdf939796f543a95425cde
SHA256 f5885fdf444deeff78370b2995a80115418838c7fe37e4a67fd5e6755268754a
SHA512 7132836a6cd801cb3ffe1a4971b816771384c5186a382a08ba1919a98bacfba9e5736dbd0c8666774f0b919ea55032d04011d09d8224f89858428b98004d4514

C:\Users\Admin\AppData\Local\Temp\HUMG.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\LsgI.exe

MD5 4c0b89b62a3b570e37ca78d5237ffb44
SHA1 45e887d0880d2f43c63f6283fa18960d4836dfc9
SHA256 db0618903512016daed67d735b2b8231e66c1e3e7dba4cdc991c59653a234ec9
SHA512 b07f3616d577c18974c10c5239fc7aa84eb48215a2aff653f8d50e430528c8396496b35ef29620ab1c61a9648c71944a5431b4f45f9013b9583632f070e50874

C:\Users\Admin\AppData\Local\Temp\yQIC.exe

MD5 55c25b01176fde9bb665a28b3f1e0cf7
SHA1 05e4a19a544f20d374c684642b35182d6b2ba502
SHA256 65bbf88953e1cf0f5821705612723bb21fdbed52046556792544c8810dc064b3
SHA512 4d54efd083f206dedde6750db54da71ff4b2e16842808470ebc868bbf6ba6bb765806020b80a8b005bf8fa3b44718159535738172f976e6489832198397bb120

C:\Users\Admin\AppData\Local\Temp\sAQk.exe

MD5 473398295b1c2210ba6247eda014ab3d
SHA1 90f1e02db608aea3c4ef5080b2aeda1dc424bcaa
SHA256 1bd83e2384689817bb5d79b3aa20438e8eabd3a7f7fe0b8dd92520ce800075e4
SHA512 3287f89ff0170c1172b7cfc5d176994c43e1f57c14ce9f27925218abe19442504ad400bbaa21141ecbb855c5c0fafff7056d0fcee3a2b761bdf6a5b85975b808

memory/1320-1936-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HksE.exe

MD5 72ff2a7f6cabe272c1732dba649070b0
SHA1 ca62d2e8735c0535b66daa5d07685ced50ed78f2
SHA256 0e096be19669d364733565f1ba339b7f91214bbb22cce0e77154edca4809aba7
SHA512 adb475c1bcd812e34f554d0a963841ba8f214ffbe885c6bf7cb11a8c135eb65fa7694d4e534393ef038356ce10573f926df7d7ec8a03ec4ea0aa0e28c20041f5

memory/3304-1966-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hgky.exe

MD5 0ef12f728b961c154b4167dd192f44e9
SHA1 6454fe452064498562d829558e9a6c49d2071277
SHA256 ed8063071c611550a950c3722af62912b7aadf75a1b69e36641a667bddfdd8cb
SHA512 05cd4e2716848f3b8301e3061e3b9ffd0e8983d211c4e793755531f883e7ff1c4e9f0ca62d474ab99dfcbcfdb440233c19e24307554890a4e6d25323b4f332ee

memory/236-1985-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3304-1988-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\boMa.exe

MD5 39c2805a769bfaca6c3141ffa209082c
SHA1 b2bf4b1057c0ea27c081494d7a9a264db8ff353a
SHA256 b77c3b0c4178aa678ef4d738a687c0a114ad7047f340f695de70589d0bc0a8b0
SHA512 137121861bddd5380d0663ae63d94749a8d32deeea1f499003c1778ad818481f8f6a121255c6a345d682788111d3569e8b8062ee22ee8f5b72348bda4d403a12

C:\Users\Admin\AppData\Local\Temp\AocA.exe

MD5 9fc3d17c0b82f0db62bd4ce2864ae5ab
SHA1 ca345af4fb1d17812ccbc0284d1325a40bc0625f
SHA256 fed086cb434cf38d054e2c88b93d7da071eb8f88dbb634889bfe410844a9e683
SHA512 7f7b8fbe9c0ea6b8399f5c11ba2b173fa454202cb215192c15ccb6fde0dd64ce9bda4ca0f193011dffa40eedf1cdb3c845bb0843dbc068bfc9e7d97ca0ed0184

C:\Users\Admin\AppData\Local\Temp\jQQi.exe

MD5 6ce975d3c656e29efc2e909ce78b966a
SHA1 1ea2b26e153d24e1b2fa5aee6f713950317a4747
SHA256 1a145dad7ce446928bc155f44e296e444f35d6ed0f38cbd0b5597f7d01123c23
SHA512 6571cfcba341c80b51c0c606f606f1e5d6c0608d29c1f285c287527a154b085abae93ba92e952f29f00b695cd019bce69eddd96a4b72d7648d7b94140a5775d0

memory/236-2038-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JYUk.exe

MD5 06423aa76f644d6b1b7cef901340f327
SHA1 1c541257fc51fad02b5842472ed6844388b6a07c
SHA256 33c4e81ca49a550994f0252d78c86577e6fdc8dbc8959fb75e1ba8b25a4fd018
SHA512 67f051cd7eb3ef96dbb31ccc1c2fd6ce8869ad6c10e4dd0534dea1f4d67e216a8207450de356c6e7bd1b71529d38d9c4d5d33e4498c9ca1c3603ff7a19bca007

memory/1456-2067-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lsQW.exe

MD5 5e670d48c3546090762c2080d283ffd8
SHA1 0455ba44d7192b356700d3caa527d89f984bedf1
SHA256 395083e3fc68ac25f361444a35cce151a36f645a3bcb50713ee914bc771ea7f5
SHA512 63514e520729b0433f86a66ca7af6226127f7bcac5dffd29493b1d3e674ac8ac80b5a2fe8d56aab8d5981de4c8514070bc46087762e68266b0e4c2c0138d833b

C:\Users\Admin\AppData\Local\Temp\qAMM.exe

MD5 8aa198117591abae0addec39192db504
SHA1 9c48a138590256aaa7326e4bd474feb7c17e7b9c
SHA256 e5207e7621d2b3d8b5c3361915a3b7c51c3062c9e34167674c9e771f1de55e63
SHA512 c1d72e1b778f008977f0be543598605e888dd0569228005b7473162fa03f2a4c40ef3b87e8775ed662bcf402659f3a4b7b7c5da7749acee13ad4310c66064a0d

C:\Users\Admin\AppData\Local\Temp\kQEC.exe

MD5 e67e3f98c86732052abaedd4cfaf7ddd
SHA1 b4be0d4ea48bcedd0d75bd7afebccc84c5491965
SHA256 8c5983f4fcc4a80e75d3961c5aa15db876102e8afd7aaaac9c8813e3caca966a
SHA512 3410101bb6fdf618115b4a6be45b343fe1d76bad696769cb7a274db3d3b704fb982ed96f3aa304ce14c5a1c1c8951ba8dcd9255b98ad5625daee218c50b3b12f

C:\Users\Admin\AppData\Local\Temp\hUAk.exe

MD5 4746309eb7d2da1c521269e5ca98d2d3
SHA1 f91dc710868446e151c22e5d881816bd18a32fd3
SHA256 3ac3927a79f555585c3b741aa6a5867e714ce3f517bc050e03f2102378ede2c5
SHA512 132e3b89d1750bce7b7913bb9a73948a8d5638da48dc8e186a72310135e56c1c8c145464f93cebdad7abf4393b459b0dcb861306a13947858678de0803dd2661

C:\Users\Admin\AppData\Local\Temp\QUQA.exe

MD5 fae99a6bab6af5bb5f206a32b6a30b2c
SHA1 12b182f53485b97a630f2180b5089dce68377347
SHA256 525ef2426a24b09027e9384205360f5a7bdcf538ac4a64c42f788705093f4b53
SHA512 d3e9e422cb9d613c9a3e39631b0cbd89b9f037ed8af998bcdc541a7f3cfafa8ba50fe1615198612d4757a970b28720246805089961a6f3597cc19ff21d9d2c9d

C:\Users\Admin\AppData\Local\Temp\rcAo.exe

MD5 bf0a96eebe28a231ef72f9eb1d899946
SHA1 193ab96c869c8811854afc2d52d0857ea15254fc
SHA256 7db191a0675bd232bdf850f321aa16ba6605a4dc068fd42b36274b0408fa3d29
SHA512 4b4ccb1a4ab5ef10bbdd2d9ac7e72d81d6c1bd828a1a2076a7812a7799b145770faf9f15210e89460c3d503ab7938f041e359d2fe8f5aa2fd4fe4c7f6904fb74

C:\Users\Admin\AppData\Local\Temp\XYkS.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\kUIc.exe

MD5 32fe9cad513b48df7eb8cc5bfff86fa8
SHA1 a723f1a720bf5f9930158d4bc62be011c4e36f03
SHA256 5885e9590b990d5b4efc09f6cfbc54ae7424fc5a868026669a23fb0e4f41296c
SHA512 cffa5d48e4d2196b61d2066ac551fb6103020a6398c5fc488cc624adaeaaca29e50f3d09d948d44ee2cae1a4c17d20155179255262e00e4855c12709b3e3a2a0

C:\Users\Admin\AppData\Local\Temp\BIYI.exe

MD5 6521a9048c9e9e2bf84b7482bfbf53eb
SHA1 c478ceba35f1dd223e081d14637502e0edf5b8b4
SHA256 e1e17a503cffdedc8caac646b944dc99265ef83f1ae916bf71b9445f9b5bd0d0
SHA512 9f061c88c225e530582bdc66b2e133a1d5f61f8464949e080539f1fe99d8aa756d2e709972a77a19bdd15ac977365a810c97301312faf0963ddbab63b9e65572

C:\Users\Admin\AppData\Local\Temp\qUQk.exe

MD5 ac71b606f0ae2b59a668a676621e6996
SHA1 0fcd42d37f87e2f9c63fae431182b695a8c4791c
SHA256 f328cefa1042c8b7448b7d4bd61c1fd112c1f64a0f894e0b63e5e51a27829eac
SHA512 68dc28434bd0f000cb1fcf8a66a853d7d2811c5c19e1738f8049d9a57269101a6b1e074430065dc57c8ed251bd01503b63f608ebe1e5b0b735bb1cd211ee3831

C:\Users\Admin\AppData\Local\Temp\NUow.exe

MD5 d4e98d80978d894cbfab6b2a10c52742
SHA1 ceae736e0e66c375bd64adac02ecaf17052820e6
SHA256 3d584f293f0417d531f45f43eb45d4be3c46c1dafe9a3e9f8cc099c119f7367f
SHA512 1f679262d25db7d5b225faf1a1f4a715f86810e8bbb64e8ced25f6b8866510cd0c55fb5056384eb38b0ce96862a1e23097457be9698c3c3f136d70347023c4f9

C:\Users\Admin\AppData\Local\Temp\MsgG.exe

MD5 aa06821926fe95b912372a78e8180bed
SHA1 42c816c87dace99394299e35c5623e187b27e3a2
SHA256 1d34aec384aca642bf8fb86f84fc1567275849c930cb5f4ef753eb48319b2564
SHA512 c4cd2bc70477632745fad6a80b9f6dd3bcb57309777a0a0eb51a9bfd5c88420ed9cad82ca08092148d6752b5c2f49a243ac7cb68eaa5f292525c1c7bef622572

C:\Users\Admin\AppData\Local\Temp\BUIw.exe

MD5 21ab63c960a978118a2464b6f555e6d6
SHA1 e66723490e658c6fe5362ee17798037196fc7ca1
SHA256 e75ebc4805b6fc225149d290d05769982b077baf6e9950838894b33430290562
SHA512 f1a47ebf63d8e6546729f513d30bfb28784a8f0f56a15c9f3f30fe7effd833e1ab84d4a135d7c830e5ef2a7284d1af8d8f4201371a5735b6211b75554d7a79f5

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 aa13232da8b6d58fd6ca184b29c97187
SHA1 abbd325d866ec15fd36a289fee705e046e977a3e
SHA256 db95b6ac17e399d3b7c24316d64b39bf9211ab70a805706128133e6c03f61f1c
SHA512 b1b40b677df9510cedd27fef568fd4724c5db4155afdb9c3aa0b04233f96ad649d1bc69e75e01c6a5aab75b428c6386165a878b9e94d4f3d0c1f9db10af078fc
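The Files listing above is a flat sequence of path / hash / memory-dump lines, and two patterns in it are what a responder actually acts on: four-letter random-named PEs in %TEMP% that each carry a distinct hash, and existing data files (`.png`, `.gif`) that reappear with an appended `.exe`, which is consistent with VirLock's known file-infecting behaviour. Every memory dump also spans the identical range 0x400000-0x42A000 regardless of PID. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses a listing in exactly this format into records, validates digest lengths, buckets each path by those patterns, recovers the original host filename from an infected entry, and counts distinct dump ranges. The sample input is a handful of entries copied verbatim from this section; the bucket names (`temp_dropper`, `infected_host`, `temp_icon`) are this example's own labels.

```python
import re
from collections import Counter

# Constructed sample: entries copied from this report's Files listing,
# plus two of its memory-dump lines, in the same flat format.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\UIkq.exe

MD5 68e3812716d8ffcb08777ffbe6a3042c
SHA1 c8ac28c9d6446ebe4d2ae0cada8e93c037a0b927
SHA256 5728a9ed2376d4fe7f3ca00c7e4bf316491d8526f9e060ee15e600aec446a13b
SHA512 9b48bbb9209d65709e4c07b33e120dc8f4bf6da723962d37eb91c94ad2242db762f3ce63f61175abf9f0bcb6eb380f1bc2bfe0946d22ba2cf618d783dc1f1582

memory/2380-948-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 67fbef5c6f04fdfb2240b129880525f1
SHA1 2646a9a900424dda59520446d30bd6c6792fc148
SHA256 99ea3df70a0adcb8a6ae76db11ee011e89b0b509c67a07cd8de4e891984ab814
SHA512 192a45bb2eaa3a619a1f9a2752c3547aeb8947504572f3129184796bd621a1195b787ed56372cfebd8ee02bbccf7161ce4d0dc744bb18c0745eb4634950962ff

C:\Users\Admin\AppData\Local\Temp\zMQK.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

memory/2656-1181-0x0000000000400000-0x000000000042A000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 aa13232da8b6d58fd6ca184b29c97187
SHA1 abbd325d866ec15fd36a289fee705e046e977a3e
SHA256 db95b6ac17e399d3b7c24316d64b39bf9211ab70a805706128133e6c03f61f1c
SHA512 b1b40b677df9510cedd27fef568fd4724c5db4155afdb9c3aa0b04233f96ad649d1bc69e75e01c6a5aab75b428c6386165a878b9e94d4f3d0c1f9db10af078fc
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
TEMP_DROPPER_RE = re.compile(r"\\Temp\\[A-Za-z]{4}\.exe$")   # random 4-letter PE in %TEMP%
TEMP_ICON_RE = re.compile(r"\\Temp\\[A-Za-z]{4}\.ico$")      # .ico dropped beside them
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}\.exe$")       # host file with .exe appended


def parse_listing(text):
    """Split the flat listing into file records (path + hashes) and memory-dump records."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:   # catch truncated or mangled digests
                raise ValueError(f"bad {algo} length for {current['path']}")
            current["hashes"][algo] = digest
    return files, dumps


def classify(path):
    """Bucket a dropped path by the patterns visible in this report's listing."""
    name = path.rsplit("\\", 1)[-1]
    if TEMP_DROPPER_RE.search(path):
        return "temp_dropper"
    if TEMP_ICON_RE.search(path):
        return "temp_icon"
    if DOUBLE_EXT_RE.search(name):
        return "infected_host"
    return "other"


def original_name(path):
    """For an infected host (e.g. watermark.png.exe) return the pre-infection filename."""
    name = path.rsplit("\\", 1)[-1]
    return name[:-4] if classify(path) == "infected_host" else name


def summarize(files, dumps):
    """Counts worth pulling out before writing hunts: buckets, unique hashes, dump ranges."""
    ranges = Counter((d["start"], d["end"]) for d in dumps)
    return {
        "kinds": Counter(classify(f["path"]) for f in files),
        "unique_sha256": len({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]}),
        "dump_ranges": ranges,
        "dump_image_sizes": sorted({end - start for start, end in ranges}),
    }


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for f in files:
        print(f"{classify(f['path']):14} {f['hashes']['SHA256']}  {original_name(f['path'])}")
    s = summarize(files, dumps)
    for (start, end), n in s["dump_ranges"].items():
        print(f"dump range 0x{start:X}-0x{end:X} ({end - start} bytes) seen {n}x")
```

Run against the full listing rather than the sample, the `temp_dropper` bucket gives the SHA256 set to block (one per polymorphic copy, so expect no duplicates), the `infected_host` bucket plus `original_name` gives the list of user and system files that need restoring from backup, and a single dump range across every PID is the cue that one unpacked image can be carved from any of the dumps for static work.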